Welcome to Centmin Mod Community
Become a Member

Security OpenSSL 1.0.2g & Updating Centmin Mod Nginx SSL Support

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jan 26, 2016.

Tags:
  1. eva2000

    eva2000 Administrator Staff Member

    30,131
    6,778
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,128
    Local Time:
    8:05 AM
    Nginx 1.13.x
    MariaDB 5.5

    OpenSSL 1.02g Release Information



    OpenSSL folks are releasing OpenSSL 1.0.2g and 1.0.1s security updates on March 1, 2016 http://openssl.org/news/secadv/20160301.txt:

    Notes:


    • Prior to Feb 25th, 2016, Centmin Mod Nginx from 1.2.3-eva2000.08 (123.08stable) onwards by default are compiled against LibreSSL 2.2 instead of OpenSSL 1.02g, so generally don't need updating for Centmin Mod Nginx side. But CentOS system OpenSSL may need updates.
    • After Feb 25th, 2016, Centmin Mod Nginx has switched back to being compiled against OpenSSL 1.0.2+ for out of box defaults due to Nginx 1.9.12 compatibility issues with LibreSSL.

    Centmin Mod LEMP Upgrade OpenSSL 1.02g



    For Centmin Mod LEMP stack 1.2.3-eva2000.08 stable and higher, there's 2 parts to updating OpenSSL - system YUM package back ported update + Nginx OpenSSL static compilation for front facing Nginx server and https/SSL. Updating to OpenSSL 1.02g is the exact same approach as outlined at Nginx - Updating OpenSSL 1.0.1K for Centmin Mod

    For Centmin Mod 1.2.3-eva2000.08 stable (123.08stable) and higher (including betas) you need to do 2 updates:
    1. System OpenSSL update for CentOS
    2. Nginx recompile with OPENSSL_VER='1.02g' specified in centmin.sh
    Centmin Mod Nginx doesn't use system OpenSSL and is compiled statically - check command below will return blank/nothing for Centmin Mod Nginx. There's a reason why Centmin Mod Nginx is compiled against a statically linked OpenSSL version.

    Code (Text):
     ldd `which nginx` | grep ssl


    will come back empty for Centmin Mod Nginx based servers.

    System OpenSSL update for CentOS



    Usually Redhat and CentOS back port patches so you will see something like OpenSSL 1.0.1e-XX where XX is incremented version number with fixed patches. Will update this post once Redhat/CentOS have an updated YUM package.

    Also sometimes Redhat or CentOS system versions won't be affected by the OpenSSL source listed bugs/security issues. You have to read each CVE* listing on Red Hat and CentOS bug trackers to see if they apply or not.

    CentOS/Redhat system OpenSSL updates

    Seems CentOS YUM OpenSSL updates are out too

    For CentOS 7
    • openssl 1.0.1e-51.el7_2.4
    Code (Text):
    rpm -qa --changelog openssl | head -n9
    * Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.4
    - fix CVE-2016-0702 - side channel attack on modular exponentiation
    - fix CVE-2016-0705 - double-free in DSA private key parsing
    - fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn
    
    * Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.3
    - fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
    - disable SSLv2 in the generic TLS method


    For CentOS 6
    • OpenSSL 1.0.1e-42.el6_7.4
    Code (Text):
    rpm -qa --changelog openssl | head -n9
    * Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.4
    - fix CVE-2016-0702 - side channel attack on modular exponentiation
    - fix CVE-2016-0705 - double-free in DSA private key parsing
    - fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn
    
    * Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.3
    - fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
    - disable SSLv2 in the generic TLS method


    For auto daily updates check out yum-cron for auto updates.

    Code (Text):
    yum list updates -q | grep openssl
    


    Code (Text):
    rpm -qa --changelog openssl | head -n11
    


    To update
    Code (Text):
    yum -y update

    Note: after system update you need to reboot your server to ensure all services which use OpenSSL also use the updated version.

    Nginx recompile with OPENSSL_VER='1.02g'



    • Prior to Feb 25th, 2016, Centmin Mod Nginx from 1.2.3-eva2000.08 (123.08stable) onwards by default are compiled against LibreSSL 2.2 instead of OpenSSL 1.02g, so generally don't need updating for Centmin Mod Nginx side. But CentOS system OpenSSL may need updates.
    • After Feb 25th, 2016, Centmin Mod Nginx has switched back to being compiled against OpenSSL 1.0.2+ for out of box defaults due to Nginx 1.9.12 compatibility issues with LibreSSL.

