Preface
In the Internet era, server security has always been an extremely important topic. As software versions are updated again and again, the vulnerability threats faced by servers keep growing. Servers therefore usually need to receive vulnerability reports about every part of the host on a regular basis, so that possible security risks are discovered and repaired promptly.
Typically, these vulnerability reports are caused by security vulnerabilities in software deployed on the server. Known vulnerabilities may be flagged when a scanner detects an older version of the software installed on a server. The most effective way to resolve this is to upgrade the software to a version that eliminates the possible vulnerabilities.
When a vulnerability report arrives, administrators need to promptly assess the risk and urgency of the vulnerability and plan corresponding remediation measures. Typically, vulnerability fixes need to be handled as quickly as possible to avoid risks such as attacks on the server or data leaks.
Problem Description
There is a security vulnerability in TLS protocol version 1.2 and earlier. It arises because the implementation does not correctly handle the DHE_EXPORT negotiation when the server has the DHE_EXPORT cipher suites enabled. An attacker can exploit this to mount a man-in-the-middle cipher-downgrade attack by rewriting the ClientHello (substituting DHE_EXPORT for DHE) and then rewriting the ServerHello (substituting DHE for DHE_EXPORT).
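The downgrade described above only works if the server's TLS library can still negotiate export-grade DHE suites, so the first thing to establish is whether the local OpenSSL build offers any. The following shell helper is an added example, not part of the original article; it assumes an openssl binary in PATH and relies on OpenSSL naming export-grade suites with the EXP- prefix (EXP-EDH-* for the ephemeral-DH variants). The sample cipher listing inside the script is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): check whether an OpenSSL build
# can still negotiate export-grade cipher suites, the precondition for the
# DHE_EXPORT downgrade described in the problem description.

# find_export_suites: read `openssl ciphers -v` output on stdin and print the
# names of export-grade suites (OpenSSL names them with the EXP- prefix).
find_export_suites() {
    awk '$1 ~ /^EXP-/ { print $1 }'
}

# count_dhe_export_suites: like above, but return only the number of
# export-grade ephemeral-DH suites (EXP-EDH-* in OpenSSL naming), which are
# the ones the DHE_EXPORT downgrade relies on.
count_dhe_export_suites() {
    awk '$1 ~ /^EXP-EDH-/ { n++ } END { print n + 0 }'
}

# check_local_openssl: run the real check against the openssl binary in PATH.
# Exit status 0 = no export suites available, 1 = some are, 2 = no openssl.
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || {
        echo "openssl not found in PATH" >&2
        return 2
    }
    # ALL:COMPLEMENTOFALL lists every suite the library can negotiate,
    # including those left out of the default cipher list.
    found=$(openssl ciphers -v 'ALL:COMPLEMENTOFALL' 2>/dev/null | find_export_suites)
    if [ -n "$found" ]; then
        printf 'export-grade suites still available:\n%s\n' "$found"
        return 1
    fi
    echo "no export-grade cipher suites available"
    return 0
}

# Constructed sample of `openssl ciphers -v` output from an old build that
# still carries export suites (format only; not captured from a real host).
SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export'

# Demonstration on the constructed sample; for the host itself run
# check_local_openssl instead.
printf '%s\n' "$SAMPLE_CIPHERS" | find_export_suites
```

A build in which the check reports no export suites cannot be downgraded this way regardless of what a rewritten ClientHello asks for; a build that still lists EXP-EDH-* suites is the case the upgrade below addresses.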
Solution: Upgrade openssl version
Preparation: Back up openssl related files first
mv /usr/bin/openssl /usr/bin/openssl_dateold
mv /usr/lib64/openssl /usr/lib64/openssl_dateold
1. Check the server openssl version
openssl version
The output is shown in the screenshot below.
As the screenshot shows, our current openssl version is 1.1.1k, which is lower than the 1.2 version in the problem description.
2. Check the path of openssl
which openssl
3. Download openssl
Download address https://www.openssl.org/source/
Method 1: Visit the openssl download page locally and download a version higher than version 1.2; you can choose the exact version yourself. The author chose openssl-3.0.10. After the download completes, upload the archive to a location of your choice on the server.
Method 2: Download with the wget command; by default the file is saved to the current directory.
wget --no-check-certificate https://www.openssl.org/source/openssl-3.0.10.tar.gz
Parameter: --no-check-certificate skips certificate verification of the download server.
4. Unzip and install openssl
The author runs the following from the /usr/local directory:
tar -zxvf openssl-3.0.10.tar.gz
5. Switch to the unzipped directory
cd openssl-3.0.10/
6. Execute configuration
./config --prefix=/usr/local/openssl
--prefix=/usr/local/openssl specifies the installation path.
If the following error is reported:
Can't locate IPC/Cmd.pm in @INC (@INC contains: /usr/local/openssl-3.0.10/util/perl /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 . /usr/local/openssl-3.0.10/external/perl/Text-Template-1.56/lib) at /usr/local/openssl-3.0.10/util/perl/OpenSSL/config.pm line 19.
BEGIN failed--compilation aborted at /usr/local/openssl-3.0.10/util/perl/OpenSSL/config.pm line 19.
Compilation failed in require at /usr/local/openssl-3.0.10/Configure line 23.
BEGIN failed--compilation aborted at /usr/local/openssl-3.0.10/Configure line 23.
This means the Perl module IPC::Cmd is missing.
Solution: install the IPC-Cmd module with your distribution's package manager (on yum-based systems):
yum -y install perl-IPC-Cmd
After the installation is successful, execute the command again: ./config --prefix=/usr/local/openssl
7. Compile and install
make && make install
8. Create symbolic links so that the system uses the new openssl
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl/ /usr/include/openssl
9. Add the new library directories to the dynamic linker configuration
echo "/usr/local/openssl/lib/" >> /etc/ld.so.conf
echo "/usr/local/openssl/lib64/" >> /etc/ld.so.conf
10. Reload the dynamic linker cache
ldconfig -v
11. Check the version after installation
openssl version
If the new openssl version is displayed, the installation succeeded.
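Steps 4 to 11 above, collected into re-runnable shell helpers, as an added example that is not part of the original article. It keeps the article's paths (/usr/local/openssl as the install prefix, /etc/ld.so.conf for the linker search path, /usr/bin/openssl_dateold for the backed-up binary) and adds two checks a practitioner would want: a SHA-256 comparison of the tarball, because the article's wget --no-check-certificate skips TLS verification of the download, and idempotent handling of ld.so.conf, because the article's echo >> appends a duplicate line each time it is re-run. The expected checksum is a placeholder to be taken from the OpenSSL download page; the version string in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original article): helpers for the manual
# upgrade steps, with a tarball checksum check and idempotent ld.so.conf edits.

# verify_sha256 FILE EXPECTED: succeed only if FILE's SHA-256 equals EXPECTED.
verify_sha256() {
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# ensure_ld_path CONF DIR: add DIR to the linker config exactly once
# (the article's `echo >> /etc/ld.so.conf` duplicates the line on re-runs).
ensure_ld_path() {
    conf=$1
    dir=$2
    touch "$conf"
    grep -qxF "$dir" "$conf" || printf '%s\n' "$dir" >> "$conf"
}

# parse_openssl_version: extract the version field from `openssl version`
# output read on stdin, e.g. the constructed line
# "OpenSSL 3.0.10 1 Aug 2023" yields "3.0.10".
parse_openssl_version() {
    awk '$1 == "OpenSSL" { print $2; exit }'
}

# upgrade_openssl TARBALL EXPECTED_SHA256 [PREFIX]: the article's steps 4-11
# plus the binary backup from the preparation step. Requires root and a
# build toolchain; it is not exercised by the checks that accompany this block.
upgrade_openssl() {
    tarball=$1
    expected=$2
    prefix=${3:-/usr/local/openssl}
    srcdir=$(basename "$tarball" .tar.gz)

    # Integrity check of the downloaded source archive before building it.
    verify_sha256 "$tarball" "$expected" || {
        echo "checksum mismatch for $tarball" >&2
        return 1
    }

    # Steps 4-7: unpack, configure with the install prefix, build, install.
    tar -zxf "$tarball" || return 1
    (cd "$srcdir" && ./config --prefix="$prefix" && make && make install) || return 1

    # Step 8 (with the preparation step's backup): point /usr/bin/openssl and
    # the header directory at the new installation, keeping the old binary.
    if [ -e /usr/bin/openssl ] && [ ! -L /usr/bin/openssl ]; then
        mv /usr/bin/openssl /usr/bin/openssl_dateold
    fi
    ln -sf "$prefix/bin/openssl" /usr/bin/openssl
    [ -e /usr/include/openssl ] || ln -s "$prefix/include/openssl/" /usr/include/openssl

    # Steps 9-10: register both lib and lib64 (3.x uses one or the other
    # depending on the platform, as in the article) and reload the cache.
    ensure_ld_path /etc/ld.so.conf "$prefix/lib/"
    ensure_ld_path /etc/ld.so.conf "$prefix/lib64/"
    ldconfig

    # Step 11: report the version now resolved through PATH.
    echo "installed OpenSSL $(openssl version | parse_openssl_version)"
}

# Usage (as root, after downloading the tarball and noting its published hash):
#   upgrade_openssl openssl-3.0.10.tar.gz <EXPECTED_SHA256_FROM_DOWNLOAD_PAGE>
```

Because the new binary is installed under its own prefix and only linked into /usr/bin, the distribution's packaged OpenSSL libraries stay in place for the programs that were built against them; only the ld.so.conf entries and the openssl symlink change what the system picks up first.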