Problems encountered when rebuilding Nginx after an OpenSSL version upgrade

Background

The company's production website received a vulnerability scan notice from the network security authority, listing a pile of security vulnerabilities that had to be remediated

  • nginx security vulnerability CVE-2021-23017
  • nginx resolver use-after-free vulnerability CVE-2016-0746
  • nginx resolver denial-of-service vulnerability CVE-2016-0742
  • nginx null pointer dereference vulnerability CVE-2016-4450
  • nginx security vulnerability CVE-2019-9511
  • nginx security vulnerability CVE-2019-9513

Fixes for the Nginx vulnerabilities can all be found in the official advisories; the simplest approach is to upgrade to a patched version

  • SSL/TLS protocol information disclosure vulnerability CVE-2016-2183

This vulnerability was also announced on the OpenSSL website; the official recommendation is to upgrade to version 1.1.0 or later

This post records both of these version upgrades.

Environment

OS version

[root@localhost ~]# cat /etc/redhat-release 
CentOS Linux release 7.9.2009 (Core)
[root@localhost ~]# uname -a
Linux localhost.localdomain 3.10.0-1160.el7.x86_64 #1 SMP Mon Oct 19 16:18:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Nginx version

[root@localhost ~]# /opt/nginx/sbin/nginx -V
nginx version: nginx/1.16.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module

OpenSSL version

[root@localhost ~]# openssl version -a
OpenSSL 1.0.2k-fips  26 Jan 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  rdrand dynamic

Install the build tools

yum install -y openssl openssl-devel zlib zlib-devel pcre pcre-devel perl make gcc gcc-c++ wget

Upgrade OpenSSL

Install the new version

# Download
[root@localhost ~]# wget https://www.openssl.org/source/openssl-1.1.1l.tar.gz
[root@localhost ~]# tar -zxvf openssl-1.1.1l.tar.gz
[root@localhost ~]# cd openssl-1.1.1l
# config: set the install directory
[root@localhost openssl-1.1.1l]# ./config shared --openssldir=/usr/local/openssl --prefix=/usr/local/openssl
Operating system: x86_64-whatever-linux2
Configuring OpenSSL version 1.1.1l (0x101010cfL) for linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Creating Makefile

**********************************************************************
***                                                                ***
***   OpenSSL has been successfully configured                     ***
***                                                                ***
***   If you encounter a problem while building, please open an    ***
***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
***   and include the output from the following command:           ***
***                                                                ***
***       perl configdata.pm --dump                                ***
***                                                                ***
***   (If you are new to OpenSSL, you might want to consult the    ***
***   'Troubleshooting' section in the INSTALL file first)         ***
***                                                                ***
**********************************************************************

# Build and install
[root@localhost openssl-1.1.1l]# make
[root@localhost openssl-1.1.1l]# make install

Move the old version aside

[root@localhost ~]# mv /usr/bin/openssl /usr/bin/openssl.old
[root@localhost ~]# mv /usr/include/openssl/ /usr/include/openssl.old
[root@localhost ~]# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl

Configure the library search path

[root@localhost ~]# echo "/usr/local/openssl/lib/" >> /etc/ld.so.conf
[root@localhost ~]# ldconfig

Check the version

[root@localhost ~]# openssl version -a
OpenSSL 1.1.1l  24 Aug 2021
built on: Fri Sep  3 10:10:01 2021 UTC
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr) 
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG
OPENSSLDIR: "/usr/local/openssl"
ENGINESDIR: "/usr/local/openssl/lib/engines-1.1"
Seeding source: os-specific

Upgrade Nginx

Download the new version

[root@localhost ~]# wget http://nginx.org/download/nginx-1.20.1.tar.gz
[root@localhost ~]# tar -zxvf nginx-1.20.1.tar.gz
[root@localhost ~]# cd nginx-1.20.1

Before building, edit the following lines in auto/lib/openssl/conf

            CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
            CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
            CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
            CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"

Remove the .openssl path component from these four settings, so that they read as follows

            CORE_INCS="$CORE_INCS $OPENSSL/include"
            CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
            CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"
            CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"

The configure arguments must match those of the old Nginx build exactly (as shown by nginx -V above); in addition, pass the new OpenSSL library path with --with-openssl=/usr/local/openssl

[root@localhost nginx-1.20.1]# ./configure --prefix=/opt/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-openssl=/usr/local/openssl

Otherwise configure fails because it cannot find the OpenSSL library

./configure: error: SSL modules require the OpenSSL library.
You can either do not enable the modules, or install the OpenSSL library
into the system, or build the OpenSSL library statically from the source
with nginx by using --with-openssl=<path> option.

Build

[root@localhost nginx-1.20.1]# make

After the build, set the old binary aside and copy the nginx executable generated in the objs directory into the nginx installation directory

[root@localhost nginx-1.20.1]# mv /opt/nginx/sbin/nginx /opt/nginx/sbin/nginx_1.16.0
[root@localhost nginx-1.20.1]# cp objs/nginx /opt/nginx/sbin/nginx

Check that nginx is working

[root@localhost ~]# /opt/nginx/sbin/nginx -t
nginx: the configuration file /opt/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /opt/nginx/conf/nginx.conf test is successful

Zero-downtime (smooth) upgrade commands

[root@localhost ~]# kill -USR2 `cat /opt/nginx/logs/nginx.pid`
[root@localhost ~]# kill -WINCH `cat /opt/nginx/logs/nginx.pid.oldbin`
[root@localhost ~]# kill -QUIT `cat /opt/nginx/logs/nginx.pid.oldbin`

Nginx and OpenSSL are now both on the new versions

[root@localhost ~]# /opt/nginx/sbin/nginx -V
nginx version: nginx/1.20.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.1.1l  24 Aug 2021
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-openssl=/usr/local/openssl
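The following shell helpers are an added example, not code from the original post. They cover the auto/lib/openssl/conf edit, the version cross-check a practitioner should run after the rebuild (to confirm the new binary really links the new OpenSSL rather than the old system library), and the signal-based upgrade sequence with the checks the post leaves implicit. Paths (/opt/nginx, /usr/local/openssl) are the ones used above and are assumptions.

```shell
# Strip the ".openssl" path component from nginx's auto/lib/openssl/conf so
# that --with-openssl can point at an installed prefix instead of a source
# tree. Prints how many lines were rewritten (expected: 4).
patch_openssl_conf() {
    conf="$1"
    n=$(grep -c '\$OPENSSL/\.openssl/' "$conf" || true)
    sed 's#\$OPENSSL/\.openssl/#$OPENSSL/#g' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    echo "$n"
}

# Pull the version token out of the "built with OpenSSL ..." line of
# `nginx -V` (note: nginx -V writes to stderr, so capture it with 2>&1).
nginx_openssl_version() {
    sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p'
}

# Succeeds only when the OpenSSL that nginx was linked against is the same
# version `openssl version` now reports; catches a rebuild that silently
# picked up the old 1.0.2k system library.
# $1: output of `nginx -V 2>&1`, $2: output of `openssl version`
check_versions_match() {
    built=$(printf '%s\n' "$1" | nginx_openssl_version)
    system=$(printf '%s\n' "$2" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p')
    [ -n "$built" ] && [ "$built" = "$system" ]
}

# Binary-upgrade sequence from the post, with two guards added: refuse to
# signal the master unless the new binary passes `-t`, and only send
# WINCH/QUIT once the old master has actually written nginx.pid.oldbin.
# Verify that the new workers serve traffic before the QUIT step.
smooth_upgrade() {
    prefix="${1:-/opt/nginx}"
    "$prefix/sbin/nginx" -t || return 1
    kill -USR2 "$(cat "$prefix/logs/nginx.pid")"
    i=0
    while [ ! -f "$prefix/logs/nginx.pid.oldbin" ]; do
        i=$((i + 1)); [ "$i" -lt 30 ] || return 1
        sleep 1
    done
    kill -WINCH "$(cat "$prefix/logs/nginx.pid.oldbin")"
    kill -QUIT "$(cat "$prefix/logs/nginx.pid.oldbin")"
}
```

Usage: `patch_openssl_conf nginx-1.20.1/auto/lib/openssl/conf` before running configure, then `check_versions_match "$(/opt/nginx/sbin/nginx -V 2>&1)" "$(openssl version)"` after copying the new binary into place.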


Origin blog.csdn.net/qq_39680564/article/details/120086634