Many company websites now use HTTPS. Not long ago my site was scanned by WoSign (https://wosign.ssllabs.com/ is the scanning site) and a vulnerability was reported. As for what the impact of this vulnerability is, searching Baidu for the vulnerability's keywords turns up plenty of material.
I. The vulnerability
[Screenshot 1.png: the WoSign scan result reporting the vulnerability]
II. The official fix is to update the OpenSSL version, for example:
[Screenshot 2.png: the official remediation advice]
III. Overall repair process:
1. Update OpenSSL first. The version I installed is openssl-1.0.1t. (OpenSSL 1.0.1 reached end of life at the end of 2016, so on a current system choose a supported release branch; the steps below are the same.)
2. Rebuild the web server with OpenSSL compiled in, by pointing the build at the OpenSSL source directory, then change nginx.conf and restart the web server. My web server is Tengine.
IV. Detailed repair process:
1. Update the OpenSSL version. The commands below are the ones I ran and verified:
wget https://www.openssl.org/source/openssl-1.0.1t.tar.gz   # download the OpenSSL source tarball
tar zxvf openssl-1.0.1t.tar.gz                                # unpack it
cd openssl-1.0.1t                                             # enter the OpenSSL directory
./config
make && make install                                          # build and install
mv /usr/bin/openssl /usr/bin/openssl.bak
mv /usr/include/openssl /usr/include/openssl.bak
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig -v
openssl version -a                                            # show the OpenSSL build information; the output should look like this:
OpenSSL 1.0.1t  3 May 2016
built on: Tue Sep 20 23:10:08 2016
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2M -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/local/openssl/ssl"
The OpenSSL version update is now complete. Two things to keep in mind: moving the distribution's /usr/bin/openssl and /usr/include/openssl aside and adding /usr/local/ssl/lib to ld.so.conf affects every program on the host that uses OpenSSL, not only the web server, so keep the .bak copies until everything has been checked; and the web server build in the next step compiles OpenSSL from the source tree itself, so "openssl version" on the host tells you what the system binary is, not what the web server is linked against.
2. Rebuild the web server and change the configuration file
(Back up first. My backup commands were:
cp /usr/sbin/nginx /usr/sbin/nginx.bak
cp -r /usr/local/nginx /usr/local/nginx.bak
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
Note: these are the paths on my server; every environment is different, so find your own directories before backing up.)
tar zxvf tengine-1.4.6.tar.gz   # unpack the tengine-1.4.6.tar.gz package; if you do not have it, download it from the official site
cd tengine-1.4.6
./configure --prefix=/usr/local/nginx --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/sbin/nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_concat_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_sysguard_module --with-backtrace_module --with-http_stub_status_module --with-http_upstream_check_module --with-google_perftools_module --with-openssl=/d20141212/temp/openssl-1.0.1t
# --with-openssl is the option that matters: its value is the directory where the OpenSSL source was unpacked, and the build compiles that source into the server binary. The rest of this ./configure line is from my production environment; run "nginx -V" on your existing binary to see its configure arguments and copy those instead of mine.
make && make install   # make install is safe here because ./configure listed every module we had before, so no module disappears after the install
vim /etc/nginx/nginx.conf   # edit your configuration file and add these two lines to the HTTPS server block:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH:AESGCM:HIGH:!RC4:!DH:!MD5:!aNULL:!eNULL;
These two lines leave SSLv2/SSLv3 disabled and exclude RC4, plain DH, MD5 and the anonymous or null suites; TLSv1 and TLSv1.1 are kept only for old clients and can be dropped if you do not need them. Save, then restart the web server (a full stop and start of Nginx: a plain reload keeps the old master process, and workers forked from it still run the old binary with the old OpenSSL code).
At this point the OpenSSL vulnerability has been fixed. Rescan at https://wosign.ssllabs.com/ to confirm; locally, "nginx -V" should now report that the binary was built with OpenSSL 1.0.1t.
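As an added example (not part of the original post), here is a small POSIX sh script for the local check that complements the online rescan. Because --with-openssl compiles OpenSSL into the server binary, the host's "openssl version" says nothing about the web server; the "built with OpenSSL x.y.z" line of "nginx -V" does. The script extracts that line, compares the version against a minimum (including the 1.0.x letter suffix), and confirms that nginx.conf still carries the two ssl_* directives from the post. The "nginx -V" text and the two configuration fragments below are constructed samples, not output captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post. Checks (1) the OpenSSL version the
# web server binary was built with, taken from `nginx -V` output, and (2) that
# nginx.conf keeps the ssl_protocols / ssl_ciphers lines that disable SSLv2/SSLv3
# and RC4. Assumes the "built with OpenSSL x.y.z" line nginx/Tengine print for -V.
# All sample texts below are constructed for the example.

# Print the "built with OpenSSL x.y.z" version found in `nginx -V` text on stdin.
builtin_openssl_version() {
    sed -n 's/.*built with OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' | head -n 1
}

# version_ge A B: succeed when OpenSSL version A is at least B.
# Handles the 1.0.x letter suffix (1.0.1t > 1.0.1r) as well as 1.1.1 / 3.0.2.
version_ge() {
    awk -v a="$1" -v b="$2" '
    function key(v,    parts, n, digits, letter) {
        n = split(v, parts, ".")
        digits = parts[n]; letter = 0
        if (digits ~ /[a-z]$/) {
            letter = index("abcdefghijklmnopqrstuvwxyz", substr(digits, length(digits), 1))
            digits = substr(digits, 1, length(digits) - 1)
        }
        # pack major/minor/fix/letter into one comparable number
        return parts[1] * 1000000000 + parts[2] * 1000000 + digits * 1000 + letter
    }
    BEGIN { exit !(key(a) >= key(b)) }'
}

# check_build NGINX_V_TEXT MINVERSION: succeed when the binary was built with OpenSSL >= MINVERSION.
check_build() {
    v=$(printf '%s\n' "$1" | builtin_openssl_version)
    [ -n "$v" ] && version_ge "$v" "$2"
}

# tls_config_ok: read nginx.conf on stdin; succeed only if ssl_protocols and
# ssl_ciphers are both set, SSLv2/SSLv3 are not enabled and RC4 is excluded.
tls_config_ok() {
    conf=$(cat)
    protos=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p')
    ciphers=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*\(.*\);.*/\1/p')
    [ -n "$protos" ] && [ -n "$ciphers" ] || return 1
    case " $protos " in *" SSLv2 "*|*" SSLv3 "*) return 1 ;; esac
    case ":$ciphers:" in *":!RC4:"*) ;; *) return 1 ;; esac
    return 0
}

# Constructed sample of `nginx -V` output for the rebuilt server (not captured from a real host).
SAMPLE_NGINX_V='Tengine version: Tengine/1.4.6
built by gcc 4.4.7 (GCC)
built with OpenSSL 1.0.1t  3 May 2016
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --with-openssl=/d20141212/temp/openssl-1.0.1t'

# Constructed nginx.conf fragments: the settings from the post, and a weak one for contrast.
GOOD_CONF='server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH:AESGCM:HIGH:!RC4:!DH:!MD5:!aNULL:!eNULL;
}'
WEAK_CONF='server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL;
}'

# Demonstration on the constructed samples. On a live host feed the real data instead:
#   check_build "$(nginx -V 2>&1)" 1.0.1t          (nginx prints -V on stderr)
#   tls_config_ok < /etc/nginx/nginx.conf
check_build "$SAMPLE_NGINX_V" 1.0.1t && echo "build: OpenSSL >= 1.0.1t" || echo "build: OpenSSL too old"
printf '%s\n' "$GOOD_CONF" | tls_config_ok && echo "config: ok" || echo "config: weak"
printf '%s\n' "$WEAK_CONF" | tls_config_ok && echo "weak config: ok" || echo "weak config: rejected"
```

The version comparison is the part worth keeping: distribution builds of "nginx -V" may also print a "running with OpenSSL" line when the binary is dynamically linked against a newer library, and the first match (the "built with" line) is the one that tells you which source tree went into the build.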
If you have any questions, leave a comment.
This article is from the "Cheng Xiao Bai" blog; reprinting is declined.
Linux Fix OpenSSL vulnerability