
Beta Branch update openssl 1.0.2h for nginx ssl

Discussion in 'Centmin Mod Github Commits' started by eva2000, May 4, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    49,875
    11,487
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,839
    Local Time:
    8:30 PM
    Nginx 1.21.x
    MariaDB 10.x
  2. eva2000

    eva2000 Administrator Staff Member

  3. trxerz

    trxerz Member

    69
    5
    8
    Jun 25, 2015
    Ratings:
    +7
    Local Time:
    11:30 AM
    Hi,
    I've done everything (update CMM latest current branch, compile nginx) but here's my openssl version:
    Code:
    openssl version
    OpenSSL 1.0.1e-fips 11 Feb 2013
    
    Here's the Nginx once updated:
    Code:
    nginx -V
    nginx version: nginx/1.10.0
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with LibreSSL 2.3.4
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -mtune=native -mfpmath=sse -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-sign-compare -Wno-string-plus-int -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-c++11-extensions -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion -Wno-c++11-compat-deprecated-writable-strings -Wno-write-strings' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-openssl-opt=enable-tlsext --with-libatomic --with-threads --with-http_gzip_static_module --with-http_geoip_module --with-http_realip_module --add-module=../headers-more-nginx-module-0.30rc1 --with-pcre=../pcre-8.38 --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-openssl=../libressl-2.3.4
    
    When checked with the above online check tool:
    Code:
    All good, mysite.com seems fixed or unaffected!
    Am I still safe? FYI, I'm hosted with Vultr; maybe they protect the OpenSSL version.
     
  4. eva2000

    eva2000 Administrator Staff Member

    Read: Security - OpenSSL 1.0.h & Updating Centmin Mod Nginx SSL Support | Centmin Mod Community

    Centmin Mod openssl involves:

    1. nginx openssl 1.0.2h update or libressl 2.3.4, which is now the default for 123.08stable and 123.09beta01 again, unless you enable the nginx lua module, in which case it switches back to openssl 1.0.2h
    2. CentOS system openssl update, which has backported 1.0.1e-* version numbers

    1st update fixes http/https based ssl for nginx
    2nd fixes all other non-http/https based ssl
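
The two layers described in the post above, as an added example that is not part of the thread or of Centmin Mod's own code: it parses `nginx -V` output to tell whether nginx carries its own statically compiled TLS library or relies on the system one. The function names and the trimmed sample input are constructed for this illustration.

```sh
#!/bin/sh
# Added example, not Centmin Mod code. Function names are hypothetical.

# Constructed sample, trimmed from the `nginx -V` output quoted in the thread.
SAMPLE_NGINX_V='nginx version: nginx/1.10.0
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with LibreSSL 2.3.4
TLS SNI support enabled
configure arguments: --with-openssl-opt=enable-tlsext --with-http_ssl_module --with-openssl=../libressl-2.3.4'

# nginx_tls_lib: reads `nginx -V 2>&1` output on stdin and prints
# "<library> <version> <linkage>". Linkage is "static" when nginx was
# configured with --with-openssl=<source dir> (library compiled into the
# binary) and "system" otherwise (shared libssl from the OS package).
# Returns 1 when nginx was built without any TLS library.
nginx_tls_lib() (
  out=$(cat)
  built=$(printf '%s\n' "$out" | sed -n 's/^built with //p' | head -n 1)
  [ -n "$built" ] || { echo "none - none"; exit 1; }
  set -f; set -- $built     # word-split: $1 = library name, $2 = version
  case "$out" in
    *--with-openssl=*) linkage=static ;;   # does not match --with-openssl-opt=
    *)                 linkage=system ;;
  esac
  echo "$1 $2 $linkage"
)

# nginx_fix_path: which of the two updates patches nginx's HTTPS.
nginx_fix_path() {
  case "$1" in
    static) echo "recompile nginx against patched OpenSSL/LibreSSL source" ;;
    system) echo "update the OS openssl package, then restart nginx" ;;
    *)      echo "nginx has no TLS library to patch" ;;
  esac
}

# Use the live binary when present, otherwise the constructed sample.
if command -v nginx >/dev/null 2>&1; then
  nginx_out=$(nginx -V 2>&1)
else
  nginx_out=$SAMPLE_NGINX_V
fi
result=$(printf '%s\n' "$nginx_out" | nginx_tls_lib) || true
echo "nginx TLS:  $result"
echo "nginx fix:  $(nginx_fix_path "${result##* }")"
echo "system TLS: $(openssl version 2>/dev/null || echo 'openssl CLI not found')"
```

On a CentOS host, `openssl version` reports the system package, which is why it can still show 1.0.1e-fips while `nginx -V` reports LibreSSL 2.3.4.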
     
  5. trxerz

    trxerz Member

    Hi George, what about the vuln on the CDN provider?
    When I checked your cdn sub domain (sitecdn.centminmod.com) it's vulnerable.
    Can it directly affect the site's security?
     
  6. eva2000

    eva2000 Administrator Staff Member

    AFAIK, it would affect the CDN provider's server, but static files don't transmit user logins or sensitive data that can be revealed by the vulnerability, I believe. @Brian?