Description of the OpenSSL upgrade method on Linux/CentOS (repost)

Source: Internet
Author: User
Tags: install openssl, openssl library, openssl version

Related software
Apache: http://httpd.apache.org/
Nginx: http://nginx.org/en/download.html
OpenSSL: http://www.openssl.org/

Attachment: Openssl-poc
Annex description
poc.py: exploit test PoC script
showssl.pl: OpenSSL dynamic library version detection script
OpenSSL installation steps

Because operating environments differ, the following procedure is for reference only. OpenSSL is a system-level component that many applications depend on, so test the procedure fully in a test environment before applying it to production systems.

Download the latest version of the OpenSSL library from the official site:
wget https://www.openssl.org/source/openssl-1.0.1g.tar.gz

Unpack the downloaded OpenSSL archive:
tar -zxvf openssl-1.0.1g.tar.gz

Enter the unpacked OpenSSL folder:
cd openssl-1.0.1g

Run the config script in the folder. The installation directory of OpenSSL is /usr/local/ssl (paths may differ between systems; the same applies below). Be sure to add the shared and zlib-dynamic parameters so that OpenSSL is built as a dynamic library:
./config shared zlib-dynamic

After config completes, run make:
make

After make finishes, run make install to install OpenSSL:
make install

Rename the original openssl command:
mv /usr/bin/openssl /usr/bin/openssl.old

Rename the original OpenSSL header directory:
mv /usr/include/openssl /usr/include/openssl.old

Symlink the newly installed openssl command to /usr/bin/openssl:
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

Symlink the newly installed OpenSSL header directory to /usr/include/openssl:
ln -s /usr/local/ssl/include/openssl /usr/include/openssl

Replace the system's own OpenSSL library file, for example /usr/local/lib64/libssl.so (the path depends on the machine environment), with a symlink to the upgraded libssl.so (-f overwrites the existing file):
ln -sf /usr/local/ssl/lib/libssl.so /usr/local/lib64/libssl.so

Run the following command to check that the OpenSSL library version is now 1.0.1g:
strings /usr/local/lib64/libssl.so | grep OpenSSL

Add the search path of the OpenSSL library files to /etc/ld.so.conf:
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf

Make the modified /etc/ld.so.conf take effect:
ldconfig -v

Check that the openssl command now reports the upgraded version:
openssl version
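The following POSIX sh script is an added example, not part of the original article: it automates the version checks at the end of the steps above, assuming the article's paths (/usr/local/ssl prefix and /usr/local/lib64/libssl.so) and treating 1.0.1 through 1.0.1f as the affected range, as the article's showssl.pl does.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes the article's
# paths (/usr/local/ssl, /usr/local/lib64/libssl.so); adjust for your host.

# Extract the first "x.y.zw" OpenSSL version token from text such as the
# output of "strings libssl.so | grep OpenSSL" or "openssl version".
extract_openssl_version() {
    printf '%s\n' "$1" \
        | grep -oE 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' \
        | head -n 1 | cut -d' ' -f2
}

# Exit 0 for the releases the article's showssl.pl treats as affected:
# 1.0.1 through 1.0.1f. 1.0.1g and every other branch return 1.
version_is_affected() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Inspect one library file on a live system (needs the strings tool).
check_libssl_file() {
    lib="$1"
    [ -r "$lib" ] || { echo "$lib: not found"; return 2; }
    ver=$(extract_openssl_version "$(strings "$lib" | grep OpenSSL)")
    if version_is_affected "$ver"; then
        echo "$lib: OpenSSL $ver is still an affected version"
        return 1
    fi
    echo "$lib: OpenSSL $ver"
}

# Post-upgrade check: the openssl command, the libssl.so entries the dynamic
# linker knows about (ldconfig -p), and the library file the article symlinked.
verify_upgrade() {
    cmd_ver=$(extract_openssl_version "$(openssl version)")
    echo "openssl command reports $cmd_ver"
    echo "libssl entries known to the dynamic linker:"
    ldconfig -p | grep 'libssl\.so'
    check_libssl_file /usr/local/lib64/libssl.so
}
```

Distribution packages often backport fixes without changing the version string, so a banner such as 1.0.1e on a vendor-patched library is not on its own proof of exposure; check the package changelog as well.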
Update the web server's OpenSSL dependency

If the web server loaded OpenSSL at compile time, it must be restarted or recompiled. Because a web server can be built against OpenSSL in two ways, dynamic or static linking, the procedure differs between the two.

Two ways to determine whether the web server links SSL dynamically

View the dependent libraries with the ldd command
Run ldd on the server binary to list the libraries it depends on. If libssl.so appears in the output, SSL is dynamically linked; if it does not, SSL is statically linked.

View the compile parameters
For example, run /usr/sbin/nginx -V to view the nginx configure parameters. If the --with-openssl parameter is absent, SSL is dynamically linked; if it is present, SSL is statically linked.
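As an added example (not from the original article), the two indicators above as POSIX sh functions that classify a server binary and also report which libssl the loader resolved for it, so you can see whether a restarted server really picked up the new library; the sample ldd and nginx -V outputs are constructed, and binary paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article.

# "dynamic" if the ldd listing names libssl.so, otherwise "static".
ssl_link_mode_from_ldd() {
    if printf '%s\n' "$1" | grep -q 'libssl\.so'; then
        echo dynamic
    else
        echo static
    fi
}

# The libssl path ldd resolved; after the upgrade it should sit under the
# new prefix (/usr/local/ssl/lib), not in the old system library directory.
ssl_lib_path_from_ldd() {
    printf '%s\n' "$1" | awk '/libssl\.so/ && $2 == "=>" { print $3; exit }'
}

# "static" if nginx's configure arguments contain --with-openssl=, else "dynamic".
nginx_ssl_mode_from_configure_args() {
    case "$1" in
        *--with-openssl=*) echo static ;;
        *) echo dynamic ;;
    esac
}

# Combine both indicators for a live binary (needs ldd; nginx -V, capital V,
# prints the configure arguments on stderr).
classify_server_binary() {
    bin="$1"
    ldd_out=$(ldd "$bin" 2>/dev/null)
    mode=$(ssl_link_mode_from_ldd "$ldd_out")
    echo "$bin: ldd indicates $mode SSL"
    [ "$mode" = dynamic ] && echo "$bin: loads $(ssl_lib_path_from_ldd "$ldd_out")"
    case "$bin" in
        *nginx*) echo "$bin: configure args indicate $(nginx_ssl_mode_from_configure_args "$("$bin" -V 2>&1)") SSL" ;;
    esac
}

# Constructed sample outputs (not captured from a real host) for offline use.
SAMPLE_LDD_DYNAMIC='	linux-vdso.so.1 =>  (0x00007fff5a1ff000)
	libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f0d8c2e0000)
	libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f0d8bf00000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0d8bb60000)'
SAMPLE_LDD_STATIC='	linux-vdso.so.1 =>  (0x00007fff5a1ff000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0d8bb60000)'
SAMPLE_NGINX_V='nginx version: nginx/1.4.7
configure arguments: --with-http_ssl_module --with-openssl=/usr/local/ssl'
```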

Update the OpenSSL library

a) If the web server links SSL dynamically, simply restart the corresponding service (Apache, Nginx, and so on).
b) If the web server links SSL statically, update it as follows:

Apache with statically linked SSL:
Reinstall Apache from source, linking SSL statically:
When running the Apache configure script, in addition to the parameters the business requires, specify that SSL is to be linked statically:
./configure --enable-ssl=static --with-ssl=/usr/local/ssl
(installation path of OpenSSL)

Install Apache:
make && make install

Restore the original Apache configuration and restart the service.

Nginx with statically linked SSL:
Reinstall Nginx from source, linking SSL statically:
When running the nginx configure script, in addition to the parameters the business requires, specify that SSL is to be linked statically; the --with-openssl parameter indicates that SSL is linked statically.
./configure --with-http_ssl_module --with-openssl=/usr/local/ssl
(installation path of OpenSSL; note that nginx's --with-openssl=DIR option expects an OpenSSL source tree, which nginx then builds and links statically, so if the build fails point it at the unpacked openssl-1.0.1g source directory instead)

Install Nginx:
make && make install

Restore the original Nginx configuration and restart the service.
If other software uses OpenSSL, handle it in the same way as Apache and Nginx.
Testing whether the vulnerability exists

Use the attached poc.py to check for the vulnerability, following the script's prompts.
For example, to test whether https://192.168.0.1 is vulnerable, run:
python poc.py -p 443,8443 192.168.0.1

Detecting the libssl.so dynamic library version

Detecting the libssl.so version used by running processes
Run the attached showssl.pl check script. No output, or output listing only non-vulnerable OpenSSL versions, indicates that the upgrade succeeded. If the output contains "unknown", check for yourself whether the libssl.so.1.0.0 in use is an affected version.
(see annex for details)

#!/usr/bin/perl -w
use strict;

# List every process that has a libssl library mapped, as "name pid path", one per line.
# The awk field references are escaped so that Perl does not interpolate $1, $2 and $NF.
my @listInfo = `lsof | grep libssl | awk '{print \$1 " " \$2 " " \$NF}' | sort -u`;
foreach my $info (@listInfo)
{
    my ($procName, $procPid, $libPath) = split(/\s+/, $info);
    next if (!defined($procName) || !defined($procPid) || !defined($libPath));
    # Read the version banner embedded in the library file.
    my $version = `strings $libPath | grep -E "^OpenSSL [0-9]+\\.[0-9]+" | head -n 1`;
    chomp $version;
    # Report only the affected releases 1.0.1 through 1.0.1f; \b keeps 1.0.1g from matching.
    if ($version =~ /\s*OpenSSL\s*1\.0\.1[a-f]?\b/)
    {
        print "$procName($procPid): $libPath ($version)\n";
    }
}

Detecting the libssl.so version used by the system
Run the command:
strings /usr/local/lib64/libssl.so | grep OpenSSL

Check whether the OpenSSL library version is 1.0.1g.
Note: the path /usr/local/lib64/libssl.so is for reference only and depends on the specific machine environment; refer to the upgrade steps.
