Description of the OpenSSL upgrade method in the "Turn" Linux/centos

Related software
apache:http://httpd.apache.org/
Nginx:http://nginx.org/en/download.html
openssl:http://www.openssl.org/
Openssl-poc
Annex Description
poc.py: Exploit test POC script
Showssl.pl:OpenSSL Dynamic Library Version detection script
Installing the OpenSSL step

Due to different operating environments, the following procedures are for informational purposes only. OpenSSL belongs to the system application, is more application dependent, due to different circumstances and other factors, please first in the test environment to fully test.
Download the latest version of the Opensssl Library from the official
wget https://www.openssl.org/source/openssl-1.0.1g.tar.gz
Unzip the downloaded OpenSSL compression pack
TAR-ZXVF openssl-1.0.1g.tar.gz
Enter the unpacked OpenSSL folder
CD openssl-1.0.1g
Execute the config file in the folder, where the installation directory of OpenSSL is/usr/local/ssl (because the system environment difference path may be inconsistent, the same as below), pay attention to add zlib-dynamic parameter, make it compile into dynamic library

The code is as follows

Copy Code

./config shared Zlib-dynamic Config completes after executing the make command make make command and then execute the make install command to install OpenSSL make Install Rename the original OpenSSL command mv/usr/bin/openssl /usr/bin/openssl.old Rename the original OpenSSL directory mv/usr/ include/openssl /usr/include/openssl.old Soft-connect the OpenSSL command of the installed OpenSSL to/usr/bin/openssl Ln-s/usr/local/ ssl/bin/openssl /usr/bin/openssl Soft-connect the OpenSSL directory of the installed OpenSSL to/usr/include/openssl Ln-s/usr/local/ssl/ include/openssl /usr/include/openssl Modify the system's own OpenSSL library files, such as/usr/local/lib64/libssl.so (depending on the machine environment) The soft link to the upgraded libssl.so Ln-s/usr/local/ssl/lib/libssl.so/usr/local/lib64/libssl.so Executes the command to see if the OpenSSL dependent library version is 1.0.1g: Strings/usr/local/lib64/libssl.so |grep OpenSSL writes the search path to the OpenSSL library file in the/etc/ld.so.conf file Echo/usr/local/ Ssl/lib ">>/etc/ld.so.conf to make the modified/etc/ld.so.conf effective

Ldconfig-v
See if the version of OpenSSL is now an upgraded version
OpenSSL version
Update webserver's OpenSSL dependency library
If webserver is loaded with OpenSSL at compile time, the webserver will need to be restarted or recompiled. Due to the webserver installation is divided into dynamic compilation and static compilation of OpenSSL two ways, so the specific mode of operation is different.
Two methods to determine whether webserver is a dynamically compiled SSL

View dependent libraries with the LDD command

LDD Viewer depends on the library, the presence of libssl.so is the dynamic compilation of SSL (for example), and vice versa (such as):

View compilation parameters
such as the input to command/usr/sbin/nginx-v, view nginx compile parameters, the parameter does not exist--WITH-OPENSSL is dynamically compiled SSL, and vice versa static:

Update the OpenSSL library
A) If webserver is dynamically compiled for SSL installation, restart the Apache,nginx and other corresponding webserver services directly.
b) If webserver is statically compiled for SSL installation, the following methods can be updated:
Apache Statically compiling SSL:
Source reinstall Apache, using SSL static compilation:
When executing Apache configure files, you need to specify that SSL is statically compiled in addition to the parameters required by the business

The code is as follows	Copy Code
./configure--enable-ssl=static--with-ssl=/usr/local/ssl (Installation path for OpenSSL)

Installing Apache

The code is as follows	Copy Code
Make && make install

Restore the original Apache configuration and restart the service
Nginx statically compile the SSL case:
SOURCE re-install Nginx, using SSL static compilation:
When executing nginx configure file, in addition to the parameters required by the business, you need to specify that SSL is statically compiled, and the compilation parameters with--with-openssl will indicate that SSL is statically compiled.

The code is as follows	Copy Code
./configure--with-http_ssl_module--with-openssl=/usr/local/ssl (Installation path for OpenSSL)

Installing Nginx

The code is as follows	Copy Code
Make && make install

Restore the original Nginx configuration, restart the service can
If you have other uses of OpenSSL, refer to Apache and Nginx solutions.
To test for the existence of a vulnerability
Use attachment poc.py to detect the presence of a vulnerability based on a script hint.
Such as:
Test https://192.168.0.1 vulnerability exists execution command is as follows

The code is as follows	Copy Code
Python poc.py-p 443,8443 192.168.0.1

Detecting Dynamic Library libssl.so versions
Detects the libssl.so version used by the current process
Execute attachment showssl.pl Check script, no information output or no vulnerability version of OpenSSL output, indicating that the upgrade was successful, such as unknown in the output, whether the version of the Business self-examination libssl.so.1.0.0 is the affected version.
(see annex for details)

The code is as follows

Copy Code

#!/usr/bin/perl-w My @listInfo = ' lsof |grep Libssl|awk ' {print $ "" $ "" $NF} ' |sort-u '; foreach my $info (@listInfo) { My ($procName, $procPid, $libPath) = Split (/s/, $info); Next if (!defined ($procName) | |!defined ($PROCPID) | |!defined ($LIBPATH)); My $version = ' strings $libPath |grep-e ' ^openssl [0-9]+. [0-9]+ "'; Chomp $version; if ($version =~/s*openssls*1.0.1[a-f]{0,2}/) { Print "$procName ($procPid): $libPath ($version). N"; } }

Libssl.so version used by the detection system
Execute command:

The code is as follows	Copy Code
strings/usr/local/lib64/libssl.so |grep OpenSSL

See if the OpenSSL dependent library version is 1.0.1g
Note: The/usr/local/lib64/libssl.so path is for reference only and is determined by the specific machine environment, refer to the upgrade steps

Description of the OpenSSL upgrade method in the "Turn" Linux/centos