
Security OpenSSL March 2018: OpenSSL 1.0.2o & 1.1.0h Updates + Centmin Mod Nginx

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Mar 22, 2018.

  1. eva2000 (Administrator, Staff Member)
    Next week on March 27th, 2018, OpenSSL 1.0.2o and 1.1.0h security updates will be released [openssl-announce] Forthcoming OpenSSL releases

     
  2. bassie (Active Member)
    Released as of today.
    Not something to really worry about as it is flagged as MODERATE (Second to last).

    OpenSSL 1.1.0 vulnerabilities:
    /news/vulnerabilities.html
     
  3. eva2000 (Administrator, Staff Member)
    OpenSSL 1.0.2o & 1.1.0h Release Information



    OpenSSL folks are releasing OpenSSL 1.1.0h and 1.0.2o updates [change log]. Centmin Mod 123.08stable only supports OpenSSL 1.0.2o for Nginx SSL. Centmin Mod 123.09beta01 supports both OpenSSL 1.1.0h and 1.0.2o for Nginx SSL.

    Notes:


    • Prior to Feb 25th, 2016, Centmin Mod Nginx from 1.2.3-eva2000.08 (123.08stable) onwards was by default compiled against LibreSSL 2.2 instead of OpenSSL 1.0.2o, so it generally doesn't need updating on the Centmin Mod Nginx side. But CentOS system OpenSSL may need updates.
    • After Feb 25th, 2016, Centmin Mod 123.08stable version of Nginx has switched back to being compiled against OpenSSL 1.0.2+ for out of box defaults due to Nginx 1.9.12 compatibility issues with LibreSSL. While 123.09beta01 has switched back to LibreSSL 2.5 branch.
    • After Feb 24th, 2018, Centmin Mod 123.09beta01 switched back to OpenSSL defaults as at Feb 24, 2018

    Centmin Mod LEMP Upgrade OpenSSL 1.1.0h or 1.0.2o



    For Centmin Mod LEMP stack 1.2.3-eva2000.08 stable and higher, there are 2 parts to updating OpenSSL: the system YUM package back-ported update + the Nginx OpenSSL static compilation for the front-facing Nginx server and https/SSL.

    For Centmin Mod 1.2.3-eva2000.08 stable (123.08stable uses 1.0.2o) and higher (including betas like 123.09beta01, which use 1.1.0h) you need to do 2 updates:
    1. System OpenSSL update for CentOS
    2. Nginx recompile with the OPENSSL_VERSION='1.1.0h' or OPENSSL_VERSION='1.0.2o' variable set. Check your updated Centmin Mod centmin.sh to see if OPENSSL_VERSION='1.1.0h' or OPENSSL_VERSION='1.0.2o' is set. If not set, then you need to manually update and edit your server copy by setting OPENSSL_VERSION='1.1.0h' or OPENSSL_VERSION='1.0.2o' in your persistent config file (create it if it doesn't exist) at /etc/centminmod/custom_config.inc and add to it
      Code (Text):
      OPENSSL_VERSION='1.1.0h'
      or
      Code (Text):
      OPENSSL_VERSION='1.0.2o'
    Centmin Mod Nginx doesn't use system OpenSSL and is compiled statically; the check command below will return blank/nothing for Centmin Mod Nginx. There's a reason why Centmin Mod Nginx is compiled against a statically linked OpenSSL version.

    Code (Text):
     ldd `which nginx` | grep ssl


    will come back empty for Centmin Mod Nginx based servers.

    System OpenSSL update for CentOS



    These OpenSSL 1.0.2o and 1.1.0h updates are not applicable to CentOS 7.3 and lower system OpenSSL, which is on the 1.0.1x branch. But if updated to CentOS 7.4, it was rebased to the OpenSSL 1.0.2 branch, so it may have an update.

    Nginx recompile with OpenSSL 1.1.0h or 1.0.2o



    • Prior to Feb 25th, 2016, Centmin Mod Nginx from 1.2.3-eva2000.08 (123.08stable) onwards was by default compiled against LibreSSL 2.2 instead of OpenSSL 1.0.2o, so it generally doesn't need updating on the Centmin Mod Nginx side. But CentOS system OpenSSL may need updates.
    • After Feb 25th, 2016, Centmin Mod 123.08stable version of Nginx has switched back to being compiled against OpenSSL 1.0.2+ for out of box defaults due to Nginx 1.9.12 compatibility issues with LibreSSL. While 123.09beta01 has switched back to LibreSSL 2.5 branch.
    • After Feb 24th, 2018, Centmin Mod 123.09beta01 switched back to OpenSSL defaults as at Feb 24, 2018
    To update if you are using OpenSSL and not the prior default Centmin Mod Nginx LibreSSL, edit your centmin.sh file variable OPENSSL_VERSION. There are 2 ways to do that:
    1. The best way is to use centmin.sh menu option 23 submenu option 2 for auto updating Centmin Mod code as outlined at https://centminmod.com/upgrade.html and at https://community.centminmod.com/threads/new-08-beta-menu-option-updating-centmin-mod-via-git.3084/. If Centmin Mod code has been updated, that method will auto update centmin.sh to the latest version which already has OPENSSL_VERSION='1.0.2o' set. After updating via git centmin.sh menu option 23 submenu options, verify in centmin.sh that OPENSSL_VERSION='1.0.2o' is set.
    2. If you do not have centmin.sh menu option 23 submenu option 1 for git environment setup, or if centmin.sh doesn't have OPENSSL_VERSION='1.0.2o' set, then you need to manually update and edit your server copy by setting OPENSSL_VERSION='1.1.0h' or OPENSSL_VERSION='1.0.2o' in your persistent config file (create it if it doesn't exist) at /etc/centminmod/custom_config.inc and add to it
      Code (Text):
      OPENSSL_VERSION='1.0.2o'
      or
      Code (Text):
      OPENSSL_VERSION='1.1.0h'
      Then run centmin.sh menu option 4 to recompile Nginx. When prompted to select yes or no for YUM checks, select NO (really, the system OpenSSL update step above wouldn't be needed if you select yes to YUM checks here ;) ). Then when prompted, specify Nginx version = 1.13.10 or newer. Let the Nginx recompile run to completion; it should say Nginx installed successfully. Check if Nginx was compiled against 1.0.2o using the nginx -V command.
    You can tell if your Centmin Mod Nginx is using OpenSSL or LibreSSL via the output of the SSH command
    Code (Text):
    nginx -V


    If using LibreSSL, the "built with" line will list something like
    Code (Text):
    nginx -V
    nginx version: nginx/1.13.10
    built by gcc 8.0.1 20180318 (experimental) (GCC)
    built with LibreSSL 2.7.0


    If using OpenSSL, the "built with" line will list something like
    Code (Text):
    nginx -V
    nginx version: nginx/1.13.10
    built by gcc 8.0.1 20180318 (experimental) (GCC)
    built with OpenSSL 1.1.0h  27 Mar 2018
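The two-step procedure in the post above (set OPENSSL_VERSION in the persistent config, recompile, then confirm with `nginx -V` and `ldd`) can be scripted so the check is repeatable after every OpenSSL release. The following is an added example written for this thread, not Centmin Mod's own code. It assumes only what the post states: the config path /etc/centminmod/custom_config.inc and the OPENSSL_VERSION variable. The `nginx -V` samples are copied from this thread; the `ldd` samples are constructed (made-up addresses) to show a static build beside a distro build that links the system libssl. The function and variable names (set_openssl_version, built_with, verify_built_with, ssl_link_mode) are the example's own.

```shell
#!/bin/bash
# Added example for this thread, not Centmin Mod's own code.
# Assumptions: config path /etc/centminmod/custom_config.inc and the
# OPENSSL_VERSION variable are from the post; nginx -V samples are from the
# thread; ldd samples below are constructed.

# set_openssl_version FILE VERSION
# Rewrite FILE so it holds exactly one OPENSSL_VERSION='VERSION' line (any
# earlier setting is dropped, so re-running never appends duplicates).
# Creates FILE (and its directory) if missing. Rejects non-version strings.
set_openssl_version() {
  local file="$1" ver="$2"
  case "$ver" in
    [0-9].[0-9].[0-9]*) ;;   # e.g. 1.0.2o or 1.1.0h
    *) echo "unexpected OpenSSL version: '$ver'" >&2; return 1 ;;
  esac
  [ -f "$file" ] || { mkdir -p "$(dirname "$file")"; : > "$file"; }
  { grep -v '^OPENSSL_VERSION=' "$file" || true
    printf "OPENSSL_VERSION='%s'\n" "$ver"; } > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_openssl_version FILE: print the configured value, or nothing if unset.
get_openssl_version() {
  [ -f "$1" ] || return 0
  sed -n "s/^OPENSSL_VERSION='\([^']*\)'.*/\1/p" "$1" | tail -n1
}

# built_with: read nginx -V output on stdin, print "<Library> <version>" from
# the "built with" line, e.g. "OpenSSL 1.1.0h" or "LibreSSL 2.7.0".
# nginx -V writes to stderr, so the live call is:  nginx -V 2>&1 | built_with
built_with() {
  sed -n 's/^built with \([A-Za-z]*SSL\) \([0-9][^ ]*\).*/\1 \2/p' | head -n1
}

# verify_built_with LIBRARY VERSION: exit 0 when stdin (nginx -V output)
# reports exactly that library and version, 1 otherwise.
verify_built_with() {
  [ "$(built_with)" = "$1 $2" ]
}

# ssl_link_mode: read ldd output on stdin; print "dynamic" if libssl or
# libcrypto is resolved at runtime, "static" otherwise. A Centmin Mod build
# should print "static", since its Nginx carries its own OpenSSL.
# Live call:  ldd "$(command -v nginx)" | ssl_link_mode
ssl_link_mode() {
  if grep -Eq 'lib(ssl|crypto)\.so'; then echo dynamic; else echo static; fi
}

# nginx -V output copied from this thread (OpenSSL build, then LibreSSL build).
SAMPLE_V_OPENSSL='nginx version: nginx/1.13.10
built by gcc 7.2.1 20170829 (Red Hat 7.2.1-1) (GCC)
built with OpenSSL 1.1.0h  27 Mar 2018
TLS SNI support enabled'
SAMPLE_V_LIBRESSL='nginx version: nginx/1.13.10
built by gcc 8.0.1 20180318 (experimental) (GCC)
built with LibreSSL 2.7.0'

# Constructed ldd output: a static Centmin Mod style build (no libssl line)
# and a distro nginx that links the system libssl. Addresses are made up.
SAMPLE_LDD_STATIC='    linux-vdso.so.1 =>  (0x00007ffc8a1f0000)
    libjemalloc.so.2 => /usr/local/lib/libjemalloc.so.2 (0x00007f2f1c000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f2f1ba00000)'
SAMPLE_LDD_DYNAMIC='    libssl.so.10 => /lib64/libssl.so.10 (0x00007f0a9d000000)
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0a9cc00000)'

# Demo on a temp file and the samples above. On a real server, replace the
# temp file with /etc/centminmod/custom_config.inc, recompile via centmin.sh
# menu option 4, then feed the live nginx -V and ldd output to the checks.
demo() {
  local cfg; cfg="$(mktemp)"
  set_openssl_version "$cfg" 1.0.2o
  set_openssl_version "$cfg" 1.1.0h    # second call replaces, does not append
  echo "config sets OPENSSL_VERSION=$(get_openssl_version "$cfg")"
  printf '%s\n' "$SAMPLE_V_OPENSSL"  | built_with
  printf '%s\n' "$SAMPLE_V_LIBRESSL" | built_with
  printf '%s\n' "$SAMPLE_LDD_STATIC"  | ssl_link_mode
  printf '%s\n' "$SAMPLE_LDD_DYNAMIC" | ssl_link_mode
  if printf '%s\n' "$SAMPLE_V_OPENSSL" | verify_built_with OpenSSL "$(get_openssl_version "$cfg")"; then
    echo "nginx matches the configured OpenSSL version"
  else
    echo "nginx does NOT match; recompile Nginx via centmin.sh menu option 4"
  fi
  rm -f "$cfg"
}
demo
```

The version match is the check worth automating: after an OpenSSL release, the value in custom_config.inc and the "built with" line of `nginx -V` drift apart until Nginx is recompiled, and `ldd` alone cannot tell you that because a statically linked Nginx shows no libssl either way. Note that `grep ssl` from the post would miss a build that only links libcrypto dynamically, which is why the example also matches libcrypto.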
    
     
  4. Jimmy (Premium Member)
    Just did an nginx update.

    Code:
    nginx -V
    nginx version: nginx/1.13.10
    built by gcc 7.2.1 20170829 (Red Hat 7.2.1-1) (GCC)
    built with OpenSSL 1.1.0h  27 Mar 2018
    TLS SNI support enabled
    Code:
    LETSENCRYPT_DETECT='n'
    NGXDYNAMIC_BROTLI='y'
    NGINX_LIBBROTLI='y'
    PHP_PGO='y'
    NGINX_UPDATEMAINTENANCE='y'
    PHP_UPDATEMAINTENANCE='y'
    MARIADB_UPDATEMAINTENANCE='y'
    NGINX_PAGESPEED='y'
    NGXDYNAMIC_NGXPAGESPEED='y'
    NGINX_IPV='y'
    NGINX_MP4='y'
    PHP_OVERWRITECONF='n'
    NGINXBACKUP='n'
    Not sure my post Feb 25th 2016 123.09beta01 install is using LibreSSL by default.
     
  5. eva2000 (Administrator, Staff Member)
    Need to update that Centmin Mod 123.09beta01 switched back to OpenSSL defaults as at Feb 24, 2018
     
  6. rdan (Premium Member)
     
  7. Sunka (Well-Known Member)
     
  8. ArisC (Active Member)
    Code:
    nginx version: nginx/1.13.10
    built by gcc 7.2.1 20170829 (Red Hat 7.2.1-1) (GCC)
    built with OpenSSL 1.1.0h  27 Mar 2018
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -march=x86-64 -DTCP_FASTOPEN=23 -g -O3 -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wp,-D_FORTIFY_SOURCE=2 -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.4.2 --add-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.31 --add-dynamic-module=../echo-nginx-module-0.61 --add-module=../redis2-nginx-module-0.14 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre=../pcre-8.42 --with-pcre-jit --with-zlib=../zlib-cloudflare-1.3.0 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.0h --with-openssl-opt='enable-ec_nistp_64_gcc_128'
     