
Security OpenSSL 1.0.2e & Updating Centmin Mod Nginx SSL Support

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Dec 4, 2015.

Thread Status:
Not open for further replies.
    eva2000 (Administrator, Staff Member)

    OpenSSL 1.0.2e Release Information



    Note: Centmin Mod Nginx from 1.2.3-eva2000.08 (123.08stable) onwards is by default compiled against LibreSSL 2.2 instead of OpenSSL 1.0.2e, so the Centmin Mod Nginx side generally doesn't need updating. But the CentOS system OpenSSL may need updates.

    OpenSSL 1.0.2e update and security advisories outlined at http://openssl.org/news/secadv/20151203.txt for the following:
    • BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
    • Certificate verify crash with missing PSS parameter (CVE-2015-3194)
    • X509_ATTRIBUTE memory leak (CVE-2015-3195)
    • Race condition handling PSK identity hint (CVE-2015-3196)

    Centmin Mod LEMP Upgrade OpenSSL 1.0.2e



    For Centmin Mod LEMP stack 1.2.3-eva2000.08 stable and higher, there are two parts to updating OpenSSL: the system YUM package back-ported update, plus the Nginx OpenSSL static compilation for the front-facing Nginx server and https/SSL. Updating to OpenSSL 1.0.2e is the exact same approach as outlined at Nginx - Updating OpenSSL 1.0.1K for Centmin Mod.

    For Centmin Mod 1.2.3-eva2000.08 stable you need to do 2 updates:
    1. System OpenSSL update for CentOS
    2. Nginx recompile with OPENSSL_VER='1.0.2e' specified in centmin.sh
    Centmin Mod Nginx doesn't use the system OpenSSL and is compiled statically, so the check command below will return nothing for Centmin Mod Nginx. There's a reason why Centmin Mod Nginx is compiled against a statically linked OpenSSL version.

    Code:
     ldd `which nginx` | grep ssl
    will come back empty for Centmin Mod Nginx based servers.

    Note: for Nginx 1.7.9 updates you need to update your ngx_cache_purge version too - otherwise Nginx 1.7.9 installs will fail to compile properly. Details here.

    System OpenSSL update for CentOS



    • BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
    • Certificate verify crash with missing PSS parameter (CVE-2015-3194)
    • X509_ATTRIBUTE memory leak (CVE-2015-3195)
    • Race condition handling PSK identity hint (CVE-2015-3196)

    Note:
    • Usually Red Hat and CentOS back-port patches, so you will see something like OpenSSL 1.0.1e-XX, where XX is the incremented release number containing the fixed patches. Will update this post once Red Hat/CentOS have an updated YUM package.
    Also, sometimes Red Hat or CentOS system versions won't be affected by the bugs/security issues listed for the OpenSSL source. You have to read each CVE* listing on the Red Hat and CentOS bug trackers to see if they apply or not.


    CentOS/Redhat system OpenSSL updates

    For auto daily updates check out yum-cron for auto updates.

    Code:
    yum list updates -q | grep openssl
    
    Code:
    rpm -qa --changelog openssl | head -n11
    
    To update
    Code:
    yum -y update
    Note: after the system update you need to reboot your server to ensure all services which use OpenSSL also use the updated version.
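Because a back-ported build keeps the 1.0.1e version string, the package version alone does not tell you which of the four advisory CVEs it fixes. The shell functions below are an added example (not from the post or from Centmin Mod) that read the changelog text `rpm -q --changelog openssl` prints and report which CVE ids it does not mention; the changelog excerpt is constructed, not a real vendor entry.

```shell
#!/bin/sh
# Added example, not from the original post: read an OpenSSL RPM changelog
# (the text `rpm -q --changelog openssl` prints) and report which advisory
# CVE ids it does not mention. A backported build keeps the 1.0.1e version
# string, so the changelog, not the version number, shows what is fixed.

# Print every CVE id found in changelog text on stdin, one per line, sorted.
cves_in_changelog() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Print each CVE id given as an argument that the changelog on stdin does not
# mention; return 0 when all are mentioned, 1 otherwise.
# Usage: rpm -q --changelog openssl | missing_cves CVE-2015-3194 CVE-2015-3195
missing_cves() {
    found=$(cves_in_changelog)
    rc=0
    for cve in "$@"; do
        if ! printf '%s\n' "$found" | grep -qxF "$cve"; then
            echo "$cve"
            rc=1
        fi
    done
    return $rc
}

# Constructed changelog excerpt in rpm's changelog style; not a real vendor entry.
SAMPLE_CHANGELOG='* Mon Dec 07 2015 Example Maintainer <maintainer@example.invalid> 1.0.1e-51.1
- fix CVE-2015-3194 - certificate verify crash with missing PSS parameter
- fix CVE-2015-3195 - X509_ATTRIBUTE memory leak
- fix CVE-2015-3196 - race condition when handling PSK identity hint'

# The four ids from the 1.0.2e advisory. An id that is not mentioned may mean
# the fix is not yet shipped or that the distro build was never affected; the
# Red Hat / CentOS bug tracker entry for that CVE settles which, as the post says.
if printf '%s\n' "$SAMPLE_CHANGELOG" \
    | missing_cves CVE-2015-3193 CVE-2015-3194 CVE-2015-3195 CVE-2015-3196; then
    echo "all advisory CVEs mentioned in changelog"
else
    echo "the ids above are not mentioned in the changelog"
fi
```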

    Nginx recompile with OPENSSL_VER='1.0.2e'



    Note: Centmin Mod Nginx from 1.2.3-eva2000.08 (123.08stable) onwards is by default compiled against LibreSSL 2.2 instead of OpenSSL 1.0.2e, so the Centmin Mod Nginx side generally doesn't need updating. But the CentOS system OpenSSL may need updates.

    To update, if you are using OpenSSL and not the default Centmin Mod Nginx LibreSSL, edit your centmin.sh file and

    change
    Code:
    OPENSSL_VERSION='1.0.2d'
    
    to
    Code:
    OPENSSL_VERSION='1.0.2e'
    
    Then save centmin.sh and run centmin.sh,

    or use sed to replace 1.0.2d with 1.0.2e:
    Code:
    sed -i "s/OPENSSL_VERSION='1.0.2d'/OPENSSL_VERSION='1.0.2e'/" centmin.sh
    Check that OPENSSL_VERSION='1.0.2e' is now set:
    Code:
    grep ^OPENSSL centmin.sh
    OPENSSL_VERSION='1.0.2e'   # Use this version of OpenSSL
    Code:
    ./centmin.sh
    
    1. Select menu option #4 to upgrade/downgrade Nginx.
    2. When prompted to select yes or no for the YUM checks, select NO (really, the system OpenSSL update step above wouldn't be needed if you select yes to the YUM checks here ;) ).
    3. Then, when prompted, specify Nginx version = 1.9.7.
    4. For Centmin Mod .08 stable users: when prompted for the OpenSSL recompile, select YES. Centmin Mod .08+ beta changed this to auto-recompile only if the OpenSSL version defined in centmin.sh differs from the statically compiled OpenSSL version of the running Nginx server. Centmin Mod .08 beta users can manually work around this by editing inc/nginx_upgrade.inc line 154 and setting it to recompileopenssl='y' before running centmin.sh menu option 4.
    5. Let the Nginx recompile run to completion; it should say Nginx installed successfully.
    6. Check that Nginx was compiled against 1.0.2e using the nginx -V command.
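The two checks this post relies on, the empty `ldd | grep ssl` result and the `built with` line of `nginx -V`, can be scripted. The shell functions below are an added example (not part of the original post or of Centmin Mod); the `nginx -V` and `ldd` outputs they are run against are constructed samples, and the live commands are shown in the usage comments.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a Centmin Mod nginx
# binary is statically linked against the expected TLS library version.

# Print "<Library> <version>" from `nginx -V 2>&1` text on stdin, e.g.
# "OpenSSL 1.0.2e" or "LibreSSL 2.2.4"; prints nothing if no such line exists.
tls_lib_from_nginx_v() {
    awk '/^built with (OpenSSL|LibreSSL) / { print $3, $4; exit }'
}

# Return 0 if the nginx -V text on stdin reports the given library and version.
# Usage: nginx -V 2>&1 | nginx_built_with OpenSSL 1.0.2e
nginx_built_with() {
    [ "$(tls_lib_from_nginx_v)" = "$1 $2" ]
}

# Return 0 if the ldd text on stdin lists no shared libssl/libcrypto, i.e. the
# TLS library is compiled into the binary (the Centmin Mod case); 1 otherwise.
# Usage: ldd "$(command -v nginx)" | ssl_statically_linked
ssl_statically_linked() {
    ! grep -qiE 'lib(ssl|crypto)\.so'
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_NGINX_V_OPENSSL='nginx version: nginx/1.9.7
built by gcc 4.8.5 (GCC)
built with OpenSSL 1.0.2e 3 Dec 2015
TLS SNI support enabled'
SAMPLE_NGINX_V_LIBRESSL='nginx version: nginx/1.9.7
built with LibreSSL 2.2.4
TLS SNI support enabled'
SAMPLE_LDD_STATIC='    libpthread.so.0 => /lib64/libpthread.so.0
    libc.so.6 => /lib64/libc.so.6'
SAMPLE_LDD_DYNAMIC='    libssl.so.10 => /lib64/libssl.so.10
    libcrypto.so.10 => /lib64/libcrypto.so.10
    libc.so.6 => /lib64/libc.so.6'

# Run the checks against the constructed samples.
printf '%s\n' "$SAMPLE_NGINX_V_OPENSSL" | nginx_built_with OpenSSL 1.0.2e \
    && echo "sample 1: built with OpenSSL 1.0.2e"
printf '%s\n' "$SAMPLE_NGINX_V_LIBRESSL" | nginx_built_with OpenSSL 1.0.2e \
    || echo "sample 2: not OpenSSL 1.0.2e (default LibreSSL build)"
printf '%s\n' "$SAMPLE_LDD_DYNAMIC" | ssl_statically_linked \
    || echo "sample 3: dynamically linked, the system OpenSSL update applies"
```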
     