Security OpenSSL OpenSSL 1.1.0e CVE-2017-3733 Security Fix Only

eva2000 · Feb 16, 2017

Centmin Mod Nginx only uses OpenSSL 1.0.2+ or LibreSSL 2.4/2.5. Centmin Mod 123.09beta01 supports using OpenSSL 1.1.0+ branch but only if you set it yourself. So this security update for OpenSSL 1.1.0e due in next 24hrs or so doesn't apply to Centmin Mod users, unless you overrode the default OPENSSL_VERSION='1.1.0d' and set LIBRESSL_SWICTH='n' in your persistent config file at /etc/centminmod/custom_config.inc.

i.e. only applies if you have previously set in /etc/centminmod/custom_config.inc prior to nginx recompiles via centmin.sh menu option 4.
Code (Text):
OPENSSL_VERSION='1.1.0d'
LIBRESSL_SWICTH='n'
Updating if you're on OpenSSL 1.1.0d is easy as updating the overridden version in /etc/centminmod/custom_config.inc and then recompiling Nginx via centmin.sh menu option.
Code (Text):
OPENSSL_VERSION='1.1.0e'
LIBRESSL_SWICTH='n'
[openssl-announce] Forthcoming OpenSSL release

Forthcoming OpenSSL release
===========================

The OpenSSL project team would like to announce the forthcoming release of
OpenSSL version 1.1.0e

This release will be made available on 16th February 2017 between 1200-1600
UTC, and will include a fix for a security defect classified as severity "High".
This issue does not affect OpenSSL versions prior to 1.1.0.

Please see the following page for further details of severity levels:
/policies/secpolicy.html

Yours

The OpenSSL Project Team
Click to expand...

eva2000 · Feb 16, 2017

You can tell if your Centmin Mod Nginx is using OpenSSL or LibreSSL via output of SSH command
Code (Text):
nginx -V
If using LibreSSL, built with line will list such
Code (Text):
nginx -V
nginx version: nginx/1.11.10
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with LibreSSL 2.4.5
If using OpenSSL 1.0.2k, built with line will list such
Code (Text):
nginx -V
nginx version: nginx/1.11.10
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with OpenSSL 1.0.2k  26 Jan 2017
You don't need to update to OpenSSL 1.1.0e if you are using either LibreSSL 2.4.5 or OpenSSL 1.0.2k

eva2000 · Feb 16, 2017

Countdown till Feb 16th 12:00 UTC OpenSSL 1.1.0e Release

Revenge · Feb 16, 2017

@eva2000 i don't know if im mistaken, but din't you benchmarked Openssl 1.1.0 vs LibreSSL some time ago and the conclusion was that Openssl was faster?

If that's the case, just for curiosity, why is LibreSSL the default one?

eva2000 · Feb 16, 2017

Actually 1.1.0* regressed compared to 1.0.2* IIRC

LibreSSL is default as it compiles much faster than OpenSSL and less security bugs overall. OpenSSL 1.1.0 compiles faster than OpenSSL 1.0.2 though but isn't compatible with nginx lua-nginx-module module yet

Revenge · Feb 17, 2017

eva2000 said: ↑

Actually 1.1.0* regressed compared to 1.0.2* IIRC

LibreSSL is default as it compiles much faster than OpenSSL and less security bugs overall. OpenSSL 1.1.0 compiles faster than OpenSSL 1.0.2 though but isn't compatible with nginx lua-nginx-module module yet
Click to expand...

I just found your post with your benchmarks.
The diference in terms of speed is tremendous in favor of OpenSSL.

https://community.centminmod.com/th...-1e-vs-libressl-2-4-2-vs-libressl-2-3-6.8272/

eva2000 · Feb 17, 2017

haha my own data !

Indeed... if lua nginx module supported OpenSSL 1.1.0, it would be the default version for sure. I should revisit these benchmarks on my i7 4790K server

eva2000 · Feb 17, 2017

Interesting results https://community.centminmod.com/th...-0e-vs-libressl-2-4-5-2-5-1-benchmarks.10463/ !

eva2000 · Feb 17, 2017

Some details for the security issue in versions prior to OpenSSL 1.1.0e https://www.openssl.org/news/secadv/20170216.txt

OpenSSL Security Advisory [16 Feb 2017]
========================================

Encrypt-Then-Mac renegotiation crash (CVE-2017-3733)
====================================================

Severity: High

During a renegotiation handshake if the Encrypt-Then-Mac extension is
negotiated where it was not in the original handshake (or vice-versa) then this
can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers
are affected.

OpenSSL 1.1.0 users should upgrade to 1.1.0e

This issue does not affect OpenSSL version 1.0.2.

This issue was reported to OpenSSL on 31st January 2017 by Joe Orton (Red Hat).
The fix was developed by Matt Caswell of the OpenSSL development team.

Note
====

Support for version 1.0.1 ended on 31st December 2016. Support for versions
0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer
receiving security updates.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20170216.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
/policies/secpolicy.html
Click to expand...

Log in / Register

Forums

Learn about Centmin Mod LEMP Stack today

Security OpenSSL OpenSSL 1.1.0e CVE-2017-3733 Security Fix Only

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Learn about Centmin Mod LEMP Stack today

Security OpenSSL OpenSSL 1.1.0e CVE-2017-3733 Security Fix Only

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.