
Featured Nginx Updating OpenSSL 1.0.1h for Centmin Mod

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by eva2000, Jun 6, 2014.

  1. eva2000

    eva2000 Administrator Staff Member

    With the recent release of OpenSSL 1.0.1h to fix security bugs (http://www.openssl.org/news/secadv_20140605.txt), Red Hat, and thus CentOS, released a backported system OpenSSL 1.0.1e-XX version.

    Previous discussion threads
    How to update OpenSSL for 1.0.1h fixes?

    For Centmin Mod you need to do 2 updates:
    1. System OpenSSL update
    2. Nginx recompile with OPENSSL_VER='1.0.1h' specified in centmin.sh
    Centmin Mod Nginx doesn't use system OpenSSL and is compiled statically; the check command below will return blank/nothing for Centmin Mod Nginx. There's a reason why Centmin Mod Nginx is compiled against a statically linked OpenSSL version.

    Code:
     ldd `which nginx` | grep ssl
    will come back empty for Centmin Mod Nginx based servers.

    System OpenSSL update

    Usually Red Hat and CentOS backport patches, so you will see something like OpenSSL 1.0.1e-XX, where XX is an incremented version number with the fixed patches.

    The fixed version is 1.0.1e-16.el6_5.14

    Code:
    yum list update openssl -q
    Installed Packages
    openssl.i686        1.0.1e-16.el6_5.7     installed
    Available Packages
    openssl.i686        1.0.1e-16.el6_5.14    updates
    So to update OpenSSL to 1.0.1e-16.el6_5.14, run the command

    Code:
    yum -y update openssl openssl-devel
    You'll see output like below

    Code:
    yum -y update openssl openssl-devel
    Loaded plugins: downloadonly, fastestmirror, priorities
    Loading mirror speeds from cached hostfile
    * base: centos.expedientevirtual.com
    * epel: mirrors.kernel.org
    * extras: mirrors.usc.edu
    * rpmforge: mirror.hmc.edu
    * updates: mirrors.sonic.net
    1586 packages excluded due to repository priority protections
    Setting up Update Process
    Resolving Dependencies
    There are unfinished transactions remaining. You might consider running yum-complete-transaction first to finish them.
    --> Running transaction check
    ---> Package openssl.i686 0:1.0.1e-16.el6_5.7 will be updated
    ---> Package openssl.i686 0:1.0.1e-16.el6_5.14 will be an update
    ---> Package openssl-devel.i686 0:1.0.1e-16.el6_5.7 will be updated
    ---> Package openssl-devel.i686 0:1.0.1e-16.el6_5.14 will be an update
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ==========================================================================
    Package            Arch      Version                  Repository    Size
    ==========================================================================
    Updating:
    openssl            i686      1.0.1e-16.el6_5.14       updates      1.5 M
    openssl-devel      i686      1.0.1e-16.el6_5.14       updates      1.2 M
    
    Transaction Summary
    ==========================================================================
    Upgrade       2 Package(s)
    
    Total download size: 2.7 M
    Downloading Packages:
    (1/2): openssl-1.0.1e-16.el6_5.14.i686.rpm         | 1.5 MB     00:00
    (2/2): openssl-devel-1.0.1e-16.el6_5.14.i686.rpm   | 1.2 MB     00:00
    --------------------------------------------------------------------------
    Total                                      12 MB/s | 2.7 MB     00:00
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Updating   : openssl-1.0.1e-16.el6_5.14.i686                        1/4
      Updating   : openssl-devel-1.0.1e-16.el6_5.14.i686                  2/4
      Cleanup    : openssl-devel-1.0.1e-16.el6_5.7.i686                   3/4
      Cleanup    : openssl-1.0.1e-16.el6_5.7.i686                         4/4
      Verifying  : openssl-devel-1.0.1e-16.el6_5.14.i686                  1/4
      Verifying  : openssl-1.0.1e-16.el6_5.14.i686                        2/4
      Verifying  : openssl-devel-1.0.1e-16.el6_5.7.i686                   3/4
      Verifying  : openssl-1.0.1e-16.el6_5.7.i686                         4/4
    
    Updated:
      openssl.i686 0:1.0.1e-16.el6_5.14                                
      openssl-devel.i686 0:1.0.1e-16.el6_5.14                          
    
    Complete!

    Nginx recompile with OPENSSL_VER='1.0.1h'

    To do this, edit your centmin.sh file and

    change
    Code:
    OPENSSL_VER='1.0.1g'
    
    to
    Code:
    OPENSSL_VER='1.0.1h'
    
    Then save centmin.sh and run it:
    Code:
    ./centmin.sh
    
    1. select menu option #4 to upgrade/downgrade Nginx
    2. when prompted to select yes or no for YUM checks, select no (really, the system OpenSSL update step above wouldn't be needed if you select yes to YUM checks here ;) )
    3. then when prompted specify Nginx version = 1.7.1
    4. on system OpenSSL recompile select no, because you already updated system OpenSSL via YUM from above ;)
    5. let Nginx recompile run to completion, it should say Nginx installed successfully
    6. Check if Nginx compiled against 1.0.1h using the nginx -V command
    You should see:

     
    Last edited: Jun 6, 2014
    • Like Like x 2
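    A post-update verification script, added here as an example; it is not part of eva2000's post or of Centmin Mod. It parses captured output of nginx -V, ldd and rpm -q openssl to confirm the three things the steps above ask you to check. The function names, the two expected-version variables and the sample outputs are assumptions of this example, not Centmin Mod's own.

```shell
#!/bin/sh
# Added check script, not from the original post or from Centmin Mod itself. It
# verifies what the post asks you to confirm after updating: nginx was built with
# the OPENSSL_VER from centmin.sh, nginx does not link the system libssl at all,
# and the system OpenSSL RPM is at the fixed build. Parsers take captured text so
# they can run offline; the sample outputs at the bottom are constructed.
EXPECTED_NGINX_OPENSSL='1.0.1h'               # OPENSSL_VER in centmin.sh
EXPECTED_SYSTEM_OPENSSL='1.0.1e-16.el6_5.14'  # fixed CentOS 6 build named in the post

# "nginx -V" prints (on stderr) "built with OpenSSL 1.0.1h 5 Jun 2014"; return "1.0.1h".
nginx_openssl_version() {
    printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([0-9][0-9A-Za-z.]*\).*/\1/p' | head -n 1
}
nginx_has_fixed_openssl() {
    [ "$(nginx_openssl_version "$1")" = "$EXPECTED_NGINX_OPENSSL" ]
}

# Centmin Mod nginx is statically linked, so "ldd $(which nginx) | grep ssl" must
# print nothing. This succeeds (a bad sign) if any libssl/libcrypto line is present.
nginx_links_system_ssl() {
    printf '%s\n' "$1" | grep -q -e 'libssl' -e 'libcrypto'
}

# "rpm -q openssl" prints "openssl-1.0.1e-16.el6_5.14.i686"; strip the package
# name and the arch suffix to get "1.0.1e-16.el6_5.14".
system_openssl_version() {
    printf '%s\n' "$1" | sed -n 's/^openssl-\(.*\)\.[^.]*$/\1/p' | head -n 1
}
system_openssl_is_fixed() {
    [ "$(system_openssl_version "$1")" = "$EXPECTED_SYSTEM_OPENSSL" ]
}

# Run all three checks against live command output on a Centmin Mod server.
check_server() {
    rc=0
    nginx_has_fixed_openssl "$(nginx -V 2>&1)" || { echo "FAIL: nginx not built with OpenSSL $EXPECTED_NGINX_OPENSSL"; rc=1; }
    nginx_links_system_ssl "$(ldd "$(command -v nginx)" 2>/dev/null)" && { echo "FAIL: nginx links the system OpenSSL"; rc=1; }
    system_openssl_is_fixed "$(rpm -q openssl 2>/dev/null)" || { echo "FAIL: system openssl is not $EXPECTED_SYSTEM_OPENSSL"; rc=1; }
    return $rc
}

# Offline demonstration on constructed samples; on a real server call check_server.
SAMPLE_NGINX_V='nginx version: nginx/1.7.1
built with OpenSSL 1.0.1h 5 Jun 2014
configure arguments: --with-openssl=../openssl-1.0.1h'
SAMPLE_RPM='openssl-1.0.1e-16.el6_5.14.i686'
nginx_has_fixed_openssl "$SAMPLE_NGINX_V" && echo "sample nginx: built with OpenSSL $EXPECTED_NGINX_OPENSSL"
system_openssl_is_fixed "$SAMPLE_RPM" && echo "sample system openssl $(system_openssl_version "$SAMPLE_RPM"): fixed"
```

Because the RPM check is an exact match against the one fixed build the post names, adjust EXPECTED_SYSTEM_OPENSSL if your distribution ships a later backported release.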
  2. eva2000

    eva2000 Administrator Staff Member

  3. eva2000

    eva2000 Administrator Staff Member

    Last edited: Oct 18, 2014