
Security OpenSSL 1.0.2g & Updating Centmin Mod Nginx SSL Support

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jan 26, 2016.

  1. eva2000

    eva2000 Administrator Staff Member


    OpenSSL 1.0.2g Release Information



    OpenSSL folks are releasing OpenSSL 1.0.2g and 1.0.1s security updates on March 1, 2016 http://openssl.org/news/secadv/20160301.txt:

    Notes:


    • Prior to Feb 25th, 2016, Centmin Mod Nginx from 1.2.3-eva2000.08 (123.08stable) onwards by default is compiled against LibreSSL 2.2 instead of OpenSSL 1.0.2g, so it generally doesn't need updating on the Centmin Mod Nginx side. But CentOS system OpenSSL may need updates.
    • After Feb 25th, 2016, Centmin Mod Nginx has switched back to being compiled against OpenSSL 1.0.2+ for out-of-the-box defaults due to Nginx 1.9.12 compatibility issues with LibreSSL.

    Centmin Mod LEMP Upgrade OpenSSL 1.0.2g




    For Centmin Mod LEMP stack 1.2.3-eva2000.08 stable and higher, there are 2 parts to updating OpenSSL: the system YUM package backported update, plus the Nginx OpenSSL static compilation for the front-facing Nginx server and HTTPS/SSL. Updating to OpenSSL 1.0.2g is the exact same approach as outlined at Nginx - Updating OpenSSL 1.0.1K for Centmin Mod

    For Centmin Mod 1.2.3-eva2000.08 stable (123.08stable) and higher (including betas) you need to do 2 updates:
    1. System OpenSSL update for CentOS
    2. Nginx recompile with OPENSSL_VERSION='1.0.2g' specified in centmin.sh
    Centmin Mod Nginx doesn't use system OpenSSL and is compiled statically - check command below will return blank/nothing for Centmin Mod Nginx. There's a reason why Centmin Mod Nginx is compiled against a statically linked OpenSSL version.

    Code (Text):
     ldd `which nginx` | grep ssl


    will come back empty for Centmin Mod Nginx based servers.

    System OpenSSL update for CentOS



    Usually Redhat and CentOS back port patches so you will see something like OpenSSL 1.0.1e-XX where XX is incremented version number with fixed patches. Will update this post once Redhat/CentOS have an updated YUM package.

    Also sometimes Redhat or CentOS system versions won't be affected by the OpenSSL source listed bugs/security issues. You have to read each CVE* listing on Red Hat and CentOS bug trackers to see if they apply or not.

    CentOS/Redhat system OpenSSL updates

    Seems CentOS YUM OpenSSL updates are out too

    For CentOS 7
    • openssl 1.0.1e-51.el7_2.4
    Code (Text):
    rpm -qa --changelog openssl | head -n9
    * Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.4
    - fix CVE-2016-0702 - side channel attack on modular exponentiation
    - fix CVE-2016-0705 - double-free in DSA private key parsing
    - fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn
    
    * Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.3
    - fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
    - disable SSLv2 in the generic TLS method


    For CentOS 6
    • OpenSSL 1.0.1e-42.el6_7.4
    Code (Text):
    rpm -qa --changelog openssl | head -n9
    * Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.4
    - fix CVE-2016-0702 - side channel attack on modular exponentiation
    - fix CVE-2016-0705 - double-free in DSA private key parsing
    - fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn
    
    * Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.3
    - fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
    - disable SSLv2 in the generic TLS method


    For automatic daily updates, check out yum-cron.

    Code (Text):
    yum list updates -q | grep openssl
    


    Code (Text):
    rpm -qa --changelog openssl | head -n11
    


    To update
    Code (Text):
    yum -y update

    Note: after system update you need to reboot your server to ensure all services which use OpenSSL also use the updated version.

    Nginx recompile with OPENSSL_VERSION='1.0.2g'



    • Prior to Feb 25th, 2016, Centmin Mod Nginx from 1.2.3-eva2000.08 (123.08stable) onwards by default is compiled against LibreSSL 2.2 instead of OpenSSL 1.0.2g, so it generally doesn't need updating on the Centmin Mod Nginx side. But CentOS system OpenSSL may need updates.
    • After Feb 25th, 2016, Centmin Mod Nginx has switched back to being compiled against OpenSSL 1.0.2+ for out-of-the-box defaults due to Nginx 1.9.12 compatibility issues with LibreSSL.

    To update if you are using OpenSSL and not the prior default Centmin Mod Nginx LibreSSL, edit your centmin.sh file variable OPENSSL_VERSION. There are 2 ways to do that:
    1. The best way is to use centmin.sh menu option 23 submenu option 2 for auto updating Centmin Mod code as outlined at centminmod.com/upgrade.html and at https://community.centminmod.com/threads/new-08-beta-menu-option-updating-centmin-mod-via-git.3084/. If Centmin Mod code has been updated, that method will auto update centmin.sh to the latest version, which already has OPENSSL_VERSION='1.0.2g' set. After updating via git centmin.sh menu option 23 submenu options, verify in centmin.sh that OPENSSL_VERSION='1.0.2g' is set.
    2. If you do not have centmin.sh menu option 23 submenu option 1 for git environment setup, or if centmin.sh doesn't have OPENSSL_VERSION='1.0.2g' set, then you need to manually update and edit your server copy of centmin.sh at /usr/local/src/centminmod/centmin.sh and

    change
    Code (Text):
    OPENSSL_VERSION='1.0.2f'
    

    to
    Code (Text):
    OPENSSL_VERSION='1.0.2g'
    

    Then save centmin.sh. Then run centmin.sh

    or use sed to replace 1.0.2f with 1.0.2g
    Code (Text):
    sed -i "s/OPENSSL_VERSION='1.0.2f'/OPENSSL_VERSION='1.0.2g'/" centmin.sh

    check if OPENSSL_VERSION='1.0.2g'
    Code (Text):
    grep ^OPENSSL centmin.sh
    OPENSSL_VERSION='1.0.2g'   # Use this version of OpenSSL

    Code (Text):
    ./centmin.sh
    

    1. select menu option #4 to upgrade/downgrade Nginx
    2. when prompted select yes or no from YUM checks, select NO (really system OpenSSL update step above wouldn't be needed if you select yes to YUM checks here ;) )
    3. then when prompted specify Nginx version = 1.9.12
    4. let Nginx recompile run to completion, it should say Nginx installed successfully
    5. Check if Nginx compiled against 1.0.2g using the nginx -V command
     
    Last edited: Mar 2, 2016
  2. eva2000

    eva2000 Administrator Staff Member

    You can tell if your Centmin Mod Nginx is using OpenSSL or LibreSSL via output of SSH command
    Code (Text):
    nginx -V


    If using LibreSSL, built with line will list such
    Code (Text):
    nginx -V
    nginx version: nginx/1.9.12
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with LibreSSL 2.2.6


    If using OpenSSL, built with line will list such
    Code (Text):
    nginx -V
    nginx version: nginx/1.9.12
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with OpenSSL 1.0.2g  1 Mar 2016
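
    The checks the two posts above rely on (the ldd test for a static build, the "built with" line of nginx -V, and the backported RPM changelog), as an added shell example that is not Centmin Mod's own code. The nginx -V, ldd and rpm --changelog outputs embedded here are constructed samples modelled on the thread's output, and the helper names (tls_lib_of, uses_system_ssl, openssl_at_least, nginx_needs_rebuild, missing_cves) are this example's, not Centmin Mod's. It also generalises the version check: the patch-letter comparison works for any 1.0.x-style OpenSSL version, not only 1.0.2f versus 1.0.2g.

```shell
#!/bin/sh
# Added example (not Centmin Mod's own code): post-update checks for the
# two-part OpenSSL update procedure.  Written so it runs offline against the
# constructed samples below; on a live host feed it the real output of
# `nginx -V 2>&1`, `ldd $(command -v nginx)` and `rpm -q --changelog openssl`.

# Constructed `nginx -V` output for a rebuilt (static OpenSSL 1.0.2g) binary.
SAMPLE_NGINX_V_NEW='nginx version: nginx/1.9.12
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled'

# Constructed output for a binary still built against the previous release.
SAMPLE_NGINX_V_OLD='nginx version: nginx/1.9.10
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with OpenSSL 1.0.2f  28 Jan 2016
TLS SNI support enabled'

# Constructed output for the earlier LibreSSL default.
SAMPLE_NGINX_V_LIBRESSL='nginx version: nginx/1.9.12
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with LibreSSL 2.2.6
TLS SNI support enabled'

# Constructed `ldd` output: a static Centmin Mod build (no libssl/libcrypto)
# versus a distro-style build that loads the system libraries at run time.
SAMPLE_LDD_STATIC='linux-vdso.so.1 =>  (0x00007ffd5a9f0000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f4c2a3a0000)
libz.so.1 => /lib64/libz.so.1 (0x00007f4c29c30000)
libc.so.6 => /lib64/libc.so.6 (0x00007f4c29870000)'
SAMPLE_LDD_DYNAMIC='linux-vdso.so.1 =>  (0x00007ffd5a9f0000)
libssl.so.10 => /lib64/libssl.so.10 (0x00007f4c2a5c0000)
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f4c2a1e0000)
libc.so.6 => /lib64/libc.so.6 (0x00007f4c29870000)'

# Constructed `rpm -q --changelog openssl` head, modelled on the CentOS 7
# entry quoted in the thread.
SAMPLE_CHANGELOG='* Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.4
- fix CVE-2016-0702 - side channel attack on modular exponentiation
- fix CVE-2016-0705 - double-free in DSA private key parsing
- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn

* Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.3
- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
- disable SSLv2 in the generic TLS method'

# tls_lib_of <nginx -V text>: prints "OpenSSL 1.0.2g" or "LibreSSL 2.2.6".
tls_lib_of() {
  printf '%s\n' "$1" | awk '/^built with (OpenSSL|LibreSSL) / { print $3, $4; exit }'
}

# uses_system_ssl <ldd text>: true when nginx links libssl/libcrypto
# dynamically, i.e. the system RPM update is what patches it, not a rebuild.
uses_system_ssl() {
  printf '%s\n' "$1" | grep -q -E 'lib(ssl|crypto)\.so'
}

# openssl_vernum <1.0.x-style version>: map "1.0.2g" to a sortable integer
# (patch letter a..z -> 1..26, none -> 0) so "1.0.2g" > "1.0.2f" > "1.0.1s".
openssl_vernum() {
  printf '%s\n' "$1" | awk -F. '{
    patch = $3; letter = 0
    if (patch ~ /[a-z]$/) {
      letter = index("abcdefghijklmnopqrstuvwxyz", substr(patch, length(patch), 1))
      sub(/[a-z]$/, "", patch)
    }
    printf "%d%03d%03d%03d\n", $1, $2, patch, letter
  }'
}

# openssl_at_least <have> <want>: true when <have> is <want> or newer.
openssl_at_least() {
  [ "$(openssl_vernum "$1")" -ge "$(openssl_vernum "$2")" ]
}

# nginx_needs_rebuild <nginx -V text> <fixed version>: true when the binary was
# statically built against an OpenSSL older than the fixed release.  LibreSSL
# builds are outside the OpenSSL advisory, so they are reported as fine here.
nginx_needs_rebuild() {
  lib=$(tls_lib_of "$1")
  case $lib in
    OpenSSL\ *) ! openssl_at_least "${lib#OpenSSL }" "$2" ;;
    *) return 1 ;;
  esac
}

# missing_cves <changelog text> <CVE-ID>...: prints each CVE the backported
# package changelog does not mention, so a partial vendor fix is visible.
missing_cves() {
  changelog=$1; shift
  for cve in "$@"; do
    printf '%s\n' "$changelog" | grep -q -F -- "$cve" || printf '%s\n' "$cve"
  done
}

# Live usage on a Centmin Mod host (assumed command lines, not run here):
#   nginx_needs_rebuild "$(nginx -V 2>&1)" 1.0.2g && echo "recompile nginx (menu option 4)"
#   uses_system_ssl "$(ldd "$(command -v nginx)")" || echo "static build: yum update alone does not patch nginx"
#   missing_cves "$(rpm -q --changelog openssl)" CVE-2016-0702 CVE-2016-0705 CVE-2016-0797 CVE-2016-0799
```

    The point of the ldd check is the one the first post makes: a statically linked nginx is not touched by "yum update", so a clean system changelog says nothing about the TLS stack your visitors actually hit, and the "built with" line is the only thing worth trusting for it.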
    
     
  3. Revenge

    Revenge Active Member

  4. eva2000

    eva2000 Administrator Staff Member

    @Sunka moved your issue to its own thread CentOS 7.x - Rolling back Axivo installed OpenSSL 1.0.2a | Centmin Mod Community :)

    Yeah, the 1.0.2g CF patch won't apply cleanly, but it still works. So the pull request just cleans it up.
     
  5. eva2000

    eva2000 Administrator Staff Member

    So far updated over 100+ Centmin Mod LEMP stack servers with Nginx 1.9.12 + openssl 1.0.2g static compile + OpenSSL CentOS system updates. Including this forum and centminmod.com cluster of servers :D

    For CentOS 7
    • openssl 1.0.1e-51.el7_2.4
    Code (Text):
    rpm -qa --changelog openssl | head -n9
    * Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.4
    - fix CVE-2016-0702 - side channel attack on modular exponentiation
    - fix CVE-2016-0705 - double-free in DSA private key parsing
    - fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn
    
    * Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.3
    - fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
    - disable SSLv2 in the generic TLS method


    For CentOS 6
    • OpenSSL 1.0.1e-42.el6_7.4
    Code (Text):
    rpm -qa --changelog openssl | head -n9
    * Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.4
    - fix CVE-2016-0702 - side channel attack on modular exponentiation
    - fix CVE-2016-0705 - double-free in DSA private key parsing
    - fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn
    
    * Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.3
    - fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
    - disable SSLv2 in the generic TLS method
     
  6. eva2000

    eva2000 Administrator Staff Member

    Looks like Redhat/CentOS system openssl update didn't fix all those CVEs listed in 1st post

    Code (Text):
    rpm -qa --changelog openssl | head -n9
    * Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.4
    - fix CVE-2016-0702 - side channel attack on modular exponentiation
    - fix CVE-2016-0705 - double-free in DSA private key parsing
    - fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn
    
    * Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.3
    - fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
    - disable SSLv2 in the generic TLS method

    i.e. CVE-2016-0799 - Red Hat Customer Portal

    So probably more OpenSSL updates to come via CentOS YUM update?

    CVE-2016-0799 bug report Bug 1312219 – CVE-2016-0799 OpenSSL: Fix memory issues in BIO_*printf functions
     
  7. eva2000

    eva2000 Administrator Staff Member

    CVE-2016-0799 - Red Hat Customer Portal seems to have unmasked the issue on their page