A detailed explanation of the OpenSSL upgrade method on Linux/CentOS

Source: Internet
Author: User
Tags install openssl openssl openssl library openssl version centos


Related software download addresses
Apache: http://httpd.apache.org/
Nginx: http://nginx.org/en/download.html
OpenSSL: http://www.openssl.org/
Attachment: openssl-poc
Appendix description
poc.py: PoC script for testing the vulnerability
showssl.pl: script for detecting the OpenSSL dynamic library version
Steps to install OpenSSL



Because operating environments differ, the following procedure is for reference only. OpenSSL is a system-level library that many applications depend on, and environments vary, so test the whole procedure in a test environment first.
Download the latest version of the OpenSSL library from the official site
wget https://www.openssl.org/source/openssl-1.0.1g.tar.gz
Unpack the downloaded OpenSSL archive
tar -zxvf openssl-1.0.1g.tar.gz
Enter the unpacked OpenSSL directory
cd openssl-1.0.1g
Run the config script in that directory. The OpenSSL installation directory defaults to /usr/local/ssl (paths may differ between system environments; the same applies below). Be sure to add the shared and zlib-dynamic parameters so that OpenSSL is built as a dynamic library


The code is as follows
./config shared zlib-dynamic
After config finishes, run the make command
make
After make finishes, run make install to install OpenSSL
make install
Rename the original openssl command
mv /usr/bin/openssl /usr/bin/openssl.old
Rename the original OpenSSL header directory
mv /usr/include/openssl /usr/include/openssl.old
Symlink the newly installed openssl command to /usr/bin/openssl
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
Symlink the newly installed OpenSSL header directory to /usr/include/openssl
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
Point the system's own OpenSSL library files, such as /usr/local/lib64/libssl.so (depends on the machine environment), at the upgraded libssl.so
ln -s /usr/local/ssl/lib/libssl.so /usr/local/lib64/libssl.so
Run the following command to check that the library OpenSSL depends on is now version 1.0.1g:
strings /usr/local/lib64/libssl.so | grep OpenSSL
Add the search path of the OpenSSL library files to the /etc/ld.so.conf file
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
Make the modified /etc/ld.so.conf take effect
ldconfig -v
Check that the OpenSSL version is now the upgraded one
openssl version
Update the OpenSSL dependency library for the web server
If the web server loaded OpenSSL at compile time, it must be restarted or recompiled. A web server can be built against OpenSSL in two ways, dynamically or statically linked, so the specific procedure differs.
Two ways to determine whether the web server links SSL dynamically




Viewing dependent libraries with the ldd command
Run ldd on the web server binary to list the libraries it depends on. If libssl.so appears in the output, SSL is dynamically linked (first screenshot, not reproduced here); if it does not, SSL is statically linked (second screenshot, not reproduced here).


View the compilation parameters
For example, run /usr/sbin/nginx -V to view the compilation parameters of Nginx: if the --with-openssl parameter is absent, SSL is dynamically linked; otherwise it is statically linked (screenshot not reproduced here).
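The two checks above applied to captured command output, so they can be scripted instead of read off a screenshot. This is an added example, not from the original article; the ldd and nginx -V outputs in it are constructed samples.

```sh
#!/bin/sh
# Added example (not from the original article): apply the article's two checks
# for how a web server links OpenSSL to captured command output, so they can be
# scripted across many hosts. Sample outputs below are constructed, not real.

# Reads ldd output on stdin. A libssl shared object in the list means OpenSSL
# is dynamically linked and a service restart picks up the new library.
link_mode_from_ldd() {
    if grep -q 'libssl\.so'; then
        echo dynamic
    else
        echo static
    fi
}

# Reads "nginx -V" output on stdin. --with-openssl=... means OpenSSL was
# compiled in statically and the binary must be rebuilt.
link_mode_from_configure_args() {
    if grep -q -- '--with-openssl='; then
        echo static
    else
        echo dynamic
    fi
}

# Constructed ldd output: binary loading the upgraded shared libssl.
SAMPLE_LDD_DYNAMIC='linux-vdso.so.1 =>  (0x00007fff5a3ff000)
libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f1c2c9b0000)
libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f1c2c5d0000)
libc.so.6 => /lib64/libc.so.6 (0x00007f1c2c230000)'

# Constructed ldd output: binary with OpenSSL compiled in (no libssl line).
SAMPLE_LDD_STATIC='linux-vdso.so.1 =>  (0x00007fff5a3ff000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f1c2c9b0000)
libc.so.6 => /lib64/libc.so.6 (0x00007f1c2c230000)'

# Constructed "nginx -V" configure-arguments line for a static build.
SAMPLE_NGINX_V='configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --with-openssl=/usr/local/ssl'

echo "ldd (dynamic sample): $(printf '%s\n' "$SAMPLE_LDD_DYNAMIC" | link_mode_from_ldd)"
echo "ldd (static sample):  $(printf '%s\n' "$SAMPLE_LDD_STATIC" | link_mode_from_ldd)"
echo "nginx -V sample:      $(printf '%s\n' "$SAMPLE_NGINX_V" | link_mode_from_configure_args)"
```

On a real host, pipe `ldd /usr/sbin/nginx` or `/usr/sbin/nginx -V 2>&1` into the matching function instead of the samples.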


Update the OpenSSL library
a) If the web server links SSL dynamically, simply restart the corresponding service (Apache, Nginx, etc.).
b) If the web server links SSL statically, update it using one of the following methods:
Apache with statically linked SSL:
Reinstall Apache from source with SSL statically linked:
When running Apache's configure script, in addition to the parameters your deployment needs, specify static SSL linking


The code is as follows
./configure --enable-ssl=static --with-ssl=/usr/local/ssl
(/usr/local/ssl is the OpenSSL installation path)


Install Apache


The code is as follows
make && make install


Restore the original Apache configuration and restart the service
Nginx with statically linked SSL:
Reinstall Nginx from source with SSL statically linked:
When running Nginx's configure script, in addition to the parameters your deployment needs, specify static SSL linking; the --with-openssl parameter indicates that SSL is statically compiled


The code is as follows
./configure --with-http_ssl_module --with-openssl=/usr/local/ssl
(/usr/local/ssl is the OpenSSL installation path)


Install Nginx


The code is as follows
make && make install


Restore the original Nginx configuration and restart the service
If other software uses OpenSSL, refer to the Apache and Nginx approaches.
Test whether the vulnerability exists
Use the attached poc.py to check for the vulnerability, following the script's prompts.
For example:
To test whether https://192.168.0.1 is vulnerable, run the following command


The code is as follows
python poc.py -p 443,8443 192.168.0.1


Detect the version of the dynamic library libssl.so
Detect the libssl.so version used by running processes
Run the attached showssl.pl check script. If it prints nothing, or prints no OpenSSL version, the upgrade succeeded; if the output contains "unknown", check whether that libssl.so.1.0.0 is an affected version.
(see the attachment for details)


The code is as follows
#!/usr/bin/perl -w
use strict;

# List every running process that has a libssl shared object mapped, as
# "command pid path" (lsof columns 1, 2 and the last column), one entry per
# process/library pair. The awk fields are escaped so Perl does not interpolate them.
my @listInfo = `lsof | grep libssl | awk '{print \$1" "\$2" "\$NF}' | sort -u`;
foreach my $info (@listInfo)
{
    chomp $info;
    my ($procName, $procPid, $libPath) = split(/\s+/, $info);
    next if (!defined($procName) || !defined($procPid) || !defined($libPath));
    # Pull the "OpenSSL x.y.z" version banner out of the mapped library.
    my $version = `strings $libPath | grep -E '^OpenSSL [0-9]+\\.[0-9]+' | head -n 1`;
    chomp $version;
    # Report processes still using an affected 1.0.1 release (1.0.1 through 1.0.1f).
    # The negative lookahead keeps 1.0.1g and later from matching.
    if ($version =~ /\s*OpenSSL\s*1\.0\.1[a-f]?(?![0-9a-z])/)
    {
        print "$procName($procPid): $libPath ($version)\n";
    }
}


Detect the libssl.so version used by the system
Run the command:


The code is as follows
strings /usr/local/lib64/libssl.so | grep OpenSSL


to see whether the OpenSSL dependency library version is 1.0.1g
Note: the path /usr/local/lib64/libssl.so is for reference only and depends on the specific machine environment; see the upgrade steps above.
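The version check used in the upgrade steps and again here, turned into a script: it extracts the "OpenSSL x.y.z" banner from strings output and classifies it against the 1.0.1 through 1.0.1f range that showssl.pl looks for. This is an added example, not from the original article; the strings output it processes is constructed.

```sh
#!/bin/sh
# Added example (not from the original article): classify the OpenSSL version
# banner found in a libssl.so. The affected range the article's showssl.pl
# looks for is 1.0.1 through 1.0.1f; 1.0.1g is the fixed release installed above.
# Sample strings output below is constructed, not read from a real library.

# Reads strings output on stdin and prints the first "OpenSSL x.y.z[letter]"
# version token, skipping symbol names such as OpenSSLDie that also contain "OpenSSL".
openssl_version_from_strings() {
    sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*/\1/p' | head -n 1
}

# Prints "affected" for 1.0.1 up to 1.0.1f, "fixed" for 1.0.1g or a later 1.0.1
# letter release, and "other" for any other branch, which this procedure does
# not cover and must be assessed separately.
classify_openssl_version() {
    case "$1" in
        1.0.1)        echo affected ;;
        1.0.1[a-f])   echo affected ;;
        1.0.1[g-z]*)  echo fixed ;;
        *)            echo other ;;
    esac
}

# Runs the check against a real library path, e.g. /usr/local/lib64/libssl.so.
check_libssl() {
    ver=$(strings "$1" | openssl_version_from_strings)
    [ -n "$ver" ] || { echo "$1: no OpenSSL version string found"; return 2; }
    echo "$1: OpenSSL $ver ($(classify_openssl_version "$ver"))"
}

# Constructed strings output from an unpatched and from an upgraded library.
SAMPLE_OLD='OpenSSL 1.0.1e 11 Feb 2013
OpenSSLDie
SSLv3 part of OpenSSL 1.0.1e 11 Feb 2013'
SAMPLE_NEW='OpenSSL 1.0.1g 7 Apr 2014
OpenSSLDie'

for s in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    v=$(printf '%s\n' "$s" | openssl_version_from_strings)
    echo "sample: OpenSSL $v -> $(classify_openssl_version "$v")"
done
```

On a real host call `check_libssl /usr/local/lib64/libssl.so` (or whatever path your ldd output shows) after the upgrade.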

