Security LibreSSL 2.2.6 Security Fix Release

Centmin Mod 1.2.3-eva2000.08+ LibreSSL 2.2.6

LibreSSL 2.2.6 is now the stable release with a few bug and security fixes for following:

Centmin Mod 123.08stable and 123.09beta01 Github branches corresponding to Centmin Mod 1.2.3-eva2000.08 stable and Centmin Mod 1.2.3-eva2000.09 beta01 have been updated to default to LibreSSL 2.2.6 for new fresh installs. For existing folks, follow below update instructions.

While Centmin Mod 1.2.3-eva2000.07 stable used OpenSSL for Nginx compile, Centmin Mod .08+ has switched from OpenSSL to LibreSSL, so no longer is reliant on OpenSSL for Nginx. Full details of Nginx + LibreSSL here.

Centmin Mod Nginx Update LibreSSL

For Centmin Mod 1.2.3-eva2000.08 beta03, .08 stable and higher you can update to LibreSSL 2.2.6 via 2 steps.

Step 1. Updating centmin.sh LIBRESSL_VERSION variable to 2.2.5. Best way is to use centmin.sh menu option 23 submenu option 2 for auto updating Centmin Mod code as outlined at centminmod.com/upgrade.html and at https://community.centminmod.com/threads/new-08-beta-menu-option-updating-centmin-mod-via-git.3084/. That will auto update centmin.sh to latest version which already has LIBRESSL_VERSION='2.2.6' set.

If you do not have centmin.sh menu option 23 submenu option 1 for git environment setup, then you need to manually update and edit your server copy of centmin.sh at /usr/local/src/centminmod/centmin.sh

---

from

Code:

# LibreSSL
LIBRESSL_SWITCH='y'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
LIBRESSL_VERSION='2.2.5'   # Use this version of LibreSSL http://www.libressl.org/

to

Code:

# LibreSSL
LIBRESSL_SWITCH='y'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
LIBRESSL_VERSION='2.2.6'   # Use this version of LibreSSL http://www.libressl.org/

or can do it via sed replacement on centmin.sh within centmin mod directory

Code:

cmdir
sed -i "s|LIBRESSL_VERSION='2.2.5'|LIBRESSL_VERSION='2.2.6'|g" centmin.sh
grep LIBRESSL_VERSION centmin.sh

Step 2. Then select centmin.sh menu option #4 to upgrade/downgrade Nginx recompile Nginx and specify latest Nginx version i.e. 1.9.10.

For example after recompile Nginx version output will show built with LibreSSL 2.2.6

for 123.08 stable

for 123.09 beta01 with NGINXMODULE_ALTORDER=y enabled

LibreSSL 2.2.6

You'll find latest LibreSSL 2.2.6 on official site.

 

Alternatively, to update Centmin Mod Nginx, read instructions here or below.

To update your Centmin Mod builds follow instructions at centminmod.com/upgrade.html and respective version threads below:

• Centmin Mod 1.2.3-eva2000.08 stable install & update thread
• Centmin Mod 123.09beta thread

Upgrading Centmin Mod Code to Latest Version

Upgrading Centmin Mod involves 2 parts.

1. Upgrading the actual Centmin Mod code outlined at Upgrade Centmin Mod - CentminMod.com LEMP Nginx web stack for CentOS This is heart of Centmin Mod where the code is the engine that runs centmin.sh shell based menu and all the automation you're accustomed to.
2. Upgrade software that Centmin Mod installed or manages. For this part following outline at Upgrade - How to upgrade Centmin Mod. In this case after updating Centmin Mod code, read instructions here and run centmin.sh menu option 4 to recompile Nginx which already has centmin.sh variable updated to 2.2.6
   Code:

   LIBRESSL_VERSION='2.2.6'

 

You can tell if your Centmin Mod Nginx is using OpenSSL or LibreSSL via output of SSH command

Code:

nginx -V

If using LibreSSL, built with line will list such

Code:

nginx -V
nginx version: nginx/1.9.10
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with LibreSSL 2.2.6

If using OpenSSL, built with line will list such

Code:

nginx -V          
nginx version: nginx/1.9.10
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with OpenSSL 1.0.2f  28 Jan 2016

 

Note Centmin Mod 123.09beta01 implemented LibreSSL geo location mirror mapping https://community.centminmod.com/posts/24955/

So not all mirrors for LibreSSL listed at Getting OpenBSD have 2.2.6 LibreSSL version populated yet.

FYI, just updated 123.09beta01 with mirror checking routine for LibreSSL so if the mirror url doesn't have the LibreSSL version populated it will fall back to main download link.

Example, My Virtualbox server located in Australia detected AU mirror but fellback to main USA download link as Australian mirror doesn't have the LibreSSL version

Code:

AU server detected
Download libressl-2.2.6.tar.gz ...
Initializing download: http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.6.tar.gz
File size: 2965531 bytes
Opening output file libressl-2.2.6.tar.gz
Starting download

Connection 2 finished                                                          ]
Connection 3 finished                                                          ]
Connection 1 finished                                                          ]
Connection 0 finished                                                          ]

Downloaded 2.8 Megabyte in 4 seconds. (602.36 KB/s)
Download done.
libressl-2.2.6.tar.gz valid file.

 

LibreSSL 2.3.3 is out with fixed Nginx 1.9.12 compatibility so can switch 123.09beta01 back from Nginx + OpenSSL 1.0.2g default to Nginx + LibreSSL 2.3.3 default Security - LibreSSL 2.3.3 Released | Centmin Mod Community