Want to subscribe to topics you're interested in?
Become a Member

Security LibreSSL 2.3.3 Released

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Mar 23, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    54,547
    12,221
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,790
    Local Time:
    5:20 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+

    Centmin Mod 1.2.3-eva2000.08+ LibreSSL 2.3.3



    LibreSSL 2.3.3 is now the stable release with a few bug and nginx 1.9.12 compatibility fixes for following:

    Centmin Mod 123.08stable and 123.09beta01 Github branches corresponding to Centmin Mod 1.2.3-eva2000.08 stable and Centmin Mod 1.2.3-eva2000.09 beta01 have been updated to default to LibreSSL 2.3.3 for new fresh installs. For existing folks, follow below update instructions.

    Centmin Mod Nginx Update LibreSSL




    For Centmin Mod 1.2.3-eva2000.08 beta03, .08 stable and higher you can update to LibreSSL 2.3.3 via 2 steps.

    Step 1. Updating centmin.sh LIBRESSL_VERSION variable to 2.3.3. Best way is to use centmin.sh menu option 23 submenu option 2 for auto updating Centmin Mod code as outlined at centminmod.com/upgrade.html and at https://community.centminmod.com/threads/new-08-beta-menu-option-updating-centmin-mod-via-git.3084/. That will auto update centmin.sh to latest version which already has LIBRESSL_VERSION='2.3.3' set.

    If you do not have centmin.sh menu option 23 submenu option 1 for git environment setup, then you need to manually update and edit your server copy of centmin.sh at /usr/local/src/centminmod/centmin.sh

    from
    Code:
    # LibreSSL
    LIBRESSL_SWITCH='y'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
    LIBRESSL_VERSION='2.2.6'   # Use this version of LibreSSL http://www.libressl.org/
    to
    Code:
    # LibreSSL
    LIBRESSL_SWITCH='y'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
    LIBRESSL_VERSION='2.3.3'   # Use this version of LibreSSL http://www.libressl.org/
    or can do it via sed replacement on centmin.sh within centmin mod directory

    Code:
    cmdir
    sed -i "s|LIBRESSL_VERSION='2.2.6'|LIBRESSL_VERSION='2.3.3'|g" centmin.sh
    grep LIBRESSL_VERSION centmin.sh
    Step 2. Then select centmin.sh menu option #4 to upgrade/downgrade Nginx recompile Nginx and specify latest Nginx version i.e. 1.9.12.

    For example after recompile Nginx version output will show built with LibreSSL 2.3.3

    for 123.09 beta01 with NGINXMODULE_ALTORDER=y enabled

    LibreSSL 2.3.3



    You'll find latest LibreSSL 2.3.3 on official site.
     
    Last edited: Mar 23, 2016
  2. eva2000

    eva2000 Administrator Staff Member

    54,547
    12,221
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,790
    Local Time:
    5:20 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Alternatively, to update Centmin Mod Nginx, read instructions here or below.

    To update your Centmin Mod builds follow instructions at centminmod.com/upgrade.html and respective version threads below:

    Upgrading Centmin Mod Code to Latest Version



    Upgrading Centmin Mod involves 2 parts.
    1. Upgrading the actual Centmin Mod code outlined at Upgrade Centmin Mod - CentminMod.com LEMP Nginx web stack for CentOS This is heart of Centmin Mod where the code is the engine that runs centmin.sh shell based menu and all the automation you're accustomed to.
    2. Upgrade software that Centmin Mod installed or manages. For this part following outline at Upgrade - How to upgrade Centmin Mod. In this case after updating Centmin Mod code, read instructions here and run centmin.sh menu option 4 to recompile Nginx which already has centmin.sh variable updated to 2.3.3
      Code:
      LIBRESSL_VERSION='2.3.3'
     
  3. eva2000

    eva2000 Administrator Staff Member

    54,547
    12,221
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,790
    Local Time:
    5:20 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    You can tell if your Centmin Mod Nginx is using OpenSSL or LibreSSL via output of SSH command
    Code:
    nginx -V
    If using LibreSSL, built with line will list such
    Code:
    nginx -V
    nginx version: nginx/1.9.12
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with LibreSSL 2.3.3
    If using OpenSSL, built with line will list such
    Code:
    nginx -V
    nginx version: nginx/1.9.12
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC) 
    built with OpenSSL 1.0.2g  1 Mar 2016
    
     
  4. eva2000

    eva2000 Administrator Staff Member

    54,547
    12,221
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,790
    Local Time:
    5:20 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Did fresh 123.09beta01 install with CentOS 7.2 64bit with Nginx and LibreSSL 2.3.3 defaults again which is faster at 686 seconds total versus Nginx with OpenSSL which is ~870 seconds total install time.
    Code (Text):
    ---------------------------------------------------------------------------
    Total Curl Installer YUM Time: 90.8828 seconds
    Total YUM Time: 34.713579895 seconds
    Total YUM + Source Download Time: 51.7102
    Total Nginx First Time Install Time: 99.9429
    Total PHP First Time Install Time: 235.9914
    Download Zip From Github Time: 3.9206
    Total Time Other eg. source compiles: 203.6647
    Total Centmin Mod Install Time: 591.3093
    ---------------------------------------------------------------------------
    Total Install Time (curl yum + cm install + zip download): 686.1127 seconds
    ---------------------------------------------------------------------------
     
  5. arlon

    arlon Member

    95
    6
    8
    Feb 20, 2016
    Ratings:
    +12
    Local Time:
    2:20 PM
    1.13.6
    10.1
    Last edited: Mar 23, 2016
  6. Revenge

    Revenge Active Member

    469
    93
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +354
    Local Time:
    7:20 AM
    1.9.x
    10.1.x
  7. arlon

    arlon Member

    95
    6
    8
    Feb 20, 2016
    Ratings:
    +12
    Local Time:
    2:20 PM
    1.13.6
    10.1
    what is better? openssl or libressl?
     
  8. rdan

    rdan Well-Known Member

    5,446
    1,408
    113
    May 25, 2014
    Ratings:
    +2,201
    Local Time:
    3:20 PM
    Mainline
    10.2
    I'll wait for Nginx 1.9.13 then use this :)
     
  9. Revenge

    Revenge Active Member

    469
    93
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +354
    Local Time:
    7:20 AM
    1.9.x
    10.1.x
    My Opinion:

    1º - Openssl with chacha patch from Cloudflare
    2º - Libressl
    3º - Openssl without the patch