OpenSSL 1.0.1 系列（1.0.1 至 1.0.1f，以及 1.0.2-beta1）含有 Heartbleed 漏洞（CVE-2014-0160）：攻击者可通过畸形的 TLS 心跳请求读取服务器进程内存（每次最多约 64KB），可能泄露私钥、会话密钥和用户凭据；该漏洞公开时影响了约三分之二的活跃网站，1.0.1g 及以后版本已修复，所以需要对 openssl 进行升级。注意：RHEL/CentOS 等发行版会在不改版本号的情况下回补安全补丁，`openssl version` 显示 1.0.1e 并不一定表示有漏洞，应先用 `rpm -q --changelog openssl | grep CVE-2014-0160` 确认；若系统仓库已提供修复包，优先 `yum update openssl` 并重启相关服务，而不是手工源码编译（源码安装的 openssl 以后不会随系统自动获得安全更新，需要自己跟进）。
Nginx: http://nginx.org
OpenSSL: https://www.openssl.org
一、先在测试环境进行充分测试，再在生产环境执行；操作前备份 nginx 二进制、配置和证书私钥。另外本文只解决 nginx 所链接的 OpenSSL，系统中其它使用 /lib64/libssl.so.10、libcrypto.so.10 的程序不受影响，仍需通过系统补丁修复。Heartbleed 的完整处置还应包括升级后重新签发证书并吊销旧证书、使已有会话失效，因为私钥在升级前可能已经泄露。
# openssl version #当前系统版本过旧。若决定源码升级，应选择官方仍在维护的稳定分支（1.0.2 及以上）；注意 1.1.0 相对 1.0.x 有 API 变化，其它依赖 openssl 头文件编译的软件可能需要适配
OpenSSL 1.0.1e-fips 11 Feb 2013
# /usr/local/nginx/sbin/nginx -V #查看当前nginx版本
nginx version: nginx/1.10.3
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/usr/local/nginx --http-log-path=/home/logs/access.log --error-log-path=/home/logs/error.log --with-http_stub_status_module --with-http_ssl_module --with-http_flv_module --with-http_gzip_static_module --with-mail --with-mail_ssl_module
二、从官方下载最新版本的 openssl 库（下载后核对官方公布的 SHA256 值或 GPG 签名，确认压缩包未被篡改）
1、下载并编译安装
# wget https://www.openssl.org/source/openssl-1.1.0f.tar.gz   #旧版本现已移到 source/old/1.1.0/ 目录下；同时下载对应的 .sha256 / .asc 文件进行校验
# tar -zxvf openssl-1.1.0f.tar.gz
# cd openssl-1.1.0f/
# ./config shared zlib-dynamic --prefix=/usr/local/ssl #shared 表示同时生成动态库 .so（静态库 .a 仍会生成，后面 5.2 静态链接用的就是它）。zlib-dynamic 并不是"编译成动态库"，而是启用 zlib 压缩支持并在运行时动态加载 libz；TLS 层压缩存在 CRIME 类风险（nginx 默认也会关闭 TLS 压缩），若无明确需要建议去掉该参数
# make
# make install
2、移除原openssl（注意 /usr/bin/openssl 和 /usr/include/openssl 是系统 rpm 管理的文件，之后 yum 更新 openssl 包时可能覆盖这里的改动；改动后其它依赖 openssl 头文件编译的软件也会改用 1.1.0 的头文件）
重命名原来的openssl命令
# mv /usr/bin/openssl{,.old}
重命名原来的openssl头文件目录（对应第 3 步要创建的 /usr/include/openssl 软链接）
# mv /usr/include/openssl{,.old}
3、创建软链接
将安装好的openssl 的openssl命令软连到/usr/bin/openssl
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
将安装好的openssl 的openssl目录软连到/usr/include/openssl
# ln -s /usr/local/ssl/include/openssl /usr/include/openssl
查看新安装的 openssl 动态库版本是否为 1.1.0f（库文件在 --prefix 指定的 /usr/local/ssl/lib 下，1.1.0 的文件名为 libssl.so.1.1，而不是 /usr/local/lib64；也可以直接执行 /usr/local/ssl/bin/openssl version 确认）
# strings /usr/local/ssl/lib/libssl.so.1.1 |grep OpenSSL
OpenSSL 1.1.0f 25 May 2017
4、在/etc/ld.so.conf文件中写入新 openssl 库文件的搜索路径（更规范的做法是单独写到 /etc/ld.so.conf.d/openssl-1.1.conf，避免改动主文件）
# echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
刷新动态库缓存使修改生效（-v 只是打印详细信息，可省略）。注意新库的 soname 是 libssl.so.1.1 / libcrypto.so.1.1，与系统自带的 libssl.so.10 并不同名，ldconfig 之后已有程序不会自动改用新库
# ldconfig -v
# openssl version
OpenSSL 1.1.0f 25 May 2017
5、查看相关依赖库
# ll /usr/lib64/libssl*
-rwxr-xr-x. 1 root root 272536 Nov 20 2015 /usr/lib64/libssl3.so
-rw-r--r--. 1 root root 764572 Feb 20 22:41 /usr/lib64/libssl.a
lrwxrwxrwx. 1 root root 16 Jul 25 19:25 /usr/lib64/libssl.so -> libssl.so.1.0.1e
-rwxr-xr-x. 1 root root 340832 Mar 9 2016 /usr/lib64/libssl.so.0.9.8e
lrwxrwxrwx. 1 root root 16 Jul 25 19:24 /usr/lib64/libssl.so.10 -> libssl.so.1.0.1e
-rwxr-xr-x. 1 root root 454008 Feb 20 22:41 /usr/lib64/libssl.so.1.0.1e
lrwxrwxrwx. 1 root root 16 Jul 25 19:25 /usr/lib64/libssl.so.6 -> libssl.so.0.9.8e
查看依赖库
# ldd /usr/local/nginx/sbin/nginx
linux-vdso.so.1 => (0x00007ffd29d76000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f4a14612000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f4a143f6000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f4a141be000)
libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f4a13f5d000)
libssl.so.10 => /lib64/libssl.so.10 (0x00007f4a13cef000)
