Want more timely Centmin Mod News Updates?
Become a Member

Security OpenSSL OpenSSL 1.1.0e CVE-2017-3733 Security Fix Only

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Feb 16, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    29,033
    6,589
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,782
    Local Time:
    3:18 PM
    Nginx 1.13.x
    MariaDB 5.5
    Centmin Mod Nginx only uses OpenSSL 1.0.2+ or LibreSSL 2.4/2.5. Centmin Mod 123.09beta01 supports using OpenSSL 1.1.0+ branch but only if you set it yourself. So this security update for OpenSSL 1.1.0e due in next 24hrs or so doesn't apply to Centmin Mod users, unless you overrode the default OPENSSL_VERSION='1.1.0d' and set LIBRESSL_SWICTH='n' in your persistent config file at /etc/centminmod/custom_config.inc.

    i.e. only applies if you have previously set in /etc/centminmod/custom_config.inc prior to nginx recompiles via centmin.sh menu option 4.
    Code (Text):
    OPENSSL_VERSION='1.1.0d'
    LIBRESSL_SWICTH='n'
    


    Updating if you're on OpenSSL 1.1.0d is easy as updating the overridden version in /etc/centminmod/custom_config.inc and then recompiling Nginx via centmin.sh menu option.
    Code (Text):
    OPENSSL_VERSION='1.1.0e'
    LIBRESSL_SWICTH='n'
    


    [openssl-announce] Forthcoming OpenSSL release
     
  2. eva2000

    eva2000 Administrator Staff Member

    29,033
    6,589
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,782
    Local Time:
    3:18 PM
    Nginx 1.13.x
    MariaDB 5.5
    You can tell if your Centmin Mod Nginx is using OpenSSL or LibreSSL via output of SSH command
    Code (Text):
    nginx -V


    If using LibreSSL, built with line will list such
    Code (Text):
    nginx -V
    nginx version: nginx/1.11.10
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with LibreSSL 2.4.5


    If using OpenSSL 1.0.2k, built with line will list such
    Code (Text):
    nginx -V
    nginx version: nginx/1.11.10
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with OpenSSL 1.0.2k  26 Jan 2017
    


    You don't need to update to OpenSSL 1.1.0e if you are using either LibreSSL 2.4.5 or OpenSSL 1.0.2k
     
  3. eva2000

    eva2000 Administrator Staff Member

    29,033
    6,589
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,782
    Local Time:
    3:18 PM
    Nginx 1.13.x
    MariaDB 5.5
  4. Revenge

    Revenge Active Member

    287
    64
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +227
    Local Time:
    6:18 AM
    1.9.x
    10.1.x
    @eva2000 i don't know if im mistaken, but din't you benchmarked Openssl 1.1.0 vs LibreSSL some time ago and the conclusion was that Openssl was faster?

    If that's the case, just for curiosity, why is LibreSSL the default one?
     
  5. eva2000

    eva2000 Administrator Staff Member

    29,033
    6,589
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,782
    Local Time:
    3:18 PM
    Nginx 1.13.x
    MariaDB 5.5
    Actually 1.1.0* regressed compared to 1.0.2* IIRC

    LibreSSL is default as it compiles much faster than OpenSSL and less security bugs overall. OpenSSL 1.1.0 compiles faster than OpenSSL 1.0.2 though but isn't compatible with nginx lua-nginx-module module yet
     
  6. Revenge

    Revenge Active Member

    287
    64
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +227
    Local Time:
    6:18 AM
    1.9.x
    10.1.x
    I just found your post with your benchmarks.
    The diference in terms of speed is tremendous in favor of OpenSSL.

    [​IMG]

    https://community.centminmod.com/th...-1e-vs-libressl-2-4-2-vs-libressl-2-3-6.8272/
     
    • Like Like x 1
  7. eva2000

    eva2000 Administrator Staff Member

    29,033
    6,589
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,782
    Local Time:
    3:18 PM
    Nginx 1.13.x
    MariaDB 5.5
    haha my own data !

    Indeed... if lua nginx module supported OpenSSL 1.1.0, it would be the default version for sure. I should revisit these benchmarks on my i7 4790K server :)
     
  8. eva2000

    eva2000 Administrator Staff Member

    29,033
    6,589
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,782
    Local Time:
    3:18 PM
    Nginx 1.13.x
    MariaDB 5.5
  9. eva2000

    eva2000 Administrator Staff Member

    29,033
    6,589
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,782
    Local Time:
    3:18 PM
    Nginx 1.13.x
    MariaDB 5.5
    Some details for the security issue in versions prior to OpenSSL 1.1.0e https://www.openssl.org/news/secadv/20170216.txt