OpenSSL has been the hot topic lately. At first, several small-business machines belonging to the company's rds team were flagged for the OpenSSL vulnerability. These machines were all independent small services, so we just stopped them, found a simple guide and upgraded (some run nginx, some run resin). After the services were restarted, all OK.
The company's main business also has a general portal machine (two machines behind LVS). This machine is very important and had been patched for an OpenSSL vulnerability only once before, back in '13 (the old machines are scheduled for an environment change), so this time I was worried about it. But last week customer service suddenly reported that browsers were showing a warning when customers visited the site, so the problem had to be solved immediately (upgrade OpenSSL).
Related reading:
OpenSSL TLS heartbeat read remote information leakage (CVE-2014-0160)
Severe OpenSSL bug allows attackers to read 64 KB of memory, fixed within half an hour in Debian
OpenSSL "heartbleed" Security Vulnerability
Providing FTP + SSL/TLS authentication through OpenSSL and implementing secure data transmission
Checking the environment and detection
PS: the file $homedir/build/config.nice written by Apache's build records the parameters used for the previous compile. Mine contained:
"--with-ldap" \
"--enable-mods-shared=all ssl ldap cache proxy authn_alias file_cache authnz_ldap charset_lite dav_lock cache_disk" \
"--with-included-apr" \
"--with-ssl=/usr/local/openssl/"    (this is where the first problem was)
After the rebuild finished, the online detection services still kept reporting the OpenSSL vulnerability. (I started with 360's checker, then felt cheated by it, and found another site.)
https://lastpass.com/heartbleed (since this is a write-up after the fact, I used a friend's website for the screenshot; he had the same problem.)
Then I instantly understood something.
There were two problems:
1. --with-ssl=/usr/local/openssl/ is the path of the old OpenSSL, so Apache was still built against the vulnerable library.
2. Apache reported an error when the new path was specified. (The error message was not recorded for this write-up. Roughly: the ldap .so related to the apr-util dependency was missing, meaning ldap support was not compiled in when apr-util was built.)
OK, here is the correct procedure.
I. Install OpenSSL
0. First check the OpenSSL version currently on the system: # openssl version -a
1. Fetch the source package: # wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
2. Build and install openssl (the default prefix is /usr/local/ssl):
tar xf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
./config -DOPENSSL_NO_HEARTBEATS shared zlib
make && make install
3. Add the new library directory to the loader search path (append to the file, do not overwrite it) and refresh the cache:
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig
4. Check the openssl version again to verify the installation:
# openssl version -a
The output now shows the newly installed version, and the compiler line includes -DOPENSSL_NO_HEARTBEATS (heartbeats disabled).
II. Compile and install apr-util
Note: I install the ldap-related components directly with yum, because Apache's build depends on the ldap support in apr-util; therefore this parameter must be given when compiling apr-util.
yum install apr-devel apr-util-ldap (to resolve apr-util's ldap dependency, since I could not work out which library was missing)
tar xf apr-1.4.6.tar.bz2
cd apr-1.4.6
./configure --prefix=/usr/local/apr
make && make install
cd ..
tar xf apr-util-1.5.2.tar.bz2
cd apr-util-1.5.2
./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr --with-ldap
make && make install
III. Compile and install Apache
$ tar xf httpd-2.4.4.tar.bz2
$ cd httpd-2.4.4
$ ./configure --with-ldap --enable-mods-shared="all ssl ldap cache proxy authn_alias file_cache authnz_ldap charset_lite dav_lock cache_disk" --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util --with-ssl=/usr/local/ssl/    (note the ssl path: it must point at the new OpenSSL)
$ make && make install
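Two things above are worth checking mechanically after the build: that the openssl in use is a fixed release or was built with -DOPENSSL_NO_HEARTBEATS (step I.4), and that mod_ssl really links the new /usr/local/ssl library rather than the old /usr/local/openssl one (the --with-ssl path in III). The script below is an added example, not from the original post; it parses the output of `openssl version -a` and `ldd` and is run here on constructed sample output, and it assumes Apache's default install prefix /usr/local/apache2.

```shell
#!/bin/sh
# Added example (not from the original post): post-upgrade checks that parse
# `openssl version -a` and `ldd` output. Distro builds that backport the fix
# keep the old version string, so for those rely on the vendor advisory.

# heartbleed_affected OUTPUT
# True (0) when the version line names an affected release (1.0.1 .. 1.0.1f,
# 1.0.2-beta1) and the build flags lack -DOPENSSL_NO_HEARTBEATS; 1 otherwise.
heartbleed_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][^ ]*\).*/\1/p' | head -n 1)
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1)
            printf '%s\n' "$1" | grep -q -- '-DOPENSSL_NO_HEARTBEATS' && return 1
            return 0 ;;
        *) return 1 ;;
    esac
}

# libssl_path LDD_OUTPUT: prints the resolved libssl path (empty if none).
libssl_path() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*libssl\.so[^ ]* => \([^ ]*\).*/\1/p' | head -n 1
}

# links_prefix LDD_OUTPUT PREFIX: true when libssl resolves under PREFIX.
links_prefix() {
    case "$(libssl_path "$1")" in
        "$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample outputs (not captured from a real host).
OLD_VER='OpenSSL 1.0.1e 11 Feb 2013
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS'
NEW_VER='OpenSSL 1.0.1g 7 Apr 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -DZLIB'
OLD_LDD='	libssl.so.1.0.0 => /usr/local/openssl/lib/libssl.so.1.0.0 (0x00007f1c)
	libcrypto.so.1.0.0 => /usr/local/openssl/lib/libcrypto.so.1.0.0 (0x00007f1b)'
NEW_LDD='	libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f1c)'

# On a real host use the live commands instead of the samples, e.g.
#   heartbleed_affected "$(openssl version -a)"
#   links_prefix "$(ldd /usr/local/apache2/modules/mod_ssl.so)" /usr/local/ssl
heartbleed_affected "$OLD_VER" && echo "old build: affected"
heartbleed_affected "$NEW_VER" || echo "new build: fixed release, heartbeats disabled"
links_prefix "$OLD_LDD" /usr/local/ssl || echo "mod_ssl still links $(libssl_path "$OLD_LDD")"
links_prefix "$NEW_LDD" /usr/local/ssl && echo "mod_ssl links the new OpenSSL"
```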
Before the operation I had not made a compressed backup of the original Apache files (logs included); I had uploaded them as they were.
After the install, I deleted the three directories conf, htdocs and logs under the newly compiled directory and then copied those three directories over from the old tree. That is the most convenient approach (the logs directory structure can be copied as well).
It should be noted that ldap depends on.
When upgrading OpenSSL for nginx, one of the machines also had to be recompiled. That seems to be an environmental factor (the machine is very old). At compile time the OpenSSL source directory was specified directly, so that nginx rebuilds the OpenSSL libraries it depends on.
When upgrading a production environment, we recommend completing the test in a test environment first, building an rpm package, and then installing that directly in production. If you have your own local yum repository, even better.