
Nginx Nginx + OpenSSL 3.1 Testing

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Mar 29, 2023.

  1. eva2000

    eva2000 Administrator Staff Member

    OpenSSL 1.1.1 is EOL on September 11, 2023, so there are just over 6 months to go. OpenSSL 3.1 is the next LTS release, so folks can start testing Nginx built against OpenSSL 3.1.0 instead of OpenSSL 1.1.1 using the persistent config override variables set in /etc/centminmod/custom_config.inc below:
    Code (Text):
    OPENSSL_VERSION='3.1.0'   # Use this version of OpenSSL http://openssl.org/
    OPENSSL_VERSIONFALLBACK='3.1.0'   # fallback if OPENSSL_VERSION uses openssl 1.1.x branch
    OPENSSL_VERSION_OLDOVERRIDE='3.1.0' # override version if persist config OPENSSL_VERSION variable is out of date
    

    Then run centmin.sh menu option 4 to recompile the latest Nginx version, 1.23.4, which was just released.



     
  2. buik

    buik “The best traveler is one without a camera.”

    I think it would be smart to switch to Red Hat's OpenSSL 1.1.1, with support still available for several years. Just like the Centmin Mod 8 beta case with Red Hat's MariaDB 10.3, where upstream MariaDB 10.3 support ends in a month or so but Red Hat still supports it until 2029.

    Going back to OpenSSL.
    OpenSSL 3.1 is way too fresh and unstable at the moment.

    Same goes for the already released Centmin Mod 7.
    Red Hat's OpenSSL 1.1.1 is also available for EL7 on EPEL.
    So it shouldn't be a problem for EL7 either.
     
  3. eva2000

    eva2000 Administrator Staff Member

    For EL8, for sure, system OpenSSL 1.1.1 is the default, so maybe.
    Yeah, haven't looked at that as an option on EL7 though.
     
  4. eva2000

    eva2000 Administrator Staff Member

    Ok, added the ability for Nginx to optionally build against the system OpenSSL version, meaning Nginx can now be built against EL8's OpenSSL 1.1.1k or EL9's OpenSSL 3.0.7 as well https://community.centminmod.com/th...r-nginx-system-openssl-in-130-00beta01.24213/ :)

    Was curious about your comment on CentOS 7's OpenSSL 1.1.1 package, but that doesn't seem to have up-to-date backported security fixes; the last fix seems to have been Feb 19, 2023.

    On CentOS 7
    Code (Text):
    repoquery --changelog openssl11
    * Sun Feb 19 2023 Robert Scheck <robert@fedoraproject.org> 1.1.1k-5
    - backport from 1.1.1k-9: Fixed Timing Oracle in RSA Decryption
      Resolves: CVE-2022-4304
    - backport from 1.1.1k-9: Fixed Double free after calling PEM_read_bio_ex
      Resolves: CVE-2022-4450
    - backport from 1.1.1k-9: Fixed Use-after-free following BIO_new_NDEF
      Resolves: CVE-2023-0215
    - backport from 1.1.1k-9: Fixed X.400 address type confusion in X.509 GeneralName
      Resolves: CVE-2023-0286
    - backport from 1.1.1k-8: Fix no-ec build
      Resolves: rhbz#2071020
    

    Though it seems that is the same as EL8's OpenSSL 1.1.1 package, so I guess it's in sync.
    Code (Text):
     repoquery --changelog openssl
    Last metadata expiration check: 0:00:05 ago on Sun 29 Oct 2023 12:48:52 AM EDT.
    Changelog for openssl-1:1.1.1k-9.el8_7.x86_64
    * Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-9
    - Fixed Timing Oracle in RSA Decryption
      Resolves: CVE-2022-4304
    - Fixed Double free after calling PEM_read_bio_ex
      Resolves: CVE-2022-4450
    - Fixed Use-after-free following BIO_new_NDEF
      Resolves: CVE-2023-0215
    - Fixed X.400 address type confusion in X.509 GeneralName
      Resolves: CVE-2023-0286
    


    but both the EL8 system and EPEL7 OpenSSL 1.1.1k packages are missing newer security fixes since OpenSSL 1.1.1u https://www.openssl.org/news/vulnerabilities-1.1.1.html
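The two checks the thread performs by hand, confirming which OpenSSL an Nginx binary was built against (post 1) and reading an RPM changelog to see which CVE fixes a distro OpenSSL package carries and how old its newest entry is (post 4), can be scripted. The following is an added example written for this page, not Centmin Mod's own code. The `nginx -V` output and the changelog text are constructed samples (the changelog mirrors the EPEL7 entries quoted above), the `REQUIRED_CVES` list contains a deliberately fake placeholder ID to show a missing fix, and `UPSTREAM_RELEASE_PLACEHOLDER` is a made-up date standing in for the real release date of the newer upstream OpenSSL you are comparing against.

```python
"""Added example (not Centmin Mod code): report which OpenSSL an Nginx binary
was linked against and whether a distro OpenSSL package's RPM changelog still
carries the CVE fixes you require."""
import re
from datetime import date, datetime
from typing import Optional

# Constructed sample of `nginx -V` (it prints to stderr); versions are placeholders.
# When the runtime library differs from the build-time one, nginx also prints a
# "(running with OpenSSL ...)" line, which is why matching on "built with" matters.
SAMPLE_NGINX_V = """nginx version: nginx/1.23.4
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-18) (GCC)
built with OpenSSL 3.1.0 14 Mar 2023
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-openssl=../openssl-3.1.0
"""

# Constructed sample of `repoquery --changelog openssl11` output, using the
# entries quoted in the thread plus one older, made-up entry.
SAMPLE_CHANGELOG = """* Sun Feb 19 2023 Robert Scheck <robert@fedoraproject.org> 1.1.1k-5
- backport from 1.1.1k-9: Fixed Timing Oracle in RSA Decryption
  Resolves: CVE-2022-4304
- backport from 1.1.1k-9: Fixed Double free after calling PEM_read_bio_ex
  Resolves: CVE-2022-4450
- backport from 1.1.1k-9: Fixed Use-after-free following BIO_new_NDEF
  Resolves: CVE-2023-0215
- backport from 1.1.1k-9: Fixed X.400 address type confusion in X.509 GeneralName
  Resolves: CVE-2023-0286
- backport from 1.1.1k-8: Fix no-ec build
  Resolves: rhbz#2071020
* Thu Oct 07 2021 Robert Scheck <robert@fedoraproject.org> 1.1.1k-4
- older constructed entry with no CVE
"""

# CVEs you require the package to have fixed: the four from the thread plus a
# fake placeholder ID that no changelog will contain, to demonstrate a gap.
REQUIRED_CVES = [
    "CVE-2022-4304", "CVE-2022-4450", "CVE-2023-0215", "CVE-2023-0286",
    "CVE-0000-00000",  # placeholder, not a real CVE
]

# Placeholder for the release date of the newer upstream OpenSSL you compare
# against; look the real date up on openssl.org before relying on this.
UPSTREAM_RELEASE_PLACEHOLDER = date(2023, 6, 1)

BUILT_WITH_RE = re.compile(r"^built with OpenSSL (\S+)", re.MULTILINE)
ENTRY_DATE_RE = re.compile(r"^\*\s+(\w{3} \w{3} \d{1,2} \d{4})", re.MULTILINE)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def linked_openssl(nginx_v_output: str) -> Optional[str]:
    """Return the OpenSSL version string nginx reports it was built with."""
    match = BUILT_WITH_RE.search(nginx_v_output)
    return match.group(1) if match else None


def changelog_summary(changelog: str) -> dict:
    """Collect every CVE ID mentioned and the date of the newest '* ' entry."""
    cves = set(CVE_RE.findall(changelog))
    dates = [datetime.strptime(d, "%a %b %d %Y").date()
             for d in ENTRY_DATE_RE.findall(changelog)]
    return {"cves": cves, "latest": max(dates) if dates else None}


def missing_fixes(changelog: str, required_cves) -> set:
    """Required CVE IDs that the changelog never claims to fix."""
    return set(required_cves) - changelog_summary(changelog)["cves"]


def stale_since(changelog: str, upstream_release: date) -> bool:
    """True when the package's newest changelog entry predates an upstream release."""
    latest = changelog_summary(changelog)["latest"]
    return latest is None or latest < upstream_release


if __name__ == "__main__":
    print("nginx built with OpenSSL:", linked_openssl(SAMPLE_NGINX_V))
    summary = changelog_summary(SAMPLE_CHANGELOG)
    print("package fixes:", sorted(summary["cves"]), "newest entry:", summary["latest"])
    print("required fixes missing:", missing_fixes(SAMPLE_CHANGELOG, REQUIRED_CVES))
    print("package older than upstream release:",
          stale_since(SAMPLE_CHANGELOG, UPSTREAM_RELEASE_PLACEHOLDER))
```

On a real host you would feed it `nginx -V 2>&1` and `repoquery --changelog <package>` output instead of the samples. Note that a changelog only records what the packager wrote down; treat a CVE ID that is absent as "unconfirmed" and verify against the vendor's advisory rather than assuming the package is vulnerable.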