
Nginx Updating OpenSSL 1.0.1K for Centmin Mod

Discussion in 'Install & Upgrades or Pre-Install Questions' started by eva2000, Jan 12, 2015.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    28,995
    6,579
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,769
    Local Time:
    7:51 PM
    Nginx 1.13.x
    MariaDB 5.5
    OpenSSL 1.0.1k was recently released to fix various security issues and bugs outlined at http://openssl.org/news/secadv_20150108.txt including:
    1. DTLS segmentation fault in dtls1_get_record (CVE-2014-3571 and Redhat)
    2. DTLS memory leak in dtls1_buffer_record (CVE-2015-0206 and Redhat)
    3. no-ssl3 configuration sets method to NULL (CVE-2014-3569 and Redhat - not vulnerable in Redhat/CentOS)
    4. ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572 and Redhat)
    5. RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204 and Redhat)
    6. DH client certificates accepted without verification [Server] (CVE-2015-0205 and Redhat)
    7. Certificate fingerprints can be modified (CVE-2014-8275 and Redhat)
    8. Bignum squaring may produce incorrect results (CVE-2014-3570 and Redhat)

    How to update OpenSSL for 1.0.1k fixes?



    For Centmin Mod you need to do 2 updates:
    1. System OpenSSL update for CentOS
    2. Nginx recompile with OPENSSL_VER='1.0.1k' specified in centmin.sh
    Centmin Mod Nginx doesn't use system OpenSSL and is compiled statically - the check command below will return blank/nothing for Centmin Mod Nginx. There's a reason why Centmin Mod Nginx is compiled against a statically linked OpenSSL version.

    Code:
     ldd `which nginx` | grep ssl
    will come back empty for Centmin Mod Nginx based servers.

    Note: for Nginx 1.7.9 updates you need to update your ngx_cache_purge version too - otherwise Nginx 1.7.9 installs will fail to compile properly. Details here.

    System OpenSSL update for CentOS



    Note: after system update you need to reboot your server to ensure all services which use OpenSSL also use the updated version.

    Usually Redhat and CentOS back port patches, so you will see something like OpenSSL 1.0.1e-XX where XX is an incremented release number with the fixes patched in. Will update this post once Redhat/CentOS have an updated YUM package.

    Also, sometimes Redhat or CentOS system versions won't be affected by the bugs/security issues listed for the OpenSSL source release. You have to read each CVE* listing on the Red Hat and CentOS bug trackers to see if they apply or not.

    Looks like Redhat and CentOS released system OpenSSL updates for these bugs on Jan 13-20th, 2015

    for Redhat/CentOS 6.x
    Code:
    openssl-1.0.1e-30.el6_6.5.i686.rpm       MD5: ecfb17f33168be074b5f88740dd5df81
    SHA-256: 56bae4fd15a7e32a17a7661dee08af40c56467b0c4155d7929b7e9acd9b7c195
    openssl-1.0.1e-30.el6_6.5.x86_64.rpm       MD5: 6e0391e53d054a2f14685b9d8292d14e
    SHA-256: dee49ceaf0cd4fe018c0257f034fc8d5bb0a504ebc94129b434f8b5fa21de0a6
    openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm       MD5: f34aed0ec780fc16b3eee10dc9e971fc
    SHA-256: c5dcb2c75d0081e3458575d4fc25be33c470eb6c6a6798e5f3214d55c5e6ef82
    openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm       MD5: f57b9544d88c911c2128c04605b1b1d4
    SHA-256: c0586962cd15600476d859bd81fa7399ef66ac71639ada7835d41677f5235d56
    openssl-devel-1.0.1e-30.el6_6.5.i686.rpm       MD5: d276e5a6a3d80380709133d79d2b6ecd
    SHA-256: 5c19d5d35082db040a6594c730324bf8b76225baa4e6aaf31a26cdd95624aa07
    openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm       MD5: 774e3519c8f89315540fb5ae813283b0
    SHA-256: 3090214f84aa3feb2ae44ddebb2dfd69eecfe439ecfcd16feb015f56535a8d12
    openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm       MD5: f91623ef7614a31e555f11f388965547
    SHA-256: 4f66b170e5905b468867ed2ce9b8c5446558b97ad1dce50e9b48507b7ad47338
    openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm       MD5: c7a490aa010da778b222bba1a089df41
    SHA-256: 8b95d1aac9a07c26d86d4af93c1f77d7e0c767c17800997f8d7fc306abacaf80
    
    for Redhat/CentOS 7.x
    Code:
    openssl-1.0.1e-34.el7_0.7.x86_64.rpm        MD5: 0039337b3ab2bff15acc5ce0bf73679f
    SHA-256: 3e0eacb4f5aa39123c777dd3c523c46d171d9d0675d32b7f75fd95c1b80a92e8
    openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm        MD5: 73a8003a1ae7ff630aca02e7f1e4456a
    SHA-256: 34a5880163532c7fe7166e19c4c6123d0f209c0b87118d89cf9a6f9148398fb5
    openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm        MD5: 0cd4d3406b03de401ddfea9b6ac3366a
    SHA-256: 40fa8f9efc46b7e3bd37f3abae2d09f0d7c17c877638cc0a280d83c468ef0956
    openssl-devel-1.0.1e-34.el7_0.7.i686.rpm        MD5: 5c4354b306cec9e0a4f043cb42e214ea
    SHA-256: e81989c0f56f04c3ace6aa82d2123f3db725ba57e834fc481cb34c8dae009b61
    openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm        MD5: 8c0427697ad0af02ccbcfbc6c47b71dd
    SHA-256: 00fac9282cff230ce7a2d785df90d4f46de5a6f465a2fd1af57c545c956267bb
    openssl-libs-1.0.1e-34.el7_0.7.i686.rpm        MD5: fb7156ed9b3607b0a2c365f9709bb27e
    SHA-256: 9a7be39ff35950127bba8399c8f6cde05c3eaf3e598f1104143fecf388ad418a
    openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm        MD5: c4a76cab9ccf77c5865434012e9d4355
    SHA-256: 14a375789373add530cd4ef7086bb3ff7b28166d79ef22c9fa9f58fc44b35587
    openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm        MD5: 96e8ab9c13c77ae76634500c93e5f139
    SHA-256: 45b3d50e97e52654e13dd1f9e89b825ad7344d7ca9b296e2f4abb865ddb079a6
    openssl-static-1.0.1e-34.el7_0.7.i686.rpm        MD5: 6099d2b4f0641d5652ec989c5c097bae
    SHA-256: 483d9582537f4158bbf3bced9923c041a4b2c7487998cd983144276c2f95ec85
    openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm        MD5: 80dfd9b5bbbe00278e7f4137dfdbb1c0
    SHA-256: 34e81c305c4e3f52ad185259297e09e8c8fff205c1cbeb6f666fe1358ad81e68
    On my CentOS 6.6 system
    Code:
    yum list openssl -q
    Installed Packages
    openssl.i686                                                             1.0.1e-30.el6_6.5                                                              @updates
    change log
    Code:
    rpm -ql --changelog openssl | head -n 10
    * Tue Jan 13 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-30.5
    - fix CVE-2014-3570 - incorrect computation in BN_sqr()
    - fix CVE-2014-3571 - possible crash in dtls1_get_record()
    - fix CVE-2014-3572 - possible downgrade of ECDH ciphersuite to non-PFS state
    - fix CVE-2014-8275 - various certificate fingerprint issues
    - fix CVE-2015-0204 - remove support for RSA ephemeral keys for non-export
      ciphersuites and on server
    - fix CVE-2015-0205 - do not allow unauthenticated client DH certificate
    - fix CVE-2015-0206 - possible memory leak when buffering DTLS records
    On my CentOS 7.0 system
    Code:
    yum list openssl -q
    Installed Packages
    openssl.x86_64                                                           1:1.0.1e-34.el7_0.6                                                            @updates
    Available Packages
    openssl.x86_64                                                           1:1.0.1e-34.el7_0.7                                                            updates
    
    change log
    Code:
    rpm -ql --changelog openssl | head -n 10
    * Tue Jan 13 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-34.7
    - fix CVE-2014-3570 - incorrect computation in BN_sqr()
    - fix CVE-2014-3571 - possible crash in dtls1_get_record()
    - fix CVE-2014-3572 - possible downgrade of ECDH ciphersuite to non-PFS state
    - fix CVE-2014-8275 - various certificate fingerprint issues
    - fix CVE-2015-0204 - remove support for RSA ephemeral keys for non-export
      ciphersuites and on server
    - fix CVE-2015-0205 - do not allow unauthenticated client DH certificate
    - fix CVE-2015-0206 - possible memory leak when buffering DTLS records
    
    To update
    Code:
    yum -y update
    Note: after system update you need to reboot your server to ensure all services which use OpenSSL also use the updated version.

    Nginx recompile with OPENSSL_VER='1.0.1k' (or 1.0.1l)



    Note: for Nginx 1.7.9 updates you need to update your ngx_cache_purge version too - otherwise Nginx 1.7.9 installs will fail to compile properly. Details here.


    To do this edit your centmin.sh file and

    change
    Code:
    OPENSSL_VER='1.0.1j'
    
    to
    Code:
    OPENSSL_VER='1.0.1k'
    
    or newer 1.0.1l
    Code:
    OPENSSL_VER='1.0.1l'
    
    or newer 1.0.2
    Code:
    OPENSSL_VER='1.0.2'
    
    Then save centmin.sh. Then run centmin.sh
    Code:
    ./centmin.sh
    
    1. select menu option #4 to upgrade/downgrade Nginx
    2. when prompted to select yes or no for YUM checks, select NO (really, the system OpenSSL update step above wouldn't be needed if you select yes to the YUM checks here ;) )
    3. then when prompted specify Nginx version = 1.7.9
    4. For Centmin Mod .07 stable users when prompted for OpenSSL recompile select YES. Centmin Mod .08+ beta changed it to auto recompile only if OpenSSL version defined in centmin.sh differed from the Nginx running server's statically compiled OpenSSL version. For Centmin Mod .08 beta users they can manually work around this by editing inc/nginx_upgrade.inc line 107 and setting it to recompileopenssl='y' before running centmin.sh menu option 4
    5. let Nginx recompile run to completion, it should say Nginx installed successfully
    6. Check if Nginx compiled against 1.0.1k using the nginx -V command
    should see

     
    Last edited: Jan 25, 2015
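    The post above gives the two update steps and a handful of manual checks (the ldd test, reading nginx -V, the reboot note after yum update, the RPM SHA-256 list). The script below is an added example, not Centmin Mod's own code, that turns those checks into small shell functions you can run after both steps. Every input it processes is a constructed sample embedded in the script (an ldd listing, an nginx -V listing, a centmin.sh fragment, a /proc/PID/maps excerpt, a stand-in file for an RPM); on a real host you would feed it the output of `ldd $(which nginx)`, `nginx -V 2>&1`, your centmin.sh and /proc/PID/maps instead. The "built with OpenSSL" line in nginx -V is only printed by newer nginx versions, so the version parser also falls back to the --with-openssl=../openssl-x.y.z configure argument that Centmin Mod builds use.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own code. Post-update audit helpers for the
# two steps in the post: the system OpenSSL update and the nginx recompile.
# All inputs below are constructed samples; on a real host feed in the output
# of `ldd $(which nginx)`, `nginx -V 2>&1`, centmin.sh and /proc/PID/maps.

# Step 2 check: Centmin Mod's nginx is statically linked, so ldd shows no
# libssl line at all. Prints "static" or "dynamic" for a captured ldd listing.
ssl_link_mode() {
    if printf '%s\n' "$1" | grep -q 'libssl\.so'; then echo dynamic; else echo static; fi
}

# Step 2 check: which OpenSSL nginx was compiled in. Newer nginx prints a
# "built with OpenSSL x.y.z" line; older builds only reveal it through
# --with-openssl=../openssl-x.y.z in the configure arguments, so try both.
openssl_ver_from_nginx_v() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p' | head -n 1)
    if [ -z "$ver" ]; then
        ver=$(printf '%s\n' "$1" |
              sed -n 's/.*--with-openssl=[^ ]*openssl-\([0-9][0-9a-z.]*\).*/\1/p' | head -n 1)
    fi
    printf '%s\n' "$ver"
}

# Read OPENSSL_VER='...' from a centmin.sh-style file (first match wins).
openssl_ver_from_centmin() {
    sed -n "s/^OPENSSL_VER='\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Returns 0 when the running binary carries the version centmin.sh asks for.
nginx_matches_centmin() {
    want=$(openssl_ver_from_centmin "$1")
    have=$(openssl_ver_from_nginx_v "$2")
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Step 1 check: verify a downloaded RPM against the SHA-256 from the advisory
# before installing it ($1 = file, $2 = expected hex digest).
verify_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$1" | awk '{print $1}')
    fi
    [ "$actual" = "$2" ]
}

# Step 1 caveat: after `yum update`, a process started before the update still
# has the old libssl/libcrypto mapped and the kernel marks those mappings
# "(deleted)"; until it is restarted (or the box rebooted, as the post says)
# it keeps running the vulnerable code. Prints the deleted SSL library paths
# found in one /proc/PID/maps listing.
stale_ssl_libs() {
    printf '%s\n' "$1" | grep -E 'lib(ssl|crypto)[^ ]* \(deleted\)' | awk '{print $6}' | sort -u
}

# Live version of the above over every readable process (root sees all).
scan_procs_for_stale_ssl() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        found=$(stale_ssl_libs "$(cat "$maps" 2>/dev/null)")
        if [ -n "$found" ]; then printf '%s still maps: %s\n' "$pid" "$found"; fi
    done
}

# --- constructed samples ---------------------------------------------------
SAMPLE_LDD_DYNAMIC='    libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f0a1c000000)
    libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f0a1bc00000)'
SAMPLE_LDD_STATIC=''   # what Centmin Mod's nginx gives for `ldd ... | grep ssl`
SAMPLE_NGINX_V='nginx version: nginx/1.7.9
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC)
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-openssl=../openssl-1.0.1k --with-openssl-opt=enable-tlsext'
SAMPLE_MAPS='7f3a1c000000-7f3a1c1c8000 r-xp 00000000 fd:01 131074 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3a1c3c8000-7f3a1c430000 r-xp 00000000 fd:01 131076 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1c630000-7f3a1c7b0000 r-xp 00000000 fd:01 131090 /usr/lib64/libc-2.12.so'

TMP_CENTMIN=$(mktemp); TMP_RPM=$(mktemp)
trap 'rm -f "$TMP_CENTMIN" "$TMP_RPM"' EXIT
printf '%s\n' "# constructed centmin.sh fragment" "OPENSSL_VER='1.0.1k'" > "$TMP_CENTMIN"
printf 'abc' > "$TMP_RPM"   # stand-in for a downloaded RPM; SHA-256("abc") is a known value
ABC_SHA256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

echo "nginx linkage:      $(ssl_link_mode "$SAMPLE_LDD_STATIC") (dynamic sample: $(ssl_link_mode "$SAMPLE_LDD_DYNAMIC"))"
echo "nginx OpenSSL:      $(openssl_ver_from_nginx_v "$SAMPLE_NGINX_V")"
if nginx_matches_centmin "$TMP_CENTMIN" "$SAMPLE_NGINX_V"; then echo "centmin.sh match:   yes"; else echo "centmin.sh match:   NO - rerun menu option 4"; fi
if verify_sha256 "$TMP_RPM" "$ABC_SHA256"; then echo "rpm checksum:       ok"; else echo "rpm checksum:       MISMATCH"; fi
echo "stale libs in maps: $(stale_ssl_libs "$SAMPLE_MAPS" | tr '\n' ' ')"
```

    The stale-mapping check is the one most worth keeping around: yum replaces the library files on disk, but nginx, sshd, MariaDB and anything else already running keep the old copies mapped until restarted, which is exactly why the post says to reboot after the system update. Call scan_procs_for_stale_ssl as root on a live box to list the PIDs that still need a restart.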
  2. eva2000

    Already updated my Centmin Mod .08 beta servers with a special OpenSSL 1.0.2 beta patched for chacha20_poly1305 ciphers + the Cloudflare RC4 patch + the above security fixes related to OpenSSL 1.0.1k. For example, my sslspdy.com server running Centmin Mod .08 beta:

    Code:
    --------------------------------------------------------
    Centmin Mod 1.2.3-eva2000.08 - http://centminmod.com
    --------------------------------------------------------
                       Centmin Mod Menu                  
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB 5.2, 5.5, 10 Upgrade Sub-Menu
    12). Zend OpCache Install/Re-install
    13). Install ioping.sh vbtechsupport.com/1239/
    14). SELinux disable
    15). Install/Re-install ImageMagick PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2,p7zip etc
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Re-install
    21). Update - Nginx + PHP-FPM + Siege
    22). Exit
    --------------------------------------------------------
    Enter option [ 1 - 22 ] 4
    --------------------------------------------------------
    Also updated Centmin Mod .08 beta build with OpenSSL 1.0.1k
     
  3. eva2000

  4. eva2000
  5. eva2000

    Last edited: Jan 24, 2015