Linux Fix OpenSSL vulnerability

Source: Internet
Author: User
Tags: openssl, version, ssllabs

Many company websites now use HTTPS encryption. Not long ago my site was flagged with a vulnerability by WoSign's scanner at https://wosign.ssllabs.com/ (that is the site that performs the scan). To find out what the impact of this vulnerability is, search Baidu for the vulnerability's keyword.

I. The vulnerability

[Screenshot: 1.png]

II. The official way to fix the vulnerability is to update the OpenSSL version, as shown:

[Screenshot: 2.png]

III. The overall process of repairing the vulnerability:

1. Update the OpenSSL version first. The version I updated to is openssl-1.0.1t.

2. Recompile the web server, compiling OpenSSL into it by pointing the build at the OpenSSL source directory; then change the nginx.conf configuration file and restart the web server. My web server is Tengine.

IV. Specific repair process:

  1. Update the OpenSSL version. Below are the specific commands, which I have tested; you can use them directly.

   wget https://www.openssl.org/source/openssl-1.0.1t.tar.gz   # download the OpenSSL source package
   tar zxvf openssl-1.0.1t.tar.gz                               # unpack the package
   cd openssl-1.0.1t                                            # enter the openssl directory
   ./config
   make && make install                                         # build and install
   mv /usr/bin/openssl /usr/bin/openssl.bak
   mv /usr/include/openssl /usr/include/openssl.bak
   ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
   ln -s /usr/local/ssl/include/openssl /usr/include/openssl
   echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
   ldconfig -v
   openssl version -a                                           # show the OpenSSL information; the output will look like this:

   OpenSSL 1.0.1t  3 May 2016
   built on: Tue Sep 20 23:10:08 2016
   platform: linux-x86_64
   options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
   compiler: gcc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2M -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
   OPENSSLDIR: "/usr/local/openssl/ssl"

   The OpenSSL version update is now complete.

2. Recompile the web server and change the configuration file

(This step requires a backup. The backup commands are:
   1. cp /usr/sbin/nginx /usr/sbin/nginx.bak
   2. cp -r /usr/local/nginx /usr/local/nginx.bak
   3. cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
Note: these are my backup commands; every server environment differs, so the directories will be different. Find your own directories and back them up.)

   tar zxvf tengine-1.4.6.tar.gz   # unpack the tengine-1.4.6.tar.gz package; if you do not have it, download it from the official website
   cd tengine-1.4.6
   ./configure --prefix=/usr/local/nginx --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/sbin/nginx \
       --with-http_ssl_module --with-http_realip_module \
       --with-http_addition_module --with-http_image_filter_module --with-http_sub_module \
       --with-http_dav_module --with-http_flv_module --with-http_mp4_module \
       --with-http_gzip_static_module --with-http_concat_module \
       --with-http_random_index_module --with-http_secure_link_module \
       --with-http_degradation_module --with-http_sysguard_module \
       --with-backtrace_module --with-http_stub_status_module \
       --with-http_upstream_check_module --with-google_perftools_module \
       --with-openssl=/d20141212/temp/openssl-1.0.1t
       # --with-openssl is the line that is required; the directory is the OpenSSL source directory that was just built.
       # This configure command is taken from my production environment; use it as a reference when writing your own.
   make && make install   # make install is safe here because all the modules were already specified at ./configure time,
                          # so there is no fear that modules will disappear after make install.
   vim /etc/nginx/nginx.conf   # edit your configuration file and add these two lines to nginx.conf:
       ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
       ssl_ciphers ECDH:AESGCM:HIGH:!RC4:!DH:!MD5:!aNULL:!eNULL;
   Restart the web server after saving, i.e. start nginx again.
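The steps above compile OpenSSL statically into the web server, which means that `openssl version -a` on the command line only proves the system tool was updated; the server binary has to be checked separately with `nginx -V`. The following verification script is an added example, not part of the original post. It assumes that `nginx -V` (Tengine prints the same format) writes a line of the form `built with OpenSSL <version> <date>`; the sample `nginx -V` output and the two nginx.conf fragments are constructed for the demonstration.

```shell
#!/bin/sh
# Added verification script (not from the original post). After the rebuild it checks:
#   1. the web server binary was really built against the expected OpenSSL version
#      (the system `openssl version` says nothing about a statically linked server);
#   2. the ssl_protocols / ssl_ciphers lines in nginx.conf exclude SSLv2/SSLv3 and RC4.
# The sample `nginx -V` output and config fragments below are constructed, not real.

EXPECTED_OPENSSL="1.0.1t"

# Print the version from a "built with OpenSSL <ver> <date>" line read on stdin.
# Assumes the line format that `nginx -V` prints.
built_with_openssl() {
    sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p' | head -n 1
}

# Succeed only when the server was built with exactly EXPECTED_OPENSSL.
# Usage on a real host: nginx -V 2>&1 | check_server_openssl
check_server_openssl() {
    ver=$(built_with_openssl)
    [ -n "$ver" ] && [ "$ver" = "$EXPECTED_OPENSSL" ]
}

# Succeed only when the config on stdin sets ssl_protocols without SSLv2/SSLv3
# and sets ssl_ciphers with an explicit !RC4 exclusion.
# Usage on a real host: check_tls_config < /etc/nginx/nginx.conf
check_tls_config() {
    conf=$(cat)
    protos=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]][[:space:]]*\(.*\);.*/\1/p' | head -n 1)
    ciphers=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]][[:space:]]*\(.*\);.*/\1/p' | head -n 1)
    [ -n "$protos" ] || return 1
    [ -n "$ciphers" ] || return 1
    case " $protos " in
        *" SSLv2 "*|*" SSLv3 "*) return 1 ;;
    esac
    case "$ciphers" in
        *'!RC4'*) return 0 ;;
    esac
    return 1
}

# Constructed sample of `nginx -V 2>&1` output after the rebuild.
SAMPLE_NGINX_V='nginx version: Tengine/1.4.6
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --with-openssl=/path/to/openssl-1.0.1t
built with OpenSSL 1.0.1t 3 May 2016'

# Constructed nginx.conf fragment containing the two lines the post adds.
SAMPLE_CONF='server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH:AESGCM:HIGH:!RC4:!DH:!MD5:!aNULL:!eNULL;
}'

# Constructed fragment that still allows SSLv3 and does not exclude RC4.
SAMPLE_WEAK_CONF='server {
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers HIGH:MEDIUM;
}'

# report <label> <command...>: print PASS/FAIL for a check without aborting the script.
report() {
    label=$1; shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}

printf '%s\n' "$SAMPLE_NGINX_V"   | report "server built with OpenSSL $EXPECTED_OPENSSL" check_server_openssl
printf '%s\n' "$SAMPLE_CONF"      | report "hardened config"                            check_tls_config
printf '%s\n' "$SAMPLE_WEAK_CONF" | report "weak config (expected to fail)"             check_tls_config
```

On a real host, replace the constructed samples with `nginx -V 2>&1 | check_server_openssl` and `check_tls_config < /etc/nginx/nginx.conf`; a FAIL on the first check means the running binary is still the old one (for example because `make install` wrote to a different `--sbin-path` than the one in service), which is exactly the case a re-scan at the ssllabs address would also catch.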

At this point the OpenSSL vulnerability has been repaired. You can re-scan at https://wosign.ssllabs.com/ to verify.

If you have any questions, leave a comment.

This article is from the "Cheng Xiao Bai" blog; reprinting declined!
