Nginx Source installation OpenSSL repair Heartbleed vulnerability

Source: Internet
Author: User
Tags openssl library openssl version


If your nginx links OpenSSL as a dynamic library, upgrade OpenSSL directly; if your nginx was built with a static OpenSSL library, recompile and reinstall Nginx. A fix for PHP builds follows at the end.

1. Nginx uses a dynamic OpenSSL library: upgrade OpenSSL directly
1.1 Installing OpenSSL 1.0.1g from source
Download OpenSSL 1.0.1g first, with the following command:
# wget -c https://www.openssl.org/source/openssl-1.0.1g.tar.gz
Then download the MD5 checksum file for this version:
# wget -c https://www.openssl.org/source/openssl-1.0.1g.tar.gz.md5
Then verify that the OpenSSL package has not been tampered with:
# md5sum openssl-1.0.1g.tar.gz | awk '{print $1}' | cmp - openssl-1.0.1g.tar.gz.md5
If the checksum matches, unpack the package:
# tar -zvxf openssl-1.0.1g.tar.gz    # unpack openssl-1.0.1g.tar.gz
Enter the unpacked directory:
# cd openssl-1.0.1g
Enter the following command to compile and install. I set only the few parameters that matter to me, because the other parameters are useless for my setup; if you need a parameter, add it yourself:
# ./config shared zlib && make && make install
Or add no parameters at all and use the defaults:
# ./config && make && make install
Compiling and installing takes about five or six minutes. If there was no problem, continue by manually symlinking the new OpenSSL binary and headers:
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
# ln -s /usr/local/ssl/include/openssl /usr/include/openssl
Configure the library search path:
# echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
# ldconfig -v
Finally reboot the server (restarting the individual processes is more troublesome):
# reboot
After rebooting, check the OpenSSL version:
# openssl version
It shows:
OpenSSL 1.0.1g 7 Apr 2014

2. Nginx uses a static OpenSSL library: recompile and reinstall Nginx
2.1 Overview
The OpenSSL vulnerability that has just broken out leaks private information and affects a great many machines, and the differing environments call for different repair procedures.
Many servers run Nginx with a statically compiled OpenSSL, that is, OpenSSL is compiled directly into nginx. This means that simply upgrading OpenSSL has no effect: Nginx will not load the external OpenSSL dynamic library, so Nginx must be recompiled before the fix takes effect.
2.2 Identifying whether Nginx is statically compiled
There are three ways to confirm whether nginx compiled OpenSSL in statically.
1) View Nginx's compilation parameters
Enter the following command to view Nginx's compilation parameters (capital -V prints the configure arguments; lowercase -v prints only the version):
# ./sbin/nginx -V
If the compilation parameters contain --with-openssl=..., then Nginx has OpenSSL compiled in statically, as here:
nginx version: nginx/1.4.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/opt/app/nginx --with-http_ssl_module --with-openssl=/opt/app/openssl-1.0.1e --add-module=/opt/app/ngx_cache_purge-2.1
2) View Nginx's dependent libraries
For further confirmation, check the program's dependent libraries with the following command:
# ldd `which nginx` | grep -i ssl
This shows:
libssl.so.10 => /usr/lib/libssl.so.10 (0xb76c6000)
Note: if the output contains no libssl.so entry, OpenSSL was compiled in statically.
Then enter the following command to determine which OpenSSL version the library belongs to; the answer is not very detailed, for instance it should be 1.0.1e.5.7 but only 1.0.1e is printed:
# strings /usr/lib/libssl.so.10 | grep "^OpenSSL"
OpenSSL 1.0.1e-fips 2013
3) View Nginx's open files
You can also look at the files the Nginx process has open to see whether it is statically compiled; enter the following commands:
# ps aux | grep nginx
# lsof -p 111111 | grep -i ssl    # replace 111111 with the Nginx process PID
If no OpenSSL library file is open, OpenSSL is statically compiled.
2.3 Recompiling Nginx
Refer to the separate "Nginx recompilation manual" for fixing the [OpenSSL Heartbleed] vulnerability in Nginx with statically compiled OpenSSL.
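The checks in sections 1 and 2.2 scripted together, as an added example that is not code from the original post: it classifies the text of `nginx -V` and `openssl version` and names the repair step this post prescribes. The sample strings are constructed, and the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) is the published OpenSSL range rather than something the post states.

```shell
#!/bin/sh
# Added example, not from the original post: scripts the checks above.
# Inputs are the text of `nginx -V` and `openssl version`; the sample
# strings at the bottom are constructed to resemble the post's output.

# Returns 0 if the configure arguments show OpenSSL compiled into nginx
# (static build), 1 if nginx links the system libssl dynamically.
nginx_static_openssl() {
    printf '%s\n' "$1" | grep -qi -- '--with-openssl='
}

# Returns 0 if an "OpenSSL x.y.z ..." line is in the Heartbleed-affected
# range: 1.0.1 through 1.0.1f and 1.0.2-beta1 (1.0.1g, 1.0.0, 0.9.8 are not).
heartbleed_affected() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\(-beta[0-9]*\)\{0,1\}\).*/\1/p')
    [ -n "$ver" ] || return 2        # not an OpenSSL version line at all
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the repair step the post prescribes for one host: rebuild-nginx,
# upgrade-openssl or ok.  $1 = `nginx -V` output, $2 = `openssl version`.
heartbleed_action() {
    if nginx_static_openssl "$1"; then
        # Static build: the system libssl does not matter; judge the tree in
        # --with-openssl=.../openssl-<version>, and rebuild when unknown.
        bundled=$(printf '%s\n' "$1" |
            sed -n 's/.*--with-openssl=[^ ]*openssl-\([0-9][0-9.]*[a-z]*\).*/\1/p')
        if [ -z "$bundled" ] || heartbleed_affected "OpenSSL $bundled"; then
            echo rebuild-nginx
        else
            echo ok
        fi
    elif heartbleed_affected "$2"; then
        echo upgrade-openssl
    else
        echo ok
    fi
}

# Constructed sample, modelled on the nginx -V output shown in section 2.2.
NGINX_V='nginx version: nginx/1.4.1
configure arguments: --prefix=/opt/app/nginx --with-http_ssl_module --with-openssl=/opt/app/openssl-1.0.1e'
echo "static nginx with bundled 1.0.1e -> $(heartbleed_action "$NGINX_V" 'OpenSSL 1.0.1g 7 Apr 2014')"
```

On a live host, feed it `"$(./sbin/nginx -V 2>&1)"` and `"$(openssl version)"`; note that nginx -V writes to stderr.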


3. Was an OpenSSL directory specified when PHP was compiled?
Look directly at a PHP probe: save <?php phpinfo(); ?> as info.php.
Open info.php in the browser and look at the OpenSSL section, which reads:
openssl
OpenSSL support enabled
OpenSSL Library Version OpenSSL 1.0.1g 7 Apr 2014
OpenSSL Header Version OpenSSL 1.0.1g 7 Apr 2014
If the version shown is not 1.0.1g, recompile PHP, specifying the OpenSSL directory.
You can view the PHP version and its compilation parameters with the following commands:
# php -v    # view the PHP version
# /usr/local/php/bin/php -i | grep Configure    # view the parameters PHP was compiled with
The configure command shown by this output has its arguments enclosed in single quotation marks, which must be removed. At the same time, change --with-openssl to:
--with-openssl=/usr/local/ssl/
Then recompile. Only the compilation parameters change; the PHP version does not.

This article is from the "Willard_sa" blog, make sure to keep this source http://374400.blog.51cto.com/364400/1672558
