How to Upgrade OpenSSL for Nginx

1. What is OpenSSL?

On computer networks, OpenSSL is an open-source software library that applications can use for secure communication, preventing eavesdropping and verifying the identity of the party at the other end of the connection. The library is widely used on web servers across the Internet.
Its core library is written in C and implements basic cryptographic functions as well as the SSL and TLS protocols. OpenSSL runs on OpenVMS, Microsoft Windows and most Unix-like operating systems (including Solaris, Linux, Mac OS X and the various open-source BSD systems).
Although the software is open source, its licence terms conflict with the GPL, so GPL software that uses OpenSSL (such as Wget) must grant an exception for OpenSSL.
https://www.openssl.org/
2. What is Heartbleed?

The Heartbleed bug is a security vulnerability in the OpenSSL cryptographic library, which is widely used to implement the Internet's Transport Layer Security (TLS) protocol. It was introduced into OpenSSL in 2012 and first disclosed to the public in April 2014. Any system using a flawed OpenSSL instance, whether server or client, could be attacked through it. The cause is that the implementation of the TLS heartbeat extension did not properly validate its input (it lacked a bounds check); the bug takes its name from that "heartbeat". The defect is a buffer over-read: more data can be read than should be permitted.
Heartbleed is recorded in the Common Vulnerabilities and Exposures (CVE) system as CVE-2014-0160. The Canadian Cyber Incident Response Centre issued a security bulletin alerting system administrators to the vulnerability. On 7 April 2014, the same day the vulnerability was publicly disclosed, OpenSSL released a fixed version.
As of 20 May 2014, 1.5% of the 800,000 most popular TLS-enabled websites were still vulnerable to Heartbleed.
Because the flaw lies in OpenSSL's implementation rather than in the SSL/TLS protocol itself, other TLS implementations such as GnuTLS, Mozilla's Network Security Services (NSS) and the TLS implementation on the Windows platform are not affected.
3. Upgrading OpenSSL for Nginx

3.1 Check the current OpenSSL version
  # nginx -V
  nginx version: nginx/1.22.1
  built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
  built with OpenSSL 1.0.2k-fips  26 Jan 2017
  TLS SNI support enabled
3.2 Download the new OpenSSL source package from the official site and unpack it

It can also be downloaded from GitHub: https://github.com/openssl/openssl/releases
  # wget https://www.openssl.org/source/openssl-3.0.8.tar.gz -P /opt/ --no-check-certificate
  # tar -xf openssl-3.0.8.tar.gz
3.3 Reconfigure Nginx against the new OpenSSL source
  # ./configure  --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --with-openssl=/opt/openssl-3.0.8
3.4 Error during compilation
  # make
  make -f objs/Makefile
  make[1]: 进入目录“/usr/local/src/nginx-1.22.1”
  cd /opt/openssl-3.0.8 \
  && if [ -f Makefile ]; then make clean; fi \
  && ./config --prefix=/opt/openssl-3.0.8/.openssl no-shared no-threads  \
  && make \
  && make install_sw LIBDIR=lib
  Can't locate IPC/Cmd.pm in @INC (@INC contains: /opt/openssl-3.0.8/util/perl /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 . /opt/openssl-3.0.8/external/perl/Text-Template-1.56/lib) at /opt/openssl-3.0.8/util/perl/OpenSSL/config.pm line 19.
  BEGIN failed--compilation aborted at /opt/openssl-3.0.8/util/perl/OpenSSL/config.pm line 19.
  Compilation failed in require at /opt/openssl-3.0.8/Configure line 23.
  BEGIN failed--compilation aborted at /opt/openssl-3.0.8/Configure line 23.
  make[1]: *** [/opt/openssl-3.0.8/.openssl/include/openssl/ssl.h] 错误 2
3.5 Fix
  # yum install -y perl-CPAN
  [root@haitang-nginx-test openssl-3.0.8]# perl -MCPAN -e shell
  CPAN.pm requires configuration, but most of it can be done automatically.
  If you answer 'no' below, you will enter an interactive dialog for each
  configuration option instead.
  Would you like to configure as much as possible automatically? [yes] yes
  <install_help>
  Warning: You do not have write permission for Perl library directories.
  To install modules, you need to configure a local Perl library directory or
  escalate your privileges.  CPAN can help you by bootstrapping the local::lib
  module or by configuring itself to use 'sudo' (if available).  You may also
  resolve this problem manually if you need to customize your setup.
  What approach do you want?  (Choose 'local::lib', 'sudo' or 'manual')
3.6 Install the missing module
  cpan[1]> install IPC/Cmd.pm
  ..............................................................DONE
  Fetching with HTTP::Tiny:
  http://www.cpan.org/modules/03modlist.data.gz
  Reading '/root/.cpan/sources/modules/03modlist.data.gz'
  DONE
  Writing /root/.cpan/Metadata
  Running install for module 'IPC::Cmd'
  Running make for B/BI/BINGOS/IPC-Cmd-1.04.tar.gz
  Fetching with HTTP::Tiny:
  http://www.cpan.org/authors/id/B/BI/BINGOS/IPC-Cmd-1.04.tar.gz
  Fetching with HTTP::Tiny:
  http://www.cpan.org/authors/id/B/BI/BINGOS/CHECKSUMS
  Checksum for /root/.cpan/sources/authors/id/B/BI/BINGOS/IPC-Cmd-1.04.tar.gz ok
  Scanning cache /root/.cpan/build for sizes
  DONE
    CPAN.pm: Building B/BI/BINGOS/IPC-Cmd-1.04.tar.gz
  Checking if your kit is complete...
  Looks good
  Warning: prerequisite Locale::Maketext::Simple 0 not found.
  Warning: prerequisite Module::Load::Conditional 0.66 not found.
  Warning: prerequisite Params::Check 0.20 not found.
  Warning: prerequisite Test::More 0 not found.
  Writing Makefile for IPC::Cmd
  Could not read metadata file. Falling back to other methods to determine prerequisites
  ---- Unsatisfied dependencies detected during ----
  ----        BINGOS/IPC-Cmd-1.04.tar.gz        ----
      Test::More [requires]
      Locale::Maketext::Simple [requires]
      Module::Load::Conditional [requires]
      Params::Check [requires]
3.7 Once the module is installed, run the configure step again
  # ./configure  --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --with-openssl=/opt/openssl-3.0.8
  checking for OS
  + Linux 3.10.0-1062.el7.x86_64 x86_64
  checking for C compiler ... found
  + using GNU C compiler
  + gcc version: 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
  checking for gcc -pipe switch ... found
  checking for -Wl,-E switch ... found
  checking for gcc builtin atomic operations ... found
  checking for C99 variadic macros ... found
  checking for gcc variadic macros ... found
  checking for gcc builtin 64 bit byteswap ... found
3.8 Run make && make install
  # make && make install
  cp objs/nginx '/apps/nginx/sbin/nginx'
  test -d '/apps/nginx/conf' \
          || mkdir -p '/apps/nginx/conf'
  cp conf/koi-win '/apps/nginx/conf'
  cp conf/koi-utf '/apps/nginx/conf'
  cp conf/win-utf '/apps/nginx/conf'
  test -f '/apps/nginx/conf/mime.types' \
          || cp conf/mime.types '/apps/nginx/conf'
  cp conf/mime.types '/apps/nginx/conf/mime.types.default'
  test -f '/apps/nginx/conf/fastcgi_params' \
          || cp conf/fastcgi_params '/apps/nginx/conf'
  cp conf/fastcgi_params \
          '/apps/nginx/conf/fastcgi_params.default'
  test -f '/apps/nginx/conf/fastcgi.conf' \
          || cp conf/fastcgi.conf '/apps/nginx/conf'
  cp conf/fastcgi.conf '/apps/nginx/conf/fastcgi.conf.default'
  test -f '/apps/nginx/conf/uwsgi_params' \
          || cp conf/uwsgi_params '/apps/nginx/conf'
  cp conf/uwsgi_params \
          '/apps/nginx/conf/uwsgi_params.default'
  test -f '/apps/nginx/conf/scgi_params' \
          || cp conf/scgi_params '/apps/nginx/conf'
  cp conf/scgi_params \
          '/apps/nginx/conf/scgi_params.default'
  test -f '/apps/nginx/conf/nginx.conf' \
          || cp conf/nginx.conf '/apps/nginx/conf/nginx.conf'
  cp conf/nginx.conf '/apps/nginx/conf/nginx.conf.default'
  test -d '/apps/nginx/logs' \
          || mkdir -p '/apps/nginx/logs'
  test -d '/apps/nginx/logs' \
          || mkdir -p '/apps/nginx/logs'
  test -d '/apps/nginx/html' \
          || cp -R html '/apps/nginx'
  test -d '/apps/nginx/logs' \
          || mkdir -p '/apps/nginx/logs'
  make[1]: 离开目录“/usr/local/src/nginx-1.22.1”
3.9 Check whether the upgrade succeeded
  # nginx -V
  nginx version: nginx/1.22.1
  built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
  built with OpenSSL 3.0.8 7 Feb 2023
  TLS SNI support enabled
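The procedure above has two points a practitioner will want to check in a script: before the build, that the tarball fetched with --no-check-certificate matches the digest published on openssl.org and that the Perl module whose absence broke step 3.4 is present; after the build, that the binary really reports the new OpenSSL in step 3.9. The following script is an added example, not code from the original post; the paths, the WANT_OPENSSL value and the SHA256 placeholder are assumptions you replace with your own.

```shell
#!/bin/sh
# Added example, not from the original post. Hypothetical defaults below:
# replace NGINX_BIN, OPENSSL_TGZ, WANT_OPENSSL and the SHA256 placeholder.
NGINX_BIN="${NGINX_BIN:-/apps/nginx/sbin/nginx}"
OPENSSL_TGZ="${OPENSSL_TGZ:-/opt/openssl-3.0.8.tar.gz}"
WANT_OPENSSL="${WANT_OPENSSL:-3.0.8}"
# Placeholder: paste the SHA256 published next to the tarball on openssl.org.
OPENSSL_SHA256="${OPENSSL_SHA256:-<sha256-from-openssl.org>}"

# Check the tarball against the published digest; a download made with
# --no-check-certificate has no other integrity guarantee. Returns 0 on match.
verify_tarball() {
    printf '%s  %s\n' "$2" "$1" | sha256sum -c --status
}

# "Can't locate IPC/Cmd.pm" above means OpenSSL 3's Configure could not load
# a Perl module; detect that before starting a long build (fix as in 3.5/3.6).
check_perl_deps() {
    perl -MIPC::Cmd -e 1 2>/dev/null
}

# Extract the version from the "built with OpenSSL ..." line of `nginx -V`
# output read from stdin; handles "3.0.8 7 Feb 2023" and "1.0.2k-fips ...".
openssl_version_from_nginx_v() {
    sed -n 's/^built with OpenSSL \([0-9][0-9A-Za-z.-]*\).*/\1/p' | head -n 1
}

# Returns 0 when the `nginx -V` text ($1) reports OpenSSL $2. With --with-openssl
# the library is linked statically, so this reflects the binary, not the OS libssl.
check_linked_version() {
    got=$(printf '%s\n' "$1" | openssl_version_from_nginx_v)
    [ "$got" = "$2" ]
}

case "${1:-}" in
    preflight)   # run before ./configure
        verify_tarball "$OPENSSL_TGZ" "$OPENSSL_SHA256" || { echo "digest mismatch" >&2; exit 1; }
        check_perl_deps || { echo "perl module IPC::Cmd missing" >&2; exit 1; }
        echo "preflight ok" ;;
    verify)      # run after make install; nginx -V prints to stderr
        out=$("$NGINX_BIN" -V 2>&1)
        check_linked_version "$out" "$WANT_OPENSSL" && echo "linked OpenSSL $WANT_OPENSSL" \
            || { echo "still: $(printf '%s\n' "$out" | grep '^built with OpenSSL')" >&2; exit 1; }
        ;;
esac
```

Run it as `sh check.sh preflight` before step 3.3 and `sh check.sh verify` after step 3.8; with no argument it only defines the functions.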
Source: https://www.cnblogs.com/xunweidezui/p/17204841.html