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f4a13904000)
libz.so.1 => /lib64/libz.so.1 (0x00007f4a136ee000)
libc.so.6 => /lib64/libc.so.6 (0x00007f4a1332d000)
/lib64/ld-linux-x86-64.so.2 (0x00007f4a1481f000)
libfreebl3.so => /lib64/libfreebl3.so (0x00007f4a13129000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f4a12edb000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f4a12bf4000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f4a129ef000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f4a127bd000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f4a125ae000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f4a123a9000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f4a1218f000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f4a11f68000)
查看nginx的编译参数：参数中没有 --with-openssl 时 nginx 是动态链接系统 libssl/libcrypto 的，有则是把 OpenSSL 源码静态编译进去的。但动态链接并不意味着会自动用上新库，要以上面 ldd 中 libssl/libcrypto 实际解析到的路径为准
# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.10.3
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/usr/local/nginx --http-log-path=/home/logs/access.log --error-log-path=/home/logs/error.log --with-http_stub_status_module --with-http_ssl_module --with-http_flv_module --with-http_gzip_static_module --with-mail --with-mail_ssl_module
5.1 如果 nginx 是动态链接 ssl 的，先确认 ldd 输出中的 libssl/libcrypto 确实指向新库，再完整重启 nginx。注意上面 ldd 的结果是 libssl.so.10 => /lib64/libssl.so.10，仍然是系统自带的 1.0.1e；新装的 1.1.0 的 soname 为 libssl.so.1.1，二者不会相互替代，所以本例中只重启 nginx 并不能修复漏洞，必须按 5.2 重新编译，或者用 yum 更新系统 openssl 包。另外 `nginx -s reload` 只是重新 fork worker，不会重新加载共享库，要换库必须完整停止再启动（或用 USR2 信号做二进制热升级）。
# /usr/local/nginx/sbin/nginx -s quit   #优雅退出，等现有连接处理完；killall nginx 会直接 TERM 掉进程，中断正在处理的连接
# /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
# pgrep -a nginx
# grep libssl /proc/$(pgrep -o nginx)/maps   #确认进程实际映射的 libssl 已是新版本
===============================================================
5.2 如果为静态链接（或像本例这样动态链接却仍指向旧库），则重新编译。nginx 的 --with-openssl 本意是指向 OpenSSL 源码目录，由 nginx 自行编译到 $OPENSSL/.openssl/ 下；这里指向的是已经安装好的 /usr/local/ssl，所以要把 auto/lib/openssl/conf 中的 .openssl/ 路径去掉。另一种不用改 nginx 源码的做法是不传 --with-openssl，改用 --with-cc-opt="-I/usr/local/ssl/include" --with-ld-opt="-L/usr/local/ssl/lib -Wl,-rpath,/usr/local/ssl/lib" 动态链接到新库。现在的这个版本是采用下面的方式重新安装的
# cd /data/tools/nginx-1.10.3
修改去掉.openssl/（下面注释掉的 5 行是原内容，其后 5 行是改后内容）
# vim auto/lib/openssl/conf
# CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
# CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
# CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
# CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
# CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
CORE_INCS="$CORE_INCS $OPENSSL/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"
CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
# ./configure --user=www --group=www --prefix=/usr/local/nginx --http-log-path=/home/logs/access.log --error-log-path=/home/logs/error.log --with-http_stub_status_module --with-http_ssl_module --with-openssl=/usr/local/ssl --with-http_flv_module --with-http_gzip_static_module --with-mail --with-mail_ssl_module
# make && make install   #make install 会把旧的 sbin/nginx 改名为 nginx.old 并放入新二进制，但正在运行的进程仍是旧的
随后必须完整重启 nginx（停止后再启动，或用 USR2 热升级），新二进制和新库才会生效；重启后再用 -V 核对
# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.10.3
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
built with OpenSSL 1.1.0f 25 May 2017
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/usr/local/nginx --http-log-path=/home/logs/access.log --error-log-path=/home/logs/error.log --with-http_stub_status_module --with-http_ssl_module --with-openssl=/usr/local/ssl --with-http_flv_module --with-http_gzip_static_module --with-mail --with-mail_ssl_module