Security OpenSSL 1.0.2f & Updating Centmin Mod Nginx SSL Support

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jan 26, 2016.

Thread Status:
Not open for further replies.
  1. eva2000 (Administrator, Staff Member)

    OpenSSL 1.0.2f Release Information

    OpenSSL folks are releasing OpenSSL 1.0.2f and 1.0.1r security updates on Jan 28, 2016 http://openssl.org/news/secadv/20160128.txt:
    • DH small subgroups (CVE-2016-0701) (Redhat/CentOS 5, 6 and 7 system OpenSSL yum package NOT vulnerable as applies to OpenSSL 1.0.2 only - however Centmin Mod Nginx may use OpenSSL 1.0.2 statically so needs an update if so)
    • SSLv2 doesn't block disabled ciphers (CVE-2015-3197) (Redhat rated low impact)
    • An update on DHE man-in-the-middle protection (Logjam)
    Note, Centmin Mod Nginx from 1.2.3-eva2000.08 (123.08stable) onwards is by default compiled against LibreSSL 2.2 instead of OpenSSL 1.0.2f, so it generally doesn't need updating on the Centmin Mod Nginx side. But CentOS system OpenSSL may need updates. However, LibreSSL 2.2.6 has been released too - Security - LibreSSL 2.2.6 Security Fix Release | Centmin Mod Community

    Centmin Mod LEMP Upgrade OpenSSL 1.0.2f

    For Centmin Mod LEMP stack 1.2.3-eva2000.08 stable and higher, there are 2 parts to updating OpenSSL - the system YUM package back ported update + the Nginx OpenSSL static compilation for the front facing Nginx server and https/SSL. Updating to OpenSSL 1.0.2f is the exact same approach as outlined at Nginx - Updating OpenSSL 1.0.1K for Centmin Mod

    For Centmin Mod 1.2.3-eva2000.08 stable you need to do 2 updates:
    1. System OpenSSL update for CentOS
    2. Nginx recompile with OPENSSL_VERSION='1.0.2f' specified in centmin.sh
    Centmin Mod Nginx doesn't use system OpenSSL and is compiled statically - the check command below will return blank/nothing for Centmin Mod Nginx. There's a reason why Centmin Mod Nginx is compiled against a statically linked OpenSSL version.

    Code:
    ldd `which nginx` | grep ssl
    will come back empty for Centmin Mod Nginx based servers.

    System OpenSSL update for CentOS

    Usually Redhat and CentOS back port patches, so you will see something like OpenSSL 1.0.1e-XX where XX is an incremented version number with the fixed patches. Will update this post once Redhat/CentOS have an updated YUM package.

    Also sometimes Redhat or CentOS system versions won't be affected by the OpenSSL source listed bugs/security issues. You have to read each CVE* listing on Red Hat and CentOS bug trackers to see if they apply or not.

    CentOS/Redhat system OpenSSL updates

    http://openssl.org/news/secadv/20160128.txt:
    • DH small subgroups (CVE-2016-0701) (Redhat/CentOS 5, 6 and 7 system OpenSSL yum package NOT vulnerable as applies to OpenSSL 1.0.2 only - however Centmin Mod Nginx may use OpenSSL 1.0.2 statically so needs an update if so)
    • SSLv2 doesn't block disabled ciphers (CVE-2015-3197) (Redhat rated low impact)
    • An update on DHE man-in-the-middle protection (Logjam)

    For auto daily updates check out yum-cron for auto updates.

    Code:
    yum list updates -q | grep openssl
    
    Code:
    rpm -qa --changelog openssl | head -n11
    
    To update
    Code:
    yum -y update
    Note: after system update you need to reboot your server to ensure all services which use OpenSSL also use the updated version.

    Nginx recompile with OPENSSL_VERSION='1.0.2f'

    Note, Centmin Mod Nginx from 1.2.3-eva2000.08 (123.08stable) onwards is by default compiled against LibreSSL 2.2 instead of OpenSSL 1.0.2f, so it generally doesn't need updating on the Centmin Mod Nginx side. But CentOS system OpenSSL may need updates. However, LibreSSL 2.2.6 has been released too.

    To update if you are using OpenSSL and not the default Centmin Mod Nginx LibreSSL, edit your centmin.sh file and

    change
    Code:
    OPENSSL_VERSION='1.0.2e'

    to
    Code:
    OPENSSL_VERSION='1.0.2f'

    Then save centmin.sh. Then run centmin.sh

    or use sed to replace 1.0.2e with 1.0.2f
    Code:
    sed -i "s/OPENSSL_VERSION='1.0.2e'/OPENSSL_VERSION='1.0.2f'/" centmin.sh
    check if OPENSSL_VERSION='1.0.2f'
    Code:
    grep ^OPENSSL centmin.sh
    OPENSSL_VERSION='1.0.2f'   # Use this version of OpenSSL
    Code:
    ./centmin.sh
    
    1. select menu option #4 to upgrade/downgrade Nginx
    2. when prompted to select yes or no for YUM checks, select NO (really, the system OpenSSL update step above wouldn't be needed if you select yes to YUM checks here ;) )
    3. then when prompted specify Nginx version = 1.9.9
    4. For Centmin Mod .08 stable users, when prompted for OpenSSL recompile select YES. Centmin Mod .08+ beta changed it to auto recompile only if the OpenSSL version defined in centmin.sh differed from the running Nginx server's statically compiled OpenSSL version. Centmin Mod .08 beta users can manually work around this by editing inc/nginx_upgrade.inc line 154 and setting it to recompileopenssl='y' before running centmin.sh menu option 4
    5. let the Nginx recompile run to completion, it should say Nginx installed successfully
    6. Check if Nginx compiled against 1.0.2f using the nginx -V command
     
    Last edited: Jan 29, 2016
  2. eva2000 (Administrator, Staff Member)

    OpenSSL 1.0.2f Update for Centmin Mod Nginx

    OpenSSL 1.0.2f is out https://community.centminmod.com/threads/openssl-1-0-2f-updating-centmin-mod-nginx-ssl-support.5866/

    Updated both Centmin Mod 123.08stable and 123.09beta01 builds for OpenSSL 1.0.2f release for Centmin Mod Nginx folks who may use OpenSSL 1.0.2 (123.08stable and higher default to using LibreSSL instead of OpenSSL, unless you use Phusion Passenger addon which reverts Centmin Mod Nginx back from LibreSSL to OpenSSL 1.0.2).

    To update Centmin Mod Nginx, read instructions here or below.

    http://openssl.org/news/secadv/20160128.txt
    To update your Centmin Mod builds follow instructions at centminmod.com/upgrade.html and respective version threads below:

    Upgrading Centmin Mod Code to Latest Version

    Upgrading Centmin Mod involves 2 parts.
    1. Upgrading the actual Centmin Mod code outlined at Upgrade Centmin Mod - CentminMod.com LEMP Nginx web stack for CentOS. This is the heart of Centmin Mod, where the code is the engine that runs the centmin.sh shell based menu and all the automation you're accustomed to.
    2. Upgrade software that Centmin Mod installed or manages. For this part follow the outline at Upgrade - How to upgrade Centmin Mod. In this case, after updating the Centmin Mod code, read the instructions here and run centmin.sh menu option 4 to recompile Nginx, which already has the centmin.sh variable updated to 1.0.2f
      Code:
      OPENSSL_VERSION='1.0.2f'
     
    Last edited: Jan 29, 2016
  3. eva2000 (Administrator, Staff Member)
    You can tell if your Centmin Mod Nginx is using OpenSSL or LibreSSL via the output of the SSH command
    Code:
    nginx -V
    If using LibreSSL, the built with line will list such
    Code:
    nginx -V
    nginx version: nginx/1.9.10
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with LibreSSL 2.2.6
    If using OpenSSL, the built with line will list such
    Code:
    nginx -V
    nginx version: nginx/1.9.10
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with OpenSSL 1.0.2f  28 Jan 2016

    Last edited: Jan 29, 2016
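The checks from the first post (the `ldd` static-link test, the sed edit of `OPENSSL_VERSION` in centmin.sh) and the `nginx -V` inspection from the post above, put together as one added shell example that is not Centmin Mod's own code. It parses the "built with" line to tell an OpenSSL build from a LibreSSL build, decides whether a recompile against 1.0.2f is needed (only when nginx was statically built with an OpenSSL version that differs from 1.0.2f, matching the .08+ beta auto-recompile rule), and performs the centmin.sh edit with the sed pattern anchored to the whole assignment so it also works when the old value is not exactly 1.0.2e. The sample `nginx -V` outputs and the centmin.sh fragment are constructed for the example; function names are the example's own, and GNU sed is assumed for `sed -i`.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own code. Assumes GNU sed (-i) and that
# "nginx -V" prints the "built with ..." line shown in the thread.

TARGET_OPENSSL='1.0.2f'   # release this thread is about

# Constructed samples of "nginx -V 2>&1" output for the two build types the
# thread shows; on a real server pipe the command's output in instead.
SAMPLE_OPENSSL_OLD='nginx version: nginx/1.9.9
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with OpenSSL 1.0.2e  3 Dec 2015
TLS SNI support enabled'
SAMPLE_LIBRESSL='nginx version: nginx/1.9.10
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with LibreSSL 2.2.6
TLS SNI support enabled'

# The thread's static-link check: prints nothing for a Centmin Mod nginx
# because libssl is compiled in rather than loaded from the system.
ssl_dynamic_libs() {
    ldd "$1" 2>/dev/null | grep -i ssl
}

# tls_lib_from_nginx_v <nginx -V text> -> "OpenSSL 1.0.2e" or "LibreSSL 2.2.6"
tls_lib_from_nginx_v() {
    printf '%s\n' "$1" |
        sed -n 's/^built with \([A-Za-z]*SSL\) \([0-9][0-9A-Za-z.]*\).*/\1 \2/p'
}

# needs_openssl_update <nginx -V text>: true only for a statically linked
# OpenSSL whose version differs from TARGET_OPENSSL. LibreSSL builds are
# outside this update (the thread points them at the LibreSSL 2.2.6 release).
needs_openssl_update() {
    lib=$(tls_lib_from_nginx_v "$1")
    case "$lib" in
        "OpenSSL "*) [ "${lib#OpenSSL }" != "$TARGET_OPENSSL" ] ;;
        *)           return 1 ;;
    esac
}

# get_openssl_version <centmin.sh> -> current value of OPENSSL_VERSION
get_openssl_version() {
    sed -n "s/^OPENSSL_VERSION='\([^']*\)'.*/\1/p" "$1"
}

# set_openssl_version <centmin.sh> <version>: the thread's sed edit, anchored
# to the whole assignment so any prior value is replaced and the trailing
# comment survives; returns non-zero if the line is not there afterwards.
set_openssl_version() {
    sed -i "s/^OPENSSL_VERSION='[^']*'/OPENSSL_VERSION='$2'/" "$1" &&
        grep -q "^OPENSSL_VERSION='$2'" "$1"
}

# make_sample_centmin <path>: constructed fragment standing in for centmin.sh
make_sample_centmin() {
    cat > "$1" <<'EOF'
#!/bin/bash
# constructed centmin.sh fragment for the example
OPENSSL_VERSION='1.0.2e'   # Use this version of OpenSSL
EOF
}

# run_demo: walk the constructed inputs through the checks and print verdicts.
run_demo() {
    tmp=$(mktemp) || return 1
    make_sample_centmin "$tmp"
    for sample in "$SAMPLE_OPENSSL_OLD" "$SAMPLE_LIBRESSL"; do
        printf 'built with: %s -> ' "$(tls_lib_from_nginx_v "$sample")"
        if needs_openssl_update "$sample"; then
            echo "recompile with OPENSSL_VERSION='$TARGET_OPENSSL'"
        else
            echo "no OpenSSL $TARGET_OPENSSL update needed"
        fi
    done
    printf 'centmin.sh before: %s\n' "$(get_openssl_version "$tmp")"
    set_openssl_version "$tmp" "$TARGET_OPENSSL"
    printf 'centmin.sh after:  %s\n' "$(get_openssl_version "$tmp")"
    rm -f "$tmp"
}

run_demo
```

On a live server, replace the constructed samples with `nginx -V 2>&1` (the version banner goes to stderr) and point `set_openssl_version` at the real centmin.sh; `ssl_dynamic_libs "$(which nginx)"` printing nothing is the same result the thread's `ldd` one-liner gives for a statically linked build.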