
Featured Nginx Updating OpenSSL 1.0.1i for Centmin Mod

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by eva2000, Aug 7, 2014.

Thread Status:
Not open for further replies.
  1. eva2000

    Recent release of OpenSSL 1.0.1i to fix security bugs: http://www.openssl.org/news/secadv_20140806.txt & OpenSSL Update, No Major Security Threats - DigiCert Blog. Not all of those seem to apply to Red Hat's OpenSSL, but not 100% sure on the details for all.

    How to update OpenSSL for 1.0.1i fixes?



    For Centmin Mod you need to do 2 updates:
    1. System OpenSSL update
    2. Nginx recompile with OPENSSL_VER='1.0.1i' specified in centmin.sh
    Centmin Mod Nginx doesn't use system OpenSSL and is compiled statically - check command below will return blank/nothing for Centmin Mod Nginx. There's a reason why Centmin Mod Nginx is compiled against a statically linked OpenSSL version.

    Code:
     ldd `which nginx` | grep ssl
    will come back empty for Centmin Mod Nginx based servers.

    System OpenSSL update



    Note: after system update you need to reboot your server to ensure all services which use OpenSSL also use the updated version.

    Usually Redhat and CentOS back port patches so you will see something like OpenSSL 1.0.1e-XX where XX is incremented version number with fixed patches. Will update this post once Redhat/CentOS have an updated YUM package.

    Or you can try Axivo YUM repo's OpenSSL 1.0.1i version which is installed on Centmin Mod .07 and higher versions for 64bit only systems. There's no guarantees with Axivo YUM repo and Centmin Mod if any issues arise due to conflicts so best to test it out on a test server first. Instructions for Axivo OpenSSL 1.0.1i here. So you can either wait for Redhat/CentOS released version or try Axivo :)


    Looks like CentOS finally provided an updated package for
    • OpenSSL 1.0.1e-34.el7_0.4 for CentOS 7
    • OpenSSL 1.0.1e-16.el6_5.15 for CentOS 6
    on CentOS 7
    Code:
    yum list updates | grep openssl
    openssl.x86_64                            1:1.0.1e-34.el7_0.4            updates
    openssl-devel.x86_64                      1:1.0.1e-34.el7_0.4            updates
    on CentOS 6
    Code:
    yum list updates | grep openssl
    openssl.x86_64                             1.0.1e-16.el6_5.15            updates
    openssl-devel.x86_64                       1.0.1e-16.el6_5.15            updates
    To update
    Code:
    yum -y update
    Note: after system update you need to reboot your server to ensure all services which use OpenSSL also use the updated version.

    Check the OpenSSL change log which has fixes dated Aug 08, 2014

    For CentOS 7
    Code:
    rpm -qa -changelog openssl | head -n9
    * Fri Aug 08 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-34.4
    - fix CVE-2014-3505 - doublefree in DTLS packet processing
    - fix CVE-2014-3506 - avoid memory exhaustion in DTLS
    - fix CVE-2014-3507 - avoid memory leak in DTLS
    - fix CVE-2014-3508 - fix OID handling to avoid information leak
    - fix CVE-2014-3509 - fix race condition when parsing server hello
    - fix CVE-2014-3510 - fix DoS in anonymous (EC)DH handling in DTLS
    - fix CVE-2014-3511 - disallow protocol downgrade via fragmentation
    
    For CentOS 6
    Code:
    rpm -qa -changelog openssl | head -n9
    * Fri Aug 08 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.15
    - fix CVE-2014-3505 - doublefree in DTLS packet processing
    - fix CVE-2014-3506 - avoid memory exhaustion in DTLS
    - fix CVE-2014-3507 - avoid memory leak in DTLS
    - fix CVE-2014-3508 - fix OID handling to avoid information leak
    - fix CVE-2014-3509 - fix race condition when parsing server hello
    - fix CVE-2014-3510 - fix DoS in anonymous (EC)DH handling in DTLS
    - fix CVE-2014-3511 - disallow protocol downgrade via fragmentation
    

    Nginx recompile with OPENSSL_VER='1.0.1i'



    To do this edit your centmin.sh file and

    change
    Code:
    OPENSSL_VER='1.0.1h'
    
    to
    Code:
    OPENSSL_VER='1.0.1i'
    
    Then save centmin.sh. Then run centmin.sh
    Code:
    ./centmin.sh
    
    1. select menu option #4 to upgrade/downgrade Nginx
    2. when prompted select yes or no from YUM checks, select NO (really system OpenSSL update step above wouldn't be needed if you select yes to YUM checks here ;) )
    3. then when prompted specify Nginx version = 1.7.4
    4. on system OpenSSL recompile select NO, because you already updated or will update system OpenSSL via YUM from above ;)
    5. let Nginx recompile run to completion, it should say Nginx installed successfully
    6. Check if Nginx compiled against 1.0.1i using the nginx -V command
    should see

     
    Last edited: Aug 18, 2014
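The checks from the post above (static OpenSSL in nginx, the nginx -V version, and the backported CVE fixes in the system package) as one POSIX sh script. This is an added example, not code from the original post or from Centmin Mod; it assumes the usual `nginx -V`, `ldd` and `rpm --changelog` output formats, and the sample strings it is tested with are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: post-upgrade checks for the
# two steps above. Assumes the usual `nginx -V` / `ldd` / `rpm --changelog`
# output formats; sample inputs used to exercise it are constructed.

# The seven CVEs fixed in OpenSSL 1.0.1i (from the changelog quoted above).
REQUIRED_CVES='CVE-2014-3505 CVE-2014-3506 CVE-2014-3507 CVE-2014-3508
CVE-2014-3509 CVE-2014-3510 CVE-2014-3511'

# Print the OpenSSL version nginx was built with, reading `nginx -V 2>&1`
# from stdin. Handles both the "built with OpenSSL x.y.z" line newer nginx
# prints and the --with-openssl=../openssl-x.y.z configure argument that
# a statically built nginx such as Centmin Mod's shows.
openssl_version_from_nginx_v() {
    sed -n -e 's/.*built with OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' \
           -e 's/.*--with-openssl=[^ ]*openssl-\([0-9][0-9a-z.]*\).*/\1/p' |
        head -n1
}

# Exit 0 when the detected version equals the expected one (e.g. 1.0.1i).
nginx_openssl_matches() {
    actual="$(openssl_version_from_nginx_v)"
    [ -n "$actual" ] && [ "$actual" = "$1" ]
}

# Exit 0 when `ldd` output on stdin shows no dynamic libssl/libcrypto,
# i.e. nginx carries its own statically linked OpenSSL (Centmin Mod's case).
nginx_is_static_ssl() {
    ! grep -qiE 'libssl|libcrypto'
}

# Exit 0 when every 1.0.1i CVE appears in the rpm changelog text on stdin;
# this confirms a backported 1.0.1e-XX package actually carries the fixes.
changelog_covers_cves() {
    log="$(cat)"
    for cve in $REQUIRED_CVES; do
        printf '%s\n' "$log" | grep -q "$cve" || return 1
    done
    return 0
}

# Live use on a server (needs nginx and rpm present): ./check.sh --live
if [ "${1:-}" = "--live" ]; then
    nginx -V 2>&1 | nginx_openssl_matches 1.0.1i && echo "nginx: OpenSSL 1.0.1i ok"
    ldd "$(command -v nginx)" | nginx_is_static_ssl && echo "nginx: static OpenSSL"
    rpm -q --changelog openssl | changelog_covers_cves && echo "system openssl: 1.0.1i CVEs fixed"
fi
```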
  2. eva2000

  3. eva2000

     
  4. eva2000
