
Security LibreSSL May 2017: LibreSSL 2.5.4 Stable Release

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, May 4, 2017.

  1. eva2000

    eva2000 Administrator Staff Member


    Centmin Mod + LibreSSL 2.5.4



    LibreSSL 2.5.4 is now the latest stable release (https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.5.4-relnotes.txt):

    The Centmin Mod 123.08stable and 123.09beta01 GitHub branches, corresponding to Centmin Mod 1.2.3-eva2000.08 stable and Centmin Mod 1.2.3-eva2000.09 beta01, have been updated to default to LibreSSL 2.5.4 for new fresh installs. For existing folks, follow the update instructions below.

    Centmin Mod Nginx Update LibreSSL



    For Centmin Mod 1.2.3-eva2000.08 beta03, .08 stable and higher you can update to LibreSSL 2.5.4 in 2 steps.

    Step 1. Update the centmin.sh LIBRESSL_VERSION variable to 2.5.4. The best way is to use centmin.sh menu option 23 submenu option 2 for auto-updating Centmin Mod code, as outlined at centminmod.com/upgrade.html and at https://community.centminmod.com/threads/new-08-beta-menu-option-updating-centmin-mod-via-git.3084/. That will auto-update centmin.sh to the latest version, which already has LIBRESSL_VERSION='2.5.4' set.

    Check your updated Centmin Mod centmin.sh to see if LIBRESSL_VERSION='2.5.4' is set. If it is not set and you do not have centmin.sh menu option 23 submenu option 1 for git environment setup, then you need to update it manually by editing your persistent config file (create it if it doesn't exist) at /etc/centminmod/custom_config.inc and adding to it:

    Code (Text):
    # LibreSSL
    LIBRESSL_SWITCH='y'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
    LIBRESSL_VERSION='2.5.4'   # Use this version of LibreSSL http://www.libressl.org/


    Step 2. Then select centmin.sh menu option #4 to upgrade/downgrade Nginx, recompile Nginx and specify the latest Nginx version, i.e. 1.13.0 or newer.

    For example, after the recompile the Nginx version output will show it was built with LibreSSL 2.5.4.

    For 123.09 beta01

    LibreSSL 2.5.4



    You'll find the latest LibreSSL 2.5.4 on the official site.
  2. eva2000

    eva2000 Administrator Staff Member

    Hmm, it seems LibreSSL 2.5.1 to 2.5.3 have a security vulnerability - CVE-2017-8301: TLS verification vulnerability in LibreSSL 2.5.1 - 2.5.3. It seems this was fixed in LibreSSL 2.5.4: https://community.centminmod.com/threads/may-2017-libressl-2-5-4-stable-release.11604/#post-49511

    For now, Centmin Mod Nginx users can manually switch their Nginx builds from LibreSSL back to OpenSSL by following these steps:

    Updating Centmin Mod Nginx For LibreSSL CVE-2017-8301



    1. Create or edit your persistent config file at /etc/centminmod/custom_config.inc and add this variable to switch off the LibreSSL default usage in Centmin Mod Nginx and switch back to using OpenSSL, which defaults to the OPENSSL_VERSION-defined OpenSSL 1.0.2k right now:
    Code (Text):
    LIBRESSL_SWITCH='n'
    


    2. Run centmin.sh menu option 4 and recompile Nginx to use OpenSSL by specifying the Nginx version you want to update to, i.e. 1.13.0

    CVE-2017-8301 details



    #1257 (Some nginx TLS tests started failing with LibreSSL 2.5.3) – nginx

     
    Last edited: May 6, 2017
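    A small POSIX shell helper, added here as an example and not Centmin Mod's or LibreSSL's own code, that ties the first two posts together: it reads captured `nginx -V` output to see which library Nginx was linked against, flags a LibreSSL build in the 2.5.1 to 2.5.3 range named for CVE-2017-8301, and sets `LIBRESSL_SWITCH` / `LIBRESSL_VERSION` in a centmin.sh-style config file without leaving duplicate assignments. The `nginx -V` text is constructed, and the function names are my own.

```shell
# Added example, not Centmin Mod's own code. Helpers to audit the TLS library an
# Nginx binary was built with and to set centmin.sh variables persistently.
# Print "<library> <version>" (e.g. "LibreSSL 2.5.3") from "nginx -V" output ($1).
nginx_built_with() {
  printf '%s\n' "$1" | awk '
    { for (i = 1; i < NF; i++)
        if ($i == "with" && ($(i+1) == "LibreSSL" || $(i+1) == "OpenSSL")) {
          print $(i+1), $(i+2); exit
        }
    }'
}
# True (exit 0) when a LibreSSL version is in the CVE-2017-8301 range 2.5.1-2.5.3.
libressl_affected_by_cve_2017_8301() {
  case "$1" in
    2.5.1|2.5.2|2.5.3) return 0 ;;
    *) return 1 ;;
  esac
}
# Set NAME=VALUE in a centmin.sh-style config file ($1), replacing an existing
# assignment instead of appending a duplicate, so repeated runs stay clean.
set_centmin_var() {
  file=$1 name=$2 value=$3
  [ -f "$file" ] || : > "$file"
  if grep -q "^${name}=" "$file"; then
    awk -v n="$name" -v v="$value" \
      'index($0, n "=") == 1 { print n "=" v; next } { print }' \
      "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s=%s\n' "$name" "$value" >> "$file"
  fi
}
# Summarise what the thread recommends for a given "nginx -V" output.
recommend_action() {
  built=$(nginx_built_with "$1")
  lib=${built%% *} ver=${built#* }
  if [ "$lib" = "LibreSSL" ] && libressl_affected_by_cve_2017_8301 "$ver"; then
    echo "AFFECTED ($built): set LIBRESSL_VERSION='2.5.4' (or LIBRESSL_SWITCH='n') and recompile via menu option 4"
  else
    echo "OK ($built): no CVE-2017-8301 action needed"
  fi
}
# Constructed sample of "nginx -V" output (the real command prints to stderr).
SAMPLE_NGINX_V='nginx version: nginx/1.13.0
built with LibreSSL 2.5.3
TLS SNI support enabled'
recommend_action "$SAMPLE_NGINX_V"
```

    On a real server feed it `nginx -V 2>&1` and point `set_centmin_var` at /etc/centminmod/custom_config.inc; the recompile itself is still done through centmin.sh menu option 4 as described above.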
  3. eva2000

    eva2000 Administrator Staff Member

    Update. It seems LibreSSL 2.5.4 fixed this (Some nginx TLS tests started failing with LibreSSL 2.5.3 (but not with 2.4.4) · Issue #307 · libressl-portable/portable · GitHub), but their release notes (https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.5.4-relnotes.txt) make no mention of this at all as a CVE security issue; it was passed off as a bug fix.
    So folks who got the forum alert don't need to switch to OpenSSL if they are on LibreSSL 2.5.4 as instructed in the 1st post.

    The 2nd post in this thread, though, highlights how flexible Centmin Mod Nginx is: it can use either the LibreSSL or the OpenSSL crypto library for HTTPS, so you can switch between them for Nginx HTTPS usage depending on your needs or if urgent security issues or bugs are found, as outlined at https://community.centminmod.com/th...bressl-openssl-support-in-123-09beta01.11122/ :)
     
    Last edited: May 6, 2017
  4. RoldanLT

    RoldanLT Well-Known Member

    I switched back to LibreSSL for now as it has much wider support for CHACHA20_POLY1305.

    [attached screenshot: upload_2017-6-9_20-29-23.png]
  5. nfn

    nfn New Member

    Hi

    Could you share your SSL Ciphers?

    Thanks
     
  6. RoldanLT

    RoldanLT Well-Known Member
