Security OpenSSL 1.0.2c & LibreSSL 2.2.0 Released & Updating Centmin Mod Nginx SSL Support

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jun 11, 2015.

  1. eva2000


    OpenSSL 1.0.2c & LibreSSL 2.2.0 Release Information



    From Openssl.org for OpenSSL 1.0.2b and OpenSSL 1.0.2c specifically

    From Redhat (applies to CentOS)

    Centmin Mod LEMP Upgrade OpenSSL 1.0.2c



    For LibreSSL 2.2.0 read here.

    For Centmin Mod LEMP stack 1.2.3-eva2000.07 stable, there are 2 parts to updating OpenSSL - system YUM package back ported update + Nginx OpenSSL static compilation for front facing Nginx server and https/SSL. Updating to OpenSSL 1.0.2c is the exact same approach as outlined at Nginx - Updating OpenSSL 1.0.1K for Centmin Mod.

    For Centmin Mod 1.2.3-eva2000.07 stable you need to do 2 updates:
    1. System OpenSSL update for CentOS
    2. Nginx recompile with OPENSSL_VER='1.0.2c' specified in centmin.sh
    Centmin Mod Nginx doesn't use system OpenSSL and is compiled statically - the check command below will return blank/nothing for Centmin Mod Nginx. There's a reason why Centmin Mod Nginx is compiled against a statically linked OpenSSL version.

    Code:
    ldd `which nginx` | grep ssl
    will come back empty for Centmin Mod Nginx based servers.

    Note: for Nginx 1.7.9 updates you need to update your ngx_cache_purge version too - otherwise Nginx 1.7.9 installs will fail to compile properly. Details here.

    System OpenSSL update for CentOS



    Note: after system update you need to reboot your server to ensure all services which use OpenSSL also use the updated version.

    Usually Redhat and CentOS back port patches so you will see something like OpenSSL 1.0.1e-XX where XX is incremented version number with fixed patches. Will update this post once Redhat/CentOS have an updated YUM package.

    Also sometimes Redhat or CentOS system versions won't be affected by the OpenSSL source listed bugs/security issues. You have to read each CVE* listing on Red Hat and CentOS bug trackers to see if they apply or not.

    CentOS/Redhat system OpenSSL updates

    For auto daily updates check out yum-cron for auto updates.

    Code:
    yum list updates -q | grep openssl
    TBA
    
    Code:
    rpm -qa --changelog openssl | head -n11
    TBA
    To update
    Code:
    yum -y update
    Note: after system update you need to reboot your server to ensure all services which use OpenSSL also use the updated version.

    Nginx recompile with OPENSSL_VER='1.0.2c'



    Note: for Nginx 1.7.9 updates you need to update your ngx_cache_purge version too - otherwise Nginx 1.7.9 installs will fail to compile properly. Details here.

    To do this edit your centmin.sh file and

    change
    Code:
    OPENSSL_VERSION='1.0.2a'   # Use this version of OpenSSL
    
    to
    Code:
    OPENSSL_VERSION='1.0.2c'   # Use this version of OpenSSL
    
    Then save centmin.sh. Then run centmin.sh

    or use sed to replace 1.0.2a to 1.0.2c
    Code:
    sed -i "s/OPENSSL_VERSION='1.0.2a'/OPENSSL_VERSION='1.0.2c'/" centmin.sh
    check if OPENSSL_VERSION='1.0.2c'
    Code:
    grep ^OPENSSL centmin.sh
    OPENSSL_VERSION='1.0.2c'   # Use this version of OpenSSL
    Code:
    ./centmin.sh
    
    1. select menu option #4 to upgrade/downgrade Nginx
    2. when prompted select yes or no from YUM checks, select NO (really system OpenSSL update step above wouldn't be needed if you select yes to YUM checks here ;) )
    3. then when prompted specify Nginx version = 1.9.1
    4. For Centmin Mod .07 stable users when prompted for OpenSSL recompile select YES. Centmin Mod .08+ beta changed it to auto recompile only if OpenSSL version defined in centmin.sh differed from the Nginx running server's statically compiled OpenSSL version. For Centmin Mod .08 beta users they can manually work around this by editing inc/nginx_upgrade.inc line 154 and setting it to recompileopenssl='y' before running centmin.sh menu option 4
    5. let Nginx recompile run to completion, it should say Nginx installed successfully
    6. Check if Nginx compiled against 1.0.2c using the nginx -V command
    should see

     
    Last edited: Jun 13, 2015
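    The two checks this post relies on, as an added example that is not Centmin Mod's own code: the static-link test (ldd output with no libssl/libcrypto dependency) and the .08 beta style "recompile only if the version pinned in centmin.sh differs from what nginx -V reports". The variable names OPENSSL_VERSION, LIBRESSL_VERSION and LIBRESSL_SWITCH follow the thread; the nginx -V and ldd outputs it reads are constructed samples written to a temp directory, so it runs offline. On a real server you would feed it the actual centmin.sh plus saved `nginx -V 2>&1` and `ldd $(which nginx)` output.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own code. Decides whether Nginx needs an
# OpenSSL/LibreSSL recompile by comparing the version pinned in centmin.sh
# with the library Nginx was statically built against, and checks that Nginx
# is not dynamically linked to the system OpenSSL. Sample inputs are constructed.

# Version pinned in a centmin.sh file ($1): LibreSSL when LIBRESSL_SWITCH='y',
# otherwise OpenSSL (variable names as used in the thread).
pinned_ssl_version() {
    switch=$(sed -n "s/^LIBRESSL_SWITCH='\([yn]\)'.*/\1/p" "$1")
    if [ "$switch" = "y" ]; then
        sed -n "s/^LIBRESSL_VERSION='\([^']*\)'.*/\1/p" "$1"
    else
        sed -n "s/^OPENSSL_VERSION='\([^']*\)'.*/\1/p" "$1"
    fi
}

# Library version from saved `nginx -V 2>&1` output ($1): the
# "built with OpenSSL 1.0.2c ..." or "built with LibreSSL 2.2.0" line, 4th field.
built_ssl_version() {
    awk '$1 == "built" && $2 == "with" && ($3 == "OpenSSL" || $3 == "LibreSSL") { print $4; exit }' "$1"
}

# Exit 0 when a recompile is needed (pinned version != built version), else 1.
needs_recompile() {
    [ "$(pinned_ssl_version "$1")" != "$(built_ssl_version "$2")" ]
}

# Exit 0 when saved `ldd $(which nginx)` output ($1) shows a dynamic libssl /
# libcrypto dependency, i.e. Nginx is NOT using a statically compiled library.
links_system_ssl() {
    grep -Eq 'libssl|libcrypto' "$1"
}

# --- constructed sample inputs -------------------------------------------
SAMPLE_DIR=$(mktemp -d)

SAMPLE_CENTMIN_LIBRESSL="$SAMPLE_DIR/centmin-libressl.sh"
cat > "$SAMPLE_CENTMIN_LIBRESSL" <<'EOF'
# LibreSSL
LIBRESSL_SWITCH='y'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
LIBRESSL_VERSION='2.2.0'   # Use this version of LibreSSL http://www.libressl.org/
OPENSSL_VERSION='1.0.2c'   # Use this version of OpenSSL
EOF

# Same file with the switch flipped back to OpenSSL.
SAMPLE_CENTMIN_OPENSSL="$SAMPLE_DIR/centmin-openssl.sh"
sed "s/^LIBRESSL_SWITCH='y'/LIBRESSL_SWITCH='n'/" "$SAMPLE_CENTMIN_LIBRESSL" > "$SAMPLE_CENTMIN_OPENSSL"

# nginx -V from a server still built against LibreSSL 2.1.6 (constructed).
SAMPLE_NGINX_V_OLD="$SAMPLE_DIR/nginx-V-libressl-2.1.6.txt"
cat > "$SAMPLE_NGINX_V_OLD" <<'EOF'
nginx version: nginx/1.9.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC)
built with LibreSSL 2.1.6
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-openssl=../portable-2.1.6
EOF

# nginx -V from a server already on OpenSSL 1.0.2c (constructed).
SAMPLE_NGINX_V_NEW="$SAMPLE_DIR/nginx-V-openssl-1.0.2c.txt"
cat > "$SAMPLE_NGINX_V_NEW" <<'EOF'
nginx version: nginx/1.9.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC)
built with OpenSSL 1.0.2c 12 Jun 2015
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-openssl=../openssl-1.0.2c
EOF

# ldd of a statically compiled Nginx: no libssl/libcrypto lines (constructed).
SAMPLE_LDD_STATIC="$SAMPLE_DIR/ldd-static.txt"
cat > "$SAMPLE_LDD_STATIC" <<'EOF'
	linux-vdso.so.1 =>  (0x00007fff2b5ff000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f1d3a2f4000)
	libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f1d3a0bd000)
	libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f1d39e8e000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f1d39c78000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f1d398e4000)
EOF

# ldd of a distro nginx package linked to system OpenSSL (constructed).
SAMPLE_LDD_DYNAMIC="$SAMPLE_DIR/ldd-dynamic.txt"
cat > "$SAMPLE_LDD_DYNAMIC" <<'EOF'
	libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f0c5b9a6000)
	libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f0c5b5c4000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0c5b230000)
EOF

# Stand-alone run: report what each centmin.sh / nginx -V pair implies.
for pair in "$SAMPLE_CENTMIN_LIBRESSL:$SAMPLE_NGINX_V_OLD" "$SAMPLE_CENTMIN_OPENSSL:$SAMPLE_NGINX_V_NEW"; do
    cfg=${pair%%:*}; nv=${pair#*:}
    if needs_recompile "$cfg" "$nv"; then
        echo "recompile needed: pinned $(pinned_ssl_version "$cfg") != built $(built_ssl_version "$nv")"
    else
        echo "up to date: built with $(built_ssl_version "$nv")"
    fi
done
links_system_ssl "$SAMPLE_LDD_STATIC" && echo "WARNING: nginx links system OpenSSL" || echo "nginx SSL is statically compiled"
```

    The version comparison is a plain string match, which is what matters here: a patch letter bump such as 1.0.2a to 1.0.2c is exactly the change you want to trigger a recompile, and the ldd check is the same `ldd \`which nginx\` | grep ssl` test from the post, just made explicit about libssl/libcrypto.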
  2. eva2000


    Centmin Mod 1.2.3-eva2000.08 beta03+ LibreSSL



    While Centmin Mod 1.2.3-eva2000.07 stable uses OpenSSL for Nginx compile, Centmin Mod .08 beta03 has switched from OpenSSL to LibreSSL, so it is no longer reliant on OpenSSL for Nginx. Full details of Nginx + LibreSSL here. Currently, LibreSSL 2.1.6 is used with LibreSSL 2.2.0 coming soon - LibreSSL 2.2.0 is now a stable release http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.0-relnotes.txt.

    Github LibreSSL changelog portable/ChangeLog at master · libressl-portable/portable · GitHub

    When LibreSSL 2.2.0 is stable, make sure the tagged version is available on Github Tags · libressl-portable/portable · GitHub and then you can update it via editing centmin.sh

    from
    Code:
    # LibreSSL
    LIBRESSL_SWITCH='y'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
    LIBRESSL_VERSION='2.1.6'   # Use this version of LibreSSL http://www.libressl.org/
    to
    Code:
    # LibreSSL
    LIBRESSL_SWITCH='y'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
    LIBRESSL_VERSION='2.2.0'   # Use this version of LibreSSL http://www.libressl.org/
    And then select centmin.sh menu option #4 to upgrade/downgrade Nginx and recompile Nginx. For example:

    More details on Centmin Mod .08 beta03 release here.

    LibreSSL 2.2.0



    Looks like LibreSSL 2.2.0 also fixes these security bugs CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1792, and CVE-2015-1791 from LibreSSL/history - FreeBSD Wiki

     
    Last edited: Jun 13, 2015
  3. eva2000


    LibreSSL 2.2.0 on Centmin Mod .08 beta03 Only



    LibreSSL 2.2.0 stable also released http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.0-relnotes.txt. You can update Centmin Mod .08 beta03 as per LibreSSL 2.1.6 to 2.2.0 instructions.

    Edit: seems Github hasn't updated to LibreSSL 2.2.0 tagged version yet so upgrades might not work yet Tags · libressl-portable/portable · GitHub. Once you see tagged LibreSSL 2.2.0 available, you should be able to update it.

    If you can't wait for LibreSSL tagged 2.2.0 release, you still have the option to switch back to OpenSSL by editing centmin.sh and changing LIBRESSL_SWITCH='y' to LIBRESSL_SWITCH='n' and OPENSSL_VER='1.0.2c', then run centmin.sh menu option 4 to recompile Nginx with OpenSSL 1.0.2c :)

    Edit 2: Seems LibreSSL portable github master branch is LibreSSL 2.2.0, so you can manually download it to /svr-setup before editing LIBRESSL_VERSION='2.2.0' and running centmin.sh menu option 4 to recompile Nginx.

    Manually download and rename LibreSSL Portable 2.2.0 master to the name format that centmin.sh expects.
    Code:
    wget -O /svr-setup/libressl-portable-v2.2.0.tar.gz https://github.com/libressl-portable/portable/archive/master.tar.gz
    cd /svr-setup
    tar xvzf libressl-portable-v2.2.0.tar.gz
    mv /svr-setup/portable-master /svr-setup/portable-2.2.0
     
    Last edited: Jun 13, 2015
  4. Steve Tozer

    LibreSSL tag for new version on github seems to have been updated now
     
  5. eva2000

  6. eva2000

    New high severity bug fix with release of OpenSSL 1.0.2d and 1.0.1p due this Thursday July 9th, 2015 [openssl-announce] Forthcoming OpenSSL releases Here we go again :)

    Looks like LibreSSL 2.2.1 is shaping up too portable/ChangeLog at master · libressl-portable/portable · GitHub
     
  7. eva2000
