Beta Branch update openssl 1.0.2h for nginx ssl

Discussion in 'Centmin Mod Github Commits' started by eva2000, May 4, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    30,191
    6,788
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,142
    Local Time:
    3:14 AM
    Nginx 1.13.x
    MariaDB 5.5
  2. eva2000

  3. trxerz

    trxerz Member

    66
    5
    8
    Jun 25, 2015
    Ratings:
    +7
    Local Time:
    6:14 PM
    Hi,
    I've done everything (update CMM latest current branch, compile nginx) but here's my openssl version:
    Code:
    openssl version
    OpenSSL 1.0.1e-fips 11 Feb 2013
    
    Here is the Nginx once updated,
    Code:
    nginx -V
    nginx version: nginx/1.10.0
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with LibreSSL 2.3.4
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -mtune=native -mfpmath=sse -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-sign-compare -Wno-string-plus-int -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-c++11-extensions -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion -Wno-c++11-compat-deprecated-writable-strings -Wno-write-strings' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-openssl-opt=enable-tlsext --with-libatomic --with-threads --with-http_gzip_static_module --with-http_geoip_module --with-http_realip_module --add-module=../headers-more-nginx-module-0.30rc1 --with-pcre=../pcre-8.38 --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-openssl=../libressl-2.3.4
    
    When checked with the above online check tool
    Code:
    All good, mysite.com seems fixed or unaffected!
    Am I still safe? FYI, I'm hosted with Vultr; maybe they protect the OpenSSL version.
     
  4. eva2000

    Read Security - OpenSSL 1.0.h & Updating Centmin Mod Nginx SSL Support | Centmin Mod Community. Centmin Mod openssl involves:

    1. nginx openssl 1.0.2h update, or libressl 2.3.4, which is now the default of 123.08stable and 123.09beta01 again, unless you enable the nginx lua module, in which case it switches back to openssl 1.0.2h
    2. centos system openssl update, which has backported 1.0.1e-* version numbers

    The 1st update fixes http/https based ssl for nginx.
    The 2nd fixes all other non-http/https based ssl.
     
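An added example, not part of the thread and not Centmin Mod's own code: a shell check that separates the two layers described in the post above, the TLS library compiled into nginx and the system OpenSSL package. The function names are hypothetical, and the sample input is trimmed from the `nginx -V` and `openssl version` output quoted earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report the TLS library nginx was built
# with, separately from the system OpenSSL package.

# Constructed sample: trimmed from the `nginx -V` output quoted in the thread.
SAMPLE_NGINX_V="nginx version: nginx/1.10.0
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with LibreSSL 2.3.4
TLS SNI support enabled
configure arguments: --with-openssl-opt=enable-tlsext --with-http_ssl_module --with-openssl=../libressl-2.3.4"

# `openssl version` output quoted in the thread (system package, CentOS).
SAMPLE_OPENSSL_VERSION="OpenSSL 1.0.1e-fips 11 Feb 2013"

# Print the "<library> <version>" from nginx's "built with ..." line.
nginx_tls_library() {
    printf '%s\n' "$1" |
        sed -nE 's/^built with ((OpenSSL|LibreSSL|BoringSSL) [^ ]+).*/\1/p' |
        head -n 1
}

# Print "static" if nginx was configured with --with-openssl=<source dir>
# (library compiled into the binary), otherwise "system".
# --with-openssl-opt=... alone does not count: the "=" must follow "openssl".
nginx_tls_linkage() {
    case "$1" in
        *--with-openssl=*) echo static ;;
        *) echo system ;;
    esac
}

# Summarise both layers. $1 = `nginx -V` text, $2 = `openssl version` text.
tls_report() {
    printf 'nginx http/https ssl: %s (%s)\n' \
        "$(nginx_tls_library "$1")" "$(nginx_tls_linkage "$1")"
    printf 'system (non-nginx) ssl: %s\n' "$2"
    if [ "$(nginx_tls_linkage "$1")" = static ]; then
        echo 'note: openssl version says nothing about this nginx binary'
    fi
}

# On a live host (nginx -V writes to stderr):
#   tls_report "$(nginx -V 2>&1)" "$(openssl version)"
tls_report "$SAMPLE_NGINX_V" "$SAMPLE_OPENSSL_VERSION"
```

Because CentOS backports fixes under the 1.0.1e-* version string, the system layer is checked through the package changelog (`rpm -q --changelog openssl`) rather than the version number.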
  5. trxerz

    Hi George, what about the vuln on the CDN provider?
    When I checked your CDN subdomain (sitecdn.centminmod.com), it's vulnerable.
    Can it directly affect the site's security?
     
  6. eva2000

    AFAIK, it would affect the CDN provider's server, but static files don't transmit user logins or sensitive data that can be revealed from the vulnerability, I believe. @Brian ?