    To update if you are using OpenSSL and not the prior default Centmin Mod Nginx LibreSSL, edit your centmin.sh file variable for OPENSSL_VERSION. There's 2 ways to do that:
    1. Best way is to use centmin.sh menu option 23 submenu option 2 for auto updating Centmin Mod code as outlined at centminmod.com/upgrade.html and at https://community.centminmod.com/threads/new-08-beta-menu-option-updating-centmin-mod-via-git.3084/. If Centmin Mod code has been updated, that method will auto update centmin.sh to latest version which already has OPENSSL_VERSION='1.02g' set. After updating via git centmin.sh menu option 23 submenu options, verify in centmin.sh that OPENSSL_VERSION='1.02g' is set.
    2. If you do not have centmin.sh menu option 23 submenu option 1 for git environment setup or if centmin.sh doesn't have OPENSSL_VERSION='1.02g' set, then you need to manually update and edit your server copy of centmin.sh at /usr/local/src/centminmod/centmin.sh and

    change
    Code (Text):
    OPENSSL_VERSION='1.0.2f'
    

    to
    Code (Text):
    OPENSSL_VERSION='1.02g'
    

    Then save centmin.sh. Then run centmin.sh

    or use sed to replace 1.0.2f to 1.02g
    Code (Text):
    sed -i "s/OPENSSL_VERSION='1.0.2f'/OPENSSL_VERSION='1.02g'/" centmin.sh

    check if OPENSSL_VERSION='1.02g'
    Code (Text):
    grep ^OPENSSL centmin.sh
    OPENSSL_VERSION='1.02g'   # Use this version of OpenSSL

    Code (Text):
    ./centmin.sh
    

    1. select menu option #4 to upgrade/downgrade Nginx
    2. when prompted select yes or no from YUM checks, select NO (really system OpenSSL update step above wouldn't be needed if you select yes to YUM checks here ;) )
    3. then when prompted specify Nginx version = 1.9.12
    4. let Nginx recompile run to completion, it should say Nginx installed successfully
    5. Check if Nginx compiled against 1.02g using Nginx -V command
     
    Last edited: Mar 2, 2016
    • Informative Informative x 1
  2. eva2000

    eva2000 Administrator Staff Member

    30,131
    6,778
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,128
    Local Time:
    8:05 AM
    Nginx 1.13.x
    MariaDB 5.5
    You can tell if your Centmin Mod Nginx is using OpenSSL or LibreSSL via output of SSH command
    Code (Text):
    nginx -V


    If using LibreSSL, built with line will list such
    Code (Text):
    nginx -V
    nginx version: nginx/1.9.12
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with LibreSSL 2.2.6


    If using OpenSSL, built with line will list such
    Code (Text):
    nginx -V
    nginx version: nginx/1.9.12
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with OpenSSL 1.0.2g  1 Mar 2016
    
     
  3. Revenge

    Revenge Active Member

    288
    64
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +227
    Local Time:
    11:05 PM
    1.9.x
    10.1.x
  4. eva2000

    eva2000 Administrator Staff Member

    30,131
    6,778
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,128
    Local Time:
    8:05 AM
    Nginx 1.13.x
    MariaDB 5.5
    @Sunka moved your issue to it's own thread CentOS 7.x - Rolling back Axivo installed OpenSSL 1.0.2a | Centmin Mod Community :)

    yeah 1.0.2g CF patch won't apply cleanly but it still works. So pull request just cleans it up
     
    • Like Like x 1
  5. eva2000

    eva2000 Administrator Staff Member

    30,131
    6,778
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,128
    Local Time:
    8:05 AM
    Nginx 1.13.x
    MariaDB 5.5
    So far updated over 100+ Centmin Mod LEMP stack servers with Nginx 1.9.12 + openssl 1.0.2g static compile + OpenSSL CentOS system updates. Including this forum and centminmod.com cluster of servers :D

    For CentOS 7
    • openssl 1.0.1e-51.el7_2.4
    Code (Text):
    rpm -qa --changelog openssl | head -n9
    * Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.4
    - fix CVE-2016-0702 - side channel attack on modular exponentiation
    - fix CVE-2016-0705 - double-free in DSA private key parsing
    - fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn
    
    * Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.3
    - fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
    - disable SSLv2 in the generic TLS method


    For CentOS 6
    • OpenSSL 1.0.1e-42.el6_7.4
    Code (Text):
    rpm -qa --changelog openssl | head -n9
    * Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.4
    - fix CVE-2016-0702 - side channel attack on modular exponentiation
    - fix CVE-2016-0705 - double-free in DSA private key parsing
    - fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn
    
    * Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.3
    - fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
    - disable SSLv2 in the generic TLS method
     
  6. eva2000

    eva2000 Administrator Staff Member

    30,131
    6,778
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,128
    Local Time:
    8:05 AM
    Nginx 1.13.x
    MariaDB 5.5
    Looks like Redhat/CentOS system openssl update didn't fix all those CVEs listed in 1st post

    Code (Text):
    rpm -qa --changelog openssl | head -n9
    * Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.4
    - fix CVE-2016-0702 - side channel attack on modular exponentiation
    - fix CVE-2016-0705 - double-free in DSA private key parsing
    - fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn
    
    * Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.3
    - fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
    - disable SSLv2 in the generic TLS method

    i.e. CVE-2016-0799 - Red Hat Customer Portal

    so probably more openssl updates to come via CentOS YUM update ?

    CVE-2016-0799 bug report Bug 1312219 – CVE-2016-0799 OpenSSL: Fix memory issues in BIO_*printf functions
     
    • Informative Informative x 3
  7. eva2000

    eva2000 Administrator Staff Member

    30,131
    6,778
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,128
    Local Time:
    8:05 AM
    Nginx 1.13.x
    MariaDB 5.5
    CVE-2016-0799 - Red Hat Customer Portal seems to have unmasked the issue on their page