Upgrading OpenSSL to 3.0.2 on CentOS 7

2022-03-18  InGramViking

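Today a high-severity vulnerability was reported in OpenSSL, as follows:

Vulnerability name: OpenSSL denial-of-service vulnerability
Component: OpenSSL
Affected versions:
Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1)
Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m)
Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc)
Vulnerability type: Denial of service
Exploitation conditions:
1. User authentication: No
2. Preconditions: gcc and a vulnerable version of OpenSSL must be installed
3. Trigger: Remote
Overall assessment:
<Overall exploitation difficulty>: Moderate; requires gcc and a vulnerable version of OpenSSL to be installed.
<Overall threat level>: High; can cause a denial of service.
--- Excerpted from Sangfor Qianlimu Security Lab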

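I checked my own version and decided to upgrade OpenSSL to the latest release, 3.0.2 (see the official configuration and installation documentation).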

# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

On CentOS 7.6, the upgrade will probably run into the following errors:

Can't locate IPC/Cmd.pm in @INC 
……
Can't locate Data/Dumper.pm in @INC 
……
Can't locate Test/More.pm in @INC 
……

Install the required packages:

yum install perl-IPC-Cmd perl-Data-Dumper perl-Test-Taint

Run the configuration

[root@locate openssl-openssl-3.0.2]# ./config 
Configuring OpenSSL version 3.0.2 for target linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Running configdata.pm
Creating Makefile.in
Creating Makefile

**********************************************************************
***                                                                ***
***   OpenSSL has been successfully configured                     ***
***                                                                ***
***   If you encounter a problem while building, please open an    ***
***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
***   and include the output from the following command:           ***
***                                                                ***
***       perl configdata.pm --dump                                ***
***                                                                ***
***   (If you are new to OpenSSL, you might want to consult the    ***
***   'Troubleshooting' section in the INSTALL.md file first)      ***
***                                                                ***
**********************************************************************

Build with make

${LDCMD:-gcc} -pthread -m64 -Wa,--noexecstack -Wall -O3 -L.   \
        -o test/x509aux \
        test/x509aux-bin-x509aux.o \
        test/libtestutil.a -lcrypto -ldl -pthread 
rm -f "apps/CA.pl"
/usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \
    "-oMakefile" apps/CA.pl.in > "apps/CA.pl"
chmod a+x apps/CA.pl
rm -f "apps/tsget.pl"
/usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \
    "-oMakefile" apps/tsget.in > "apps/tsget.pl"
chmod a+x apps/tsget.pl
rm -f "tools/c_rehash"
/usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \
    "-oMakefile" tools/c_rehash.in > "tools/c_rehash"
chmod a+x tools/c_rehash
rm -f "util/shlib_wrap.sh"
/usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \
    "-oMakefile" util/shlib_wrap.sh.in > "util/shlib_wrap.sh"
chmod a+x util/shlib_wrap.sh
rm -f "util/wrap.pl"
/usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \
    "-oMakefile" util/wrap.pl.in > "util/wrap.pl"
chmod a+x util/wrap.pl
make[1]: Leaving directory `/opt/tmp/openssl-openssl-3.0.2'

Run the tests with make test

[root@locate openssl-openssl-3.0.2]# make test 
make depend && make _tests
make[1]: Entering directory `/opt/tmp/openssl-openssl-3.0.2'
make[1]: Leaving directory `/opt/tmp/openssl-openssl-3.0.2'
make[1]: Entering directory `/opt/tmp/openssl-openssl-3.0.2'
( SRCTOP=. \
  BLDTOP=. \
  PERL="/usr/bin/perl" \
  FIPSKEY="f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813" \
  EXE_EXT= \
  /usr/bin/perl ./test/run_tests.pl  )
00-prep_fipsmodule_cnf.t .. skipped: FIPS module config file only supported in a fips build
Files=1, Tests=0,  0 wallclock secs ( 0.01 usr  0.00 sys +  0.11 cusr  0.02 csys =  0.14 CPU)
Result: NOTESTS
01-test_abort.t .................... ok   
……………… 
99-test_fuzz_x509.t ................ ok   
All tests successful.
Files=242, Tests=3283, 369 wallclock secs ( 8.90 usr  0.57 sys + 300.89 cusr 60.99 csys = 371.35 CPU)
Result: PASS
make[1]: Leaving directory `/opt/tmp/openssl-openssl-3.0.2'

Install with make install

Post-installation configuration

  1. Check the linked libraries
# ldd /usr/local/bin/openssl 
        linux-vdso.so.1 =>  (0x00007ffeca3f7000)
        libssl.so.3 => not found
        libcrypto.so.3 => not found
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f3f1fe9c000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f3f1fc80000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f3f1f8b3000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f3f200a0000)
  2. Register the newly installed libraries with the dynamic linker
echo "/usr/local/lib64/" > /etc/ld.so.conf.d/openssl3.0.2.conf 
ldconfig -v
  3. Back up the old binary and link the new version
mkdir -p /usr/bakup/usr/bin
mv /usr/bin/openssl /usr/bakup/usr/bin/
ln -s /usr/local/bin/openssl /usr/bin/openssl 
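
Once the steps above are done, it is worth confirming that the new binary resolves its libraries and that its version is outside the affected ranges quoted at the top of this post. The script below is an added example, not part of the original post; the function names are hypothetical and the version ranges are the ones listed in the advisory.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not OpenSSL tooling.

# suffix_lt A B: true if letter suffix A was released before B.
# Letter releases run "", a..z, za, zb, ...: a shorter suffix is older.
suffix_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        if (length(a) != length(b)) exit !(length(a) < length(b))
        exit !((a "") < (b ""))
    }'
}

# openssl_affected "<output of 'openssl version'>"
# 0 = inside an affected range from the advisory, 1 = fixed release,
# 2 = release series the advisory does not list.
openssl_affected() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    ver=${ver%%-*}                      # drop build tags such as "-fips"
    case $ver in
        3.0.[0-9]*) [ "${ver#3.0.}" -lt 2 ] ;;
        1.1.1*)     suffix_lt "${ver#1.1.1}" n ;;
        1.0.2*)     suffix_lt "${ver#1.0.2}" zd ;;
        *)          return 2 ;;
    esac
}

# missing_libs: read ldd output on stdin, print libraries left unresolved.
missing_libs() {
    awk '/=> not found/ { print $1 }'
}

# check_install [binary]: run both checks against an installed openssl.
check_install() {
    bin=${1:-/usr/local/bin/openssl}
    missing=$(ldd "$bin" | missing_libs)
    [ -z "$missing" ] || { echo "unresolved: $missing"; return 1; }
    v=$("$bin" version) || return 1
    rc=0; openssl_affected "$v" || rc=$?
    case $rc in
        0) echo "still affected: $v"; return 1 ;;
        1) echo "ok: $v" ;;
        *) echo "series not listed in advisory: $v"; return 2 ;;
    esac
}

# Demo input: the pre-upgrade version string shown earlier on this page.
openssl_affected "OpenSSL 1.0.2k-fips  26 Jan 2017" && echo "1.0.2k-fips: affected"
```

Run `check_install` (or `check_install /usr/bin/openssl`) after step 3. Distribution packages such as the CentOS openssl RPM can carry backported fixes under an unchanged version string, so the comparison is meaningful for upstream source builds like the one installed here.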