Nginx Updating OpenSSL 1.0.1j for Centmin Mod

Discussion in 'Install & Upgrades or Pre-Install Questions' started by eva2000, Oct 16, 2014.

Thread Status:
Not open for further replies.
  1. eva2000 (Administrator, Staff Member)
    The recent release of OpenSSL 1.0.1j fixes various security issues and bugs, including the POODLE SSLv3 attack vulnerability.

    How to update OpenSSL for 1.0.1j fixes?



    For Centmin Mod you need to do 2 updates:
    1. System OpenSSL update
    2. Nginx recompile with OPENSSL_VER='1.0.1j' specified in centmin.sh
    Centmin Mod Nginx doesn't use the system OpenSSL and is compiled statically; the check command below will return blank/nothing for Centmin Mod Nginx. There's a reason why Centmin Mod Nginx is compiled against a statically linked OpenSSL version.

    Code:
     ldd `which nginx` | grep ssl
    will come back empty for Centmin Mod Nginx based servers.

    System OpenSSL update

    Usually Red Hat and CentOS backport patches, so you will see something like OpenSSL 1.0.1e-XX where XX is the incremented release number containing the fixed patches. Will update this post once Red Hat/CentOS have an updated YUM package.

    CentOS has provided updated packages:
    • 1.0.1e-34.el7_0.6 for CentOS 7
    • 1.0.1e-30.el6_5.2 for CentOS 6
    on CentOS 7
    Code:
    yum clean all -q; yum list updates -q
    Updated Packages
    openssl.x86_64                                                               1:1.0.1e-34.el7_0.6                                                         updates
    openssl-devel.x86_64                                                         1:1.0.1e-34.el7_0.6                                                         updates
    
    on CentOS 6
    Code:
    yum clean all -q; yum list updates -q
    Updated Packages
    openssl.i686                                                                 1.0.1e-30.el6_5.2                                                           updates
    openssl-devel.i686                                                           1.0.1e-30.el6_5.2                                                           updates
    To update
    Code:
    yum -y update
    Note: after system update you need to reboot your server to ensure all services which use OpenSSL also use the updated version.

    Check the OpenSSL change log which has fixes dated for October, 2014

    For CentOS 7
    Code:
    rpm -qa --changelog openssl | head -n5
    * Wed Oct 15 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-34.6
    - fix CVE-2014-3567 - memory leak when handling session tickets
    - fix CVE-2014-3513 - memory leak in srtp support
    - add support for fallback SCSV to partially mitigate CVE-2014-3566
      (padding attack on SSL3)
    
    For CentOS 6
    Code:
    rpm -qa --changelog openssl | head -n5
    * Wed Oct 15 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-30.2
    - fix CVE-2014-3567 - memory leak when handling session tickets
    - fix CVE-2014-3513 - memory leak in srtp support
    - add support for fallback SCSV to partially mitigate CVE-2014-3566
      (padding attack on SSL3)
    

    Nginx recompile with OPENSSL_VER='1.0.1j'

    To do this, edit your centmin.sh file and

    change
    Code:
    OPENSSL_VER='1.0.1i'
    
    to
    Code:
    OPENSSL_VER='1.0.1j'
    
    Then save centmin.sh and run it:
    Code:
    ./centmin.sh
    
    1. select menu option #4 to upgrade/downgrade Nginx
    2. when prompted to select yes or no for YUM checks, select NO (really, the system OpenSSL update step above wouldn't be needed if you select yes to YUM checks here ;) )
    3. then when prompted specify Nginx version = 1.7.6
    4. For Centmin Mod .07 stable users, when prompted for OpenSSL recompile select YES. Centmin Mod .08+ beta changed it to auto recompile only if the OpenSSL version defined in centmin.sh differs from the statically compiled OpenSSL version of the running Nginx server. Centmin Mod .08 beta users can manually work around this by editing inc/nginx_upgrade.inc line 107 and setting it to recompileopenssl='y' before running centmin.sh menu option 4
    5. let Nginx recompile run to completion, it should say Nginx installed successfully
    6. Check if Nginx is compiled against 1.0.1j using the nginx -V command
    should see

     
    Last edited: Oct 17, 2014
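An added check script for the three things this post asks you to confirm (it is not code from the thread or from Centmin Mod itself): that nginx carries its own OpenSSL rather than linking the system one, which OpenSSL version `nginx -V` reports, and whether that matches OPENSSL_VER in centmin.sh, i.e. whether menu option 4 still has to be run. All `ldd`, `nginx -V` and centmin.sh inputs below are constructed samples shaped like the real output, and the centmin.sh path in the comment is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread or from Centmin Mod itself.
# Checks (1) whether nginx links the system OpenSSL or carries its own,
# (2) which OpenSSL version `nginx -V` reports, and (3) whether that matches
# OPENSSL_VER in centmin.sh, i.e. whether menu option 4 still has to be run.
#
# All inputs below are constructed samples shaped like the real output.
# On a server you would feed real output instead, for example:
#   LDD_OUT=$(ldd "$(which nginx)" || true)
#   NGINX_V_OUT=$(nginx -V 2>&1)            # nginx -V prints to stderr
#   CENTMIN_SH=$(cat /path/to/centmin.sh)   # placeholder path

# Constructed: ldd of a statically linked build (no libssl/libcrypto lines)
SAMPLE_LDD_STATIC='linux-vdso.so.1 =>  (0x00007fff8f5fe000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f2f2c1f8000)
libc.so.6 => /lib64/libc.so.6 (0x00007f2f2be64000)'

# Constructed: ldd of a build that uses the system OpenSSL instead
SAMPLE_LDD_DYNAMIC='libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f0b3c2a1000)
libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f0b3bebd000)'

# Constructed: nginx -V after the recompile described in the post
SAMPLE_NGINX_V_NEW='nginx version: nginx/1.7.6
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
TLS SNI support enabled
built with OpenSSL 1.0.1j 15 Oct 2014
configure arguments: --with-http_ssl_module --with-openssl=../openssl-1.0.1j'

# Constructed: an older build that only reveals the version via configure args
SAMPLE_NGINX_V_OLD='nginx version: nginx/1.7.5
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-openssl=../openssl-1.0.1i'

# Constructed centmin.sh fragments, before and after the edit from the post
SAMPLE_CENTMIN_OLD="NGINX_VERSION='1.7.5'
OPENSSL_VER='1.0.1i'"
SAMPLE_CENTMIN_NEW="NGINX_VERSION='1.7.6'
OPENSSL_VER='1.0.1j'"

# "static" when ldd shows no libssl/libcrypto dependency, "dynamic" otherwise.
# Only a dynamic build is fixed by a system OpenSSL update alone.
nginx_ssl_linkage() {
    if printf '%s\n' "$1" | grep -qiE 'libssl|libcrypto'; then
        echo dynamic
    else
        echo static
    fi
}

# Version from the "built with OpenSSL x.y.z" line of nginx -V; falls back to
# the --with-openssl=.../openssl-x.y.z configure argument on older builds.
# Only the bare version token is kept (a "-fips" suffix is dropped).
nginx_openssl_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' | head -n 1)
    if [ -z "$ver" ]; then
        ver=$(printf '%s\n' "$1" | sed -n 's/.*--with-openssl=[^ ]*openssl-\([0-9][0-9a-z.]*\).*/\1/p' | head -n 1)
    fi
    printf '%s\n' "$ver"
}

# Value of OPENSSL_VER='...' in centmin.sh
centmin_openssl_ver() {
    printf '%s\n' "$1" | sed -n "s/^OPENSSL_VER='\([^']*\)'.*/\1/p" | head -n 1
}

# Exit 0 when the running nginx already carries the OpenSSL that centmin.sh
# would build, 1 when a recompile (centmin.sh menu option 4) is still needed.
check_nginx_openssl() {
    want=$(centmin_openssl_ver "$1")
    have=$(nginx_openssl_version "$2")
    if [ -n "$want" ] && [ "$want" = "$have" ]; then
        echo "OK: nginx OpenSSL $have matches OPENSSL_VER='$want'"
        return 0
    fi
    echo "RECOMPILE: nginx has OpenSSL '${have:-unknown}', centmin.sh wants '${want:-unset}'"
    return 1
}

echo "linkage (static sample):  $(nginx_ssl_linkage "$SAMPLE_LDD_STATIC")"
echo "linkage (dynamic sample): $(nginx_ssl_linkage "$SAMPLE_LDD_DYNAMIC")"
check_nginx_openssl "$SAMPLE_CENTMIN_NEW" "$SAMPLE_NGINX_V_NEW" || :
check_nginx_openssl "$SAMPLE_CENTMIN_NEW" "$SAMPLE_NGINX_V_OLD" || :
```

The linkage check matters because it decides which of the two updates in this post actually changes what nginx runs: a dynamically linked nginx picks up the new system libssl after the yum update and a reboot, while the statically linked Centmin Mod build only changes when it is recompiled, whatever `rpm -q openssl` says.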
  2. eva2000 (Administrator, Staff Member)
    updates for CentOS are upon us

    CentOS 6.5 32bit
    Code:
    yum clean all -q; yum list updates -q
    Updated Packages
    openssl.i686                                                                 1.0.1e-30.el6_5.2                                                           updates
    openssl-devel.i686                                                           1.0.1e-30.el6_5.2                                                           updates
    CentOS 7.0 64bit
    Code:
    yum clean all -q; yum list updates -q
    Updated Packages
    openssl.x86_64                                                               1:1.0.1e-34.el7_0.6                                                         updates
    openssl-devel.x86_64                                                         1:1.0.1e-34.el7_0.6                                                         updates
    
     
    Last edited: Oct 17, 2014
  3. eva2000 (Administrator, Staff Member)
  4. eva2000 (Administrator, Staff Member)
    Note: updating to OpenSSL 1.0.1j isn't enough to prevent POODLE SSL 3.0 attacks and exploits, according to the Red Hat Security Blog analysis, as TLS_FALLBACK_SCSV support needs to be available on both the server and client (web browser) ends for it to work.
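Since the fallback SCSV only helps with clients that send it, the server-side step that does not depend on the client is to stop offering SSLv3 at all. The following added check (not from the thread or from Centmin Mod) scans nginx configuration text for `ssl_protocols` directives and reports whether SSLv3 is still offered, treating a missing directive as "default" because nginx releases before 1.9.1 defaulted to a protocol list that included SSLv3. The config fragments are constructed samples; the config paths in the comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Centmin Mod. Updating OpenSSL
# gives the server TLS_FALLBACK_SCSV, but a client that never sends the SCSV
# can still be downgraded to SSLv3. The server-side fix that does not rely on
# the client is to stop offering SSLv3; this reports whether an nginx config
# (passed as text) still does.
#
# On a real server the input would be the live config, for example:
#   CFG=$(cat /path/to/nginx.conf /path/to/conf.d/*.conf)   # placeholder paths

# Constructed config fragments
CFG_SSLV3='server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}'
CFG_HARDENED='server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}'
# Directive only present as a comment: nginx falls back to its built-in default
CFG_COMMENTED='server {
    listen 443 ssl;
    # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}'
# One hardened vhost and one that still offers SSLv3: the weak one wins
CFG_MIXED="$CFG_HARDENED
$CFG_SSLV3"

# Prints one of: ok, sslv3-offered, default. Exit 0 only for ok.
ssl_protocols_status() {
    # strip comments, keep only ssl_protocols directives
    dirs=$(printf '%s\n' "$1" | sed 's/#.*//' | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' || true)
    if [ -z "$dirs" ]; then
        # nginx before 1.9.1 defaulted to "SSLv3 TLSv1 TLSv1.1 TLSv1.2"
        echo default
        return 1
    fi
    if printf '%s\n' "$dirs" | grep -qE '[[:space:]]SSLv[23][[:space:];]'; then
        echo sslv3-offered
        return 1
    fi
    echo ok
    return 0
}

echo "SSLv3 sample:     $(ssl_protocols_status "$CFG_SSLV3")"
echo "hardened sample:  $(ssl_protocols_status "$CFG_HARDENED")"
echo "commented sample: $(ssl_protocols_status "$CFG_COMMENTED")"
echo "mixed sample:     $(ssl_protocols_status "$CFG_MIXED")"
```

A "default" result on an nginx older than 1.9.1 should be treated like "sslv3-offered": the absence of a directive is not the same as a hardened one, and an explicit `ssl_protocols` line without SSLv3 in every `server` block is what makes the result "ok".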
     
  5. eva2000 (Administrator, Staff Member)