Security OpenSSL November 2017: OpenSSL 1.0.2m & 1.1.0g Updates + Centmin Mod Nginx

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Nov 3, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    OpenSSL 1.0.2m & 1.1.0g Release Information

    OpenSSL folks are releasing OpenSSL 1.1.0g and 1.0.2m updates [change log]. Centmin Mod 123.08stable only supports OpenSSL 1.0.2m for Nginx SSL. Centmin Mod 123.09beta01 supports both OpenSSL 1.1.0g and 1.0.2m for Nginx SSL.

    Change log /news/changelog.html

    Notes:

    • Prior to Feb 25th, 2016, Centmin Mod Nginx from 1.2.3-eva2000.08 (123.08stable) onwards was by default compiled against LibreSSL 2.2 instead of OpenSSL 1.0.2m, so it generally doesn't need updating on the Centmin Mod Nginx side. But CentOS system OpenSSL may need updates.
    • After Feb 25th, 2016, the Centmin Mod 123.08stable version of Nginx switched back to being compiled against OpenSSL 1.0.2+ for out of the box defaults due to Nginx 1.9.12 compatibility issues with LibreSSL, while 123.09beta01 has switched back to the LibreSSL 2.4 branch.

    Centmin Mod LEMP Upgrade OpenSSL 1.0.2m

    For Centmin Mod LEMP stack 1.2.3-eva2000.08 stable and higher, there are 2 parts to updating OpenSSL - a back ported system YUM package update, plus Nginx OpenSSL static compilation for the front facing Nginx server and https/SSL.

    For Centmin Mod 1.2.3-eva2000.08 stable (123.08stable) and higher (including betas) you need to do 2 updates:
    1. System OpenSSL update for CentOS
    2. Nginx recompile with the OPENSSL_VER='1.0.2m' variable set. Check your updated Centmin Mod centmin.sh to see if OPENSSL_VER='1.0.2m' is set. If not set, then you need to manually set OPENSSL_VERSION='1.0.2m' in your persistent config file (create it if it doesn't exist) at /etc/centminmod/custom_config.inc by adding to it
      Code (Text):
      OPENSSL_VERSION='1.0.2m'
    Centmin Mod Nginx doesn't use system OpenSSL and is compiled statically - the check command below will return blank/nothing for Centmin Mod Nginx. There's a reason why Centmin Mod Nginx is compiled against a statically linked OpenSSL version.

    Code (Text):
    ldd `which nginx` | grep ssl

    will come back empty for Centmin Mod Nginx based servers.

    System OpenSSL update for CentOS

    These OpenSSL 1.0.2m and 1.1.0g updates are not applicable to the CentOS 7.3 and lower system OpenSSL, which is on the 1.0.1x branch. But CentOS 7.4 rebased to the OpenSSL 1.0.2 branch, so it may have an update.

    Nginx recompile with OPENSSL_VER='1.0.2m'

    • Prior to Feb 25th, 2016, Centmin Mod Nginx from 1.2.3-eva2000.08 (123.08stable) onwards was by default compiled against LibreSSL 2.2 instead of OpenSSL 1.0.2m, so it generally doesn't need updating on the Centmin Mod Nginx side. But CentOS system OpenSSL may need updates.
    • After Feb 25th, 2016, the Centmin Mod 123.08stable version of Nginx switched back to being compiled against OpenSSL 1.0.2+ for out of the box defaults due to Nginx 1.9.12 compatibility issues with LibreSSL, while 123.09beta01 has switched back to the LibreSSL 2.5 branch.
    To update if you are using OpenSSL and not the prior default Centmin Mod Nginx LibreSSL, edit your centmin.sh file variable for OPENSSL_VERSION. There are 2 ways to do that:
    1. Best way is to use centmin.sh menu option 23 submenu option 2 for auto updating Centmin Mod code as outlined at centminmod.com/upgrade.html and at https://community.centminmod.com/threads/new-08-beta-menu-option-updating-centmin-mod-via-git.3084/. If Centmin Mod code has been updated, that method will auto update centmin.sh to the latest version, which already has OPENSSL_VERSION='1.0.2m' set. After updating via git centmin.sh menu option 23 submenu options, verify in centmin.sh that OPENSSL_VERSION='1.0.2m' is set.
    2. If you do not have centmin.sh menu option 23 submenu option 1 for git environment setup, or if centmin.sh doesn't have OPENSSL_VERSION='1.0.2m' set, then you need to manually set OPENSSL_VERSION='1.0.2m' in your persistent config file (create it if it doesn't exist) at /etc/centminmod/custom_config.inc by adding to it
      Code (Text):
      OPENSSL_VERSION='1.0.2m'
      Then run centmin.sh menu option 4 to recompile Nginx. When prompted to select yes or no for YUM checks, select NO (really, the system OpenSSL update step above wouldn't be needed if you select yes to YUM checks here ;) ). Then when prompted, specify Nginx version = 1.13.6 or newer. Let the Nginx recompile run to completion; it should say Nginx installed successfully. Check if Nginx compiled against 1.0.2m using the nginx -V command.
    You can tell if your Centmin Mod Nginx is using OpenSSL or LibreSSL via output of SSH command
    Code (Text):
    nginx -V


    If using LibreSSL, the built with line will list something like
    Code (Text):
    nginx -V
    nginx version: nginx/1.13.6
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with LibreSSL 2.5.5


    If using OpenSSL, the built with line will list something like
    Code (Text):
    nginx -V
    nginx version: nginx/1.13.6
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with OpenSSL 1.1.0g  2 Nov 2017
    Last edited: Nov 3, 2017
  2. eva2000
    Centmin Mod Nginx only uses OpenSSL 1.0.2+ or LibreSSL 2.4/2.5 for 123.08stable, or OpenSSL 1.1.0+ or LibreSSL 2.5 for 123.09beta01. Centmin Mod 123.09beta01 supports using the OpenSSL 1.1.0+ branch as well.

    Updating if you're on the previous OpenSSL 1.1.0f version is as easy as updating the overridden version in /etc/centminmod/custom_config.inc and then recompiling Nginx via the centmin.sh menu option. Just set the same:
    Code (Text):
    OPENSSL_VERSION='1.1.0g'
    LIBRESSL_SWITCH='n'

    You can tell if your Centmin Mod Nginx is using OpenSSL or LibreSSL via output of SSH command
    Code (Text):
    nginx -V


    If using LibreSSL, the built with line will list something like
    Code (Text):
    nginx -V
    nginx version: nginx/1.13.6
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with LibreSSL 2.5.5


    If using OpenSSL 1.1.0g, the built with line will list something like
    Code (Text):
    nginx -V
    nginx version: nginx/1.13.6
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with OpenSSL 1.1.0g  2 Nov 2017

    You don't need to update to OpenSSL 1.1.0g if you are using either LibreSSL 2.5.5 or OpenSSL 1.0.2m unless you want to try out OpenSSL 1.1.0g.

    Lua Nginx Compatibility With OpenSSL 1.1.0+ Branch

    Note, if you use the Lua nginx module and set in persistent config /etc/centminmod/custom_config.inc the following variables
    Code (Text):
    NGXDYNAMIC_LUA='y'
    ORESTY_LUANGINX='y'
    

    Then on nginx recompile, Centmin Mod falls back to OpenSSL 1.0.2 branch for 1.0.2m version as Lua Nginx module is not 100% compatible with LibreSSL nor is it compatible with OpenSSL 1.1.0 branch.
     
    Last edited: Nov 3, 2017
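    The verification steps from the first two posts (set OPENSSL_VERSION and LIBRESSL_SWITCH in custom_config.inc, recompile, then read the built with line of nginx -V), as an added shell check that is not Centmin Mod's own code; the nginx -V output and custom_config.inc text are constructed samples and the function names are mine.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own code: parse the "built with" line of
# `nginx -V` to see which TLS library the statically linked Nginx was built
# against, and compare that with what custom_config.inc asks for.
# Sample inputs below are constructed; on a server use `nginx -V 2>&1`
# (nginx -V prints to stderr) and `cat /etc/centminmod/custom_config.inc`.

SAMPLE_NGINX_V='nginx version: nginx/1.13.6
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with OpenSSL 1.1.0g  2 Nov 2017
TLS SNI support enabled'

SAMPLE_CONFIG="OPENSSL_VERSION='1.1.0g'
LIBRESSL_SWITCH='n'"

# stdin: nginx -V output; stdout: "OpenSSL 1.1.0g" or "LibreSSL 2.5.5".
ssl_lib_from_nginx_v() {
  awk '/^built with (OpenSSL|LibreSSL) / { print $3, $4; exit }'
}

# stdin: custom_config.inc text; stdout: value of variable $1 ('' if unset).
config_value() {
  awk -F"'" -v key="$1" '$0 ~ "^" key "=" { print $2; exit }'
}

# Return 0 when the library Nginx reports matches the persistent config:
# LIBRESSL_SWITCH='y' expects LibreSSL, otherwise OpenSSL at OPENSSL_VERSION.
check_matches() {
  built=$(printf '%s\n' "$1" | ssl_lib_from_nginx_v)
  switch=$(printf '%s\n' "$2" | config_value LIBRESSL_SWITCH)
  wanted=$(printf '%s\n' "$2" | config_value OPENSSL_VERSION)
  if [ "$switch" = "y" ]; then
    case "$built" in "LibreSSL "*) return 0 ;; *) return 1 ;; esac
  fi
  [ "$built" = "OpenSSL $wanted" ]
}

# Centmin Mod Nginx is statically linked, so ldd shows no libssl; a hit here
# means the nginx binary on this box uses the system OpenSSL instead.
nginx_links_system_ssl() {
  command -v nginx >/dev/null 2>&1 && ldd "$(command -v nginx)" | grep -q ssl
}

if check_matches "$SAMPLE_NGINX_V" "$SAMPLE_CONFIG"; then
  echo "nginx built with: $(printf '%s\n' "$SAMPLE_NGINX_V" | ssl_lib_from_nginx_v) (matches config)"
else
  echo "mismatch: nginx reports '$(printf '%s\n' "$SAMPLE_NGINX_V" | ssl_lib_from_nginx_v)', config wants OpenSSL ${wanted:-unset}"
fi
```

    A mismatch after a recompile usually means the override was written to the wrong file or the Lua fallback to the 1.0.2 branch described in the second post kicked in.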
  3. eva2000
    Tip, before you run a specific centmin.sh menu command, you can also ensure Centmin Mod code in /usr/local/src/centminmod is always up to date by running centmin.sh menu option 23 submenu option 2 and then exiting centmin.sh via menu option 24, then re-run centmin.sh.

    Or you can use the equivalent git pull command to update, which is what the auto update via cronjob does, as outlined here: Beta Branch - Cronjob Auto Updating Centmin Mod Code Guide

    This is how I update Centmin Mod code
    Code (Text):
    cmdir
    git stash
    git pull
    ./centmin.sh
    

    As the update is outside of the centmin.sh menu run, I do not need to exit centmin.sh and re-run centmin.sh.
    Example of git pull output:
    Code (Text):
    git pull
    Updating 38026f2..a0e8590
    Fast-forward
     addons/golang.sh                           |    2 +-
     centmin.sh                                 |    8 ++++----
     config/memcached/memcached                 |    4 ++--
     config/memcached/memcached-socketfix.patch |    4 ++--
     config/memcached/memcached2                |    4 ++--
     example/custom_config.inc                  |    4 ++--
     inc/cpcheck.inc                            |   19 +++++++++++--------
     inc/memcached_install.inc                  |    3 +++
     inc/nginx_patch.inc                        |    2 +-
     inc/openssl_install.inc                    |   10 ++++++----
     tools/nginxupdate.sh                       |    4 ++--
     11 files changed, 36 insertions(+), 28 deletions(-)
    

    So on this Centmin Mod server's local code at /usr/local/src/centminmod there were 11 files needing update.
     
  4. eva2000
  5. eva2000
    updated :)
     
  6. Carlo

    Carlo New Member
    That should be LIBRESSL_SWITCH='n', right?
     
  7. eva2000
    Yup typo
     
  8. eva2000
    Update: according to CVE-2017-3736 - Red Hat Customer Portal, it affects Redhat / CentOS 7 only, so waiting on CentOS 7 yum updates for the system openssl packages while Centmin Mod Nginx openssl is updated via the 1st post instructions.