Security OpenSSL 1.0.2d & LibreSSL 2.2.1 Released & Updating Centmin Mod Nginx SSL Support

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jul 8, 2015.

  1. eva2000

    eva2000 Administrator Staff Member


    OpenSSL 1.0.2d & LibreSSL 2.2.1 Release Information



    Redhat/CentOS system OpenSSL isn't affected by the CVE-2015-1793 flaw, but for Centmin Mod users the Nginx statically compiled OpenSSL would need updating - see below for instructions via centmin.sh menu option 4.


    From Openssl.org for OpenSSL 1.0.2d and OpenSSL 1.0.1p specifically

    RedHat/CentOS System OpenSSL Not Affected



    From Redhat (applies to CentOS)
    • OpenSSL: Alternative chains certificate forgery vulnerability (CVE-2015-1793) - Red Hat Customer Portal - No Red Hat products are affected by the CVE-2015-1793 flaw. No actions need to be performed to fix or mitigate this issue in any way.
      • The OpenSSL project has published information about an important vulnerability (CVE-2015-1793) affecting openssl versions 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c.
      • These upstream versions have only been available for a month, and given Red Hat's policy of performing careful backports of important bug fixes and selected features, this functionality is not present in any version of OpenSSL shipped in any Red Hat product.

    Centmin Mod LEMP Upgrade OpenSSL 1.0.2d



    For LibreSSL 2.2.1 read here.

    For Centmin Mod LEMP stack 1.2.3-eva2000.07 stable, there are 2 parts to updating OpenSSL - the system YUM package back ported update + the Nginx OpenSSL static compilation for the front facing Nginx server and https/SSL. Updating to OpenSSL 1.0.2d is the exact same approach as outlined at Nginx - Updating OpenSSL 1.0.1K for Centmin Mod

    For Centmin Mod 1.2.3-eva2000.07 stable you need to do 2 updates:
    1. System OpenSSL update for CentOS
    2. Nginx recompile with OPENSSL_VERSION='1.0.2d' specified in centmin.sh
    Centmin Mod Nginx doesn't use system OpenSSL and is compiled statically - the check command below will return blank/nothing for Centmin Mod Nginx. There's a reason why Centmin Mod Nginx is compiled against a statically linked OpenSSL version.

    Code:
     ldd `which nginx` | grep ssl
    will come back empty for Centmin Mod Nginx based servers.

    Note: for Nginx 1.7.9 updates you need to update your ngx_cache_purge version too - otherwise Nginx 1.7.9 installs will fail to compile properly. Details here.

    System OpenSSL update for CentOS



    Note:
    • No Red Hat products are affected by the CVE-2015-1793 flaw. No actions need to be performed to fix or mitigate this issue in any way.
    • After system update you need to reboot your server to ensure all services which use OpenSSL also use the updated version.
    Usually Redhat and CentOS back port patches, so you will see something like OpenSSL 1.0.1e-XX where XX is an incremented version number with fixed patches. Will update this post once Redhat/CentOS have an updated YUM package.

    Also, sometimes Redhat or CentOS system versions won't be affected by the bugs/security issues listed against the OpenSSL source. You have to read each CVE* listing on the Red Hat and CentOS bug trackers to see if they apply or not.

    CentOS/Redhat system OpenSSL updates

    For auto daily updates check out yum-cron for auto updates.

    Code:
    yum list updates -q | grep openssl
    n/a not affected by CVE-2015-1793 flaw
    
    Code:
    rpm -qa --changelog openssl | head -n11
    n/a not affected by CVE-2015-1793 flaw
    To update
    Code:
    yum -y update
    Note: after system update you need to reboot your server to ensure all services which use OpenSSL also use the updated version.

    Nginx recompile with OPENSSL_VERSION='1.0.2d'



    Note: for Nginx 1.7.9 updates you need to update your ngx_cache_purge version too - otherwise Nginx 1.7.9 installs will fail to compile properly. Details here.

    To do this edit your centmin.sh file and

    change
    Code:
    OPENSSL_VERSION='1.0.2c'
    
    to
    Code:
    OPENSSL_VERSION='1.0.2d'
    
    Then save centmin.sh and run centmin.sh

    or use sed to replace 1.0.2c with 1.0.2d
    Code:
    sed -i "s/OPENSSL_VERSION='1.0.2c'/OPENSSL_VERSION='1.0.2d'/" centmin.sh
    check if OPENSSL_VERSION='1.0.2d'
    Code:
    grep ^OPENSSL centmin.sh
    OPENSSL_VERSION='1.0.2d'   # Use this version of OpenSSL
    Code:
    ./centmin.sh
    
    1. select menu option #4 to upgrade/downgrade Nginx
    2. when prompted to select yes or no for YUM checks, select NO (really, the system OpenSSL update step above wouldn't be needed if you select yes to YUM checks here ;) )
    3. then when prompted specify Nginx version = 1.9.1
    4. For Centmin Mod .07 stable users, when prompted for OpenSSL recompile select YES. Centmin Mod .08+ beta changed it to auto recompile only if the OpenSSL version defined in centmin.sh differs from the running Nginx server's statically compiled OpenSSL version. Centmin Mod .08 beta users can manually work around this by editing inc/nginx_upgrade.inc line 154 and setting recompileopenssl='y' before running centmin.sh menu option 4
    5. let the Nginx recompile run to completion, it should say Nginx installed successfully
    6. Check if Nginx compiled against 1.0.2d using the nginx -V command
    you should see

    Last edited: Jul 10, 2015
  2. eva2000


    Centmin Mod 1.2.3-eva2000.08 beta03+ LibreSSL 2.2.1



    LibreSSL is not affected by CVE-2015-1793 flaw.

    While Centmin Mod 1.2.3-eva2000.07 stable uses OpenSSL for the Nginx compile, Centmin Mod .08 beta03 has switched from OpenSSL to LibreSSL, so it is no longer reliant on OpenSSL for Nginx. Full details of Nginx + LibreSSL here. LibreSSL 2.2.1 is now a stable release: http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.1-relnotes.txt.

    Github LibreSSL changelog portable/ChangeLog at master · libressl-portable/portable · GitHub

    When LibreSSL 2.2.1 is stable, make sure the tagged version is available on Github (Tags · libressl-portable/portable · GitHub) and then you can update it by editing centmin.sh

    from
    Code:
    # LibreSSL
    LIBRESSL_SWITCH='y'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
    LIBRESSL_VERSION='2.2.0'   # Use this version of LibreSSL http://www.libressl.org/
    to
    Code:
    # LibreSSL
    LIBRESSL_SWITCH='y'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
    LIBRESSL_VERSION='2.2.1'   # Use this version of LibreSSL http://www.libressl.org/
    or you can do it via sed replacement on centmin.sh within the centmin mod directory

    Code:
    cmdir
    sed -i "s|LIBRESSL_VERSION='2.2.0'|LIBRESSL_VERSION='2.2.1'|g" centmin.sh
    grep LIBRESSL_VERSION centmin.sh 
    And then select centmin.sh menu option #4 to upgrade/downgrade Nginx, which recompiles Nginx. For example:

    More details on Centmin Mod .08 beta03 release here.

    LibreSSL 2.2.1



    You'll find the latest LibreSSL 2.2.1 on the official site.

    Last edited: Jul 11, 2015
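    Added example (my own code, not Centmin Mod's and not from any post above): the checks from posts 1 and 2, written as POSIX shell functions that work on text so they can be run offline. It covers the `ldd` static-link test, reading the SSL library nginx was built with out of `nginx -V`, bumping OPENSSL_VERSION / LIBRESSL_VERSION in centmin.sh with sed (honouring LIBRESSL_SWITCH), and the .08 beta style "only recompile when the configured version differs from the running binary" decision. The ldd, nginx -V and centmin.sh samples are constructed, not captured from a real server, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Centmin Mod code. Every function takes its input as a string so the
# logic can be exercised offline; the live calls are shown at the bottom.

# True (exit 0) when ldd output lists no dynamic libssl/libcrypto, i.e. the SSL library is
# statically linked into the binary. $1 = output of `ldd $(which nginx)`.
ssl_is_static() {
  ! printf '%s\n' "$1" | grep -qE 'libssl|libcrypto'
}

# Print the SSL family (OpenSSL or LibreSSL) nginx was built with.
# $1 = output of `nginx -V 2>&1` (nginx -V writes to stderr, hence the redirect).
nginx_built_ssl_family() {
  printf '%s\n' "$1" | awk '/^built with (OpenSSL|LibreSSL) /{print $3; exit}'
}

# Print the SSL version nginx was built with ("built with OpenSSL 1.0.2c 12 Jun 2015" -> 1.0.2c).
nginx_built_ssl_version() {
  printf '%s\n' "$1" | awk '/^built with (OpenSSL|LibreSSL) /{print $4; exit}'
}

# Print the family centmin.sh is configured for: LibreSSL when LIBRESSL_SWITCH='y', else OpenSSL.
# $1 = contents of centmin.sh.
configured_ssl_family() {
  if printf '%s\n' "$1" | grep -q "^LIBRESSL_SWITCH='y'"; then echo LibreSSL; else echo OpenSSL; fi
}

# Print the version centmin.sh is configured for (LIBRESSL_VERSION or OPENSSL_VERSION).
configured_ssl_version() {
  if [ "$(configured_ssl_family "$1")" = LibreSSL ]; then _var=LIBRESSL_VERSION; else _var=OPENSSL_VERSION; fi
  printf '%s\n' "$1" | sed -n "s/^${_var}='\([^']*\)'.*/\1/p" | head -n 1
}

# Rewrite VAR='old' to VAR='new' in centmin.sh contents. Anchored at line start so only the
# real assignment changes, and not tied to a hard-coded old version like the sed in the posts.
# $1 = contents, $2 = variable name, $3 = new version.
bump_ssl_version() {
  printf '%s\n' "$1" | sed "s|^\($2\)='[^']*'|\1='$3'|"
}

# Print "yes" when Nginx must be recompiled: the family or version in centmin.sh differs from
# what the running binary was built with, or the built-with line cannot be found at all.
# $1 = nginx -V output, $2 = centmin.sh contents.
needs_recompile() {
  _bf=$(nginx_built_ssl_family "$1"); _bv=$(nginx_built_ssl_version "$1")
  _cf=$(configured_ssl_family "$2");  _cv=$(configured_ssl_version "$2")
  if [ -z "$_bv" ] || [ "$_bf" != "$_cf" ] || [ "$_bv" != "$_cv" ]; then echo yes; else echo no; fi
}

# Constructed sample inputs (not from a real server).
SAMPLE_LDD='    libpthread.so.0 => /lib64/libpthread.so.0
    libz.so.1 => /lib64/libz.so.1
    libc.so.6 => /lib64/libc.so.6'
SAMPLE_NGINX_V='nginx version: nginx/1.9.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)
built with OpenSSL 1.0.2c 12 Jun 2015
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-openssl=../openssl-1.0.2c'
SAMPLE_CENTMIN_SH="OPENSSL_VERSION='1.0.2c'   # Use this version of OpenSSL
# LibreSSL
LIBRESSL_SWITCH='n'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
LIBRESSL_VERSION='2.2.1'   # Use this version of LibreSSL http://www.libressl.org/"

# Bump the configured OpenSSL to 1.0.2d and see the recompile decision flip from no to yes.
UPDATED_CENTMIN_SH=$(bump_ssl_version "$SAMPLE_CENTMIN_SH" OPENSSL_VERSION 1.0.2d)

echo "SSL statically linked:  $(ssl_is_static "$SAMPLE_LDD" && echo yes || echo no)"
echo "nginx built with:       $(nginx_built_ssl_family "$SAMPLE_NGINX_V") $(nginx_built_ssl_version "$SAMPLE_NGINX_V")"
echo "centmin.sh before bump: $(configured_ssl_version "$SAMPLE_CENTMIN_SH") -> recompile: $(needs_recompile "$SAMPLE_NGINX_V" "$SAMPLE_CENTMIN_SH")"
echo "centmin.sh after bump:  $(configured_ssl_version "$UPDATED_CENTMIN_SH") -> recompile: $(needs_recompile "$SAMPLE_NGINX_V" "$UPDATED_CENTMIN_SH")"

# Live use on a Centmin Mod server (cmdir is the Centmin Mod shortcut into its directory):
#   ssl_is_static "$(ldd "$(which nginx)")" && echo static
#   cmdir && needs_recompile "$(nginx -V 2>&1)" "$(cat centmin.sh)"
```

    The family check matters when flipping LIBRESSL_SWITCH: a binary built with OpenSSL 1.0.2d and a centmin.sh configured for LibreSSL 2.2.1 is a recompile even though neither version string is "wrong", and an unparsable `nginx -V` is treated as a recompile rather than silently assumed current.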
  3. eva2000

    Example for updating Centmin Mod .08 beta 03's Nginx LibreSSL from 2.2.0 to 2.2.1

    Change into the Centmin Mod .08 beta03 directory /usr/local/src/centminmod-123.08beta03 (cmd shortcut = cmdir), sed replace the version number and check with grep
    Code:
    cmdir
    sed -i "s|LIBRESSL_VERSION='2.2.0'|LIBRESSL_VERSION='2.2.1'|g" centmin.sh
    grep LIBRESSL_VERSION centmin.sh 
    Then run centmin.sh menu option 4 to recompile Nginx 1.9.2

    (attachment: libressl221-update.gif)
  4. dorobo

    dorobo Active Member

  5. eva2000

    eva2000 Administrator Staff Member

    54,546
    12,221
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,790
    Local Time:
    1:30 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    doh need to update :)

    edit: updated now cheers :D

    I should switch it back to the official download url. The locally hosted one was from when openssl.org had downtime in the past heh. FYI, .08 beta03 latest already has the official openssl.org download link. Just .07 stable doesn't
    Last edited: Jul 10, 2015
  6. eva2000

    eva2000 Administrator Staff Member

    54,546
    12,221
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,790
    Local Time:
    1:30 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    LibreSSL 2.2.2 snuck up on us and was released 6 days ago (LibreSSL). Updating to LibreSSL 2.2.2 is the same as the upgrade steps outlined in post 2 above for LibreSSL 2.2.1 :)

    Fresh .08 stable installed fine :)

    Code:
    ---------------------------------------------------------------------------
    Total Curl Installer YUM Time: 96.9328 seconds
    Total YUM Time: 48.085138538 seconds
    Total YUM + Source Download Time: 75.3329
    Total Nginx First Time Install Time: 163.5489
    Total PHP First Time Install Time: 124.2385
    Download Zip From Github Time: 2.8755
    Total Time Other eg. source compiles: 210.7174
    Total Centmin Mod Install Time: 573.8377
    ---------------------------------------------------------------------------
    Total Install Time (curl yum + cm install + zip download): 673.6460 seconds
    ---------------------------------------------------------------------------
     
    Last edited: Aug 11, 2015
  7. rdan

    rdan Well-Known Member

    Will the stable branch have an update also?
  8. rdan

    rdan Well-Known Member

    5,446
    1,408
    113
    May 25, 2014
    Ratings:
    +2,201
    Local Time:
    11:30 AM
    Mainline
    10.2
  9. eva2000

    eva2000 Administrator Staff Member

    54,546
    12,221
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,790
    Local Time:
    1:30 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    yeah 123.08stable and 123.09beta01 got updated :)