Nginx如何升級Openssl

梨花海棠發表於2023-03-11

1. 什麼是Openssl?

在計算機網路上,OpenSSL是一個開放原始碼的軟體庫包,應用程式可以使用這個包來進行安全通訊,避免竊聽,同時確認另一端連線者的身份。這個包廣泛被應用在網際網路的網頁伺服器上。

其主要庫是以C語言所寫成,實現了基本的加密功能,實現了SSL與TLS協議。OpenSSL可以執行在OpenVMS、 Microsoft Windows以及絕大多數類Unix作業系統上(包括Solaris,Linux,Mac OS X與各種版本的開放原始碼BSD作業系統)。

雖然此軟體是開放原始碼的,但其許可書條款與GPL有衝突之處,故GPL軟體使用OpenSSL時(如Wget)必須對OpenSSL給予例外。
https://www.openssl.org/

2. 什麼是心臟滴血?

心臟出血漏洞(英語:Heartbleed bug),簡稱為心血漏洞,是一個出現在加密程式庫OpenSSL的安全漏洞,該程式庫廣泛用於實現網際網路的傳輸層安全(TLS)協議。它於2012年被引入了OpenSSL中,2014年4月首次向公眾披露。只要使用的是存在缺陷的OpenSSL例項,無論是伺服器還是客戶端,都可能因此而受到攻擊。此問題的原因是在實現TLS的心跳擴充套件時沒有對輸入進行適當驗證(缺少邊界檢查,因此漏洞的名稱來源於“心跳”(heartbeat。該程式錯誤屬於緩衝區過讀,即可以讀取的資料比應該允許讀取的還多。

心臟出血在通用漏洞披露(CVE)系統中的編號為CVE-2014-0160。加拿大網路事故響應中心釋出安全公告,提醒系統管理員注意漏洞。2014年4月7日,即漏洞公開披露的同一天,OpenSSL釋出了修復後的版本。
截至2014年5月20日,在80萬最熱門的啟用TLS的網站中,仍有1.5%易受心臟出血漏洞的攻擊。
因為缺陷在於OpenSSL的實現,而不是SSL/TLS協議本身,所以除了OpenSSL之外的其他TLS實現方式,如GnuTLS、Mozilla的網路安全服務(NSS)和Windows平臺的TLS實現都不受影響。

3. Nginx升級openssl

3.1 檢視現openssl版本

# nginx -V
nginx version: nginx/1.22.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled

3.2 官方下載新的openssl安裝包並解壓

也可在GitHub上下載: https://github.com/openssl/openssl/releases

# wget https://www.openssl.org/source/openssl-3.0.8.tar.gz -P /opt/ --no-check-certificate
]# tar -xf openssl-3.0.8.tar.gz 

3.3 重新編譯Nginx

# ./configure  --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --with-openssl=/opt/openssl-3.0.8

3.4 編譯時報錯

# make 
make -f objs/Makefile
make[1]: 進入目錄“/usr/local/src/nginx-1.22.1”
cd /opt/openssl-3.0.8 \
&& if [ -f Makefile ]; then make clean; fi \
&& ./config --prefix=/opt/openssl-3.0.8/.openssl no-shared no-threads  \
&& make \
&& make install_sw LIBDIR=lib
Can't locate IPC/Cmd.pm in @INC (@INC contains: /opt/openssl-3.0.8/util/perl /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 . /opt/openssl-3.0.8/external/perl/Text-Template-1.56/lib) at /opt/openssl-3.0.8/util/perl/OpenSSL/config.pm line 19.
BEGIN failed--compilation aborted at /opt/openssl-3.0.8/util/perl/OpenSSL/config.pm line 19.
Compilation failed in require at /opt/openssl-3.0.8/Configure line 23.
BEGIN failed--compilation aborted at /opt/openssl-3.0.8/Configure line 23.
make[1]: *** [/opt/openssl-3.0.8/.openssl/include/openssl/ssl.h] 錯誤 2

3.5 解決方法

yum install -y perl-CPAN
[root@haitang-nginx-test openssl-3.0.8]# perl -MCPAN -e shell

CPAN.pm requires configuration, but most of it can be done automatically.
If you answer 'no' below, you will enter an interactive dialog for each
configuration option instead.

Would you like to configure as much as possible automatically? [yes] yes

 <install_help>

Warning: You do not have write permission for Perl library directories.

To install modules, you need to configure a local Perl library directory or
escalate your privileges.  CPAN can help you by bootstrapping the local::lib
module or by configuring itself to use 'sudo' (if available).  You may also
resolve this problem manually if you need to customize your setup.

What approach do you want?  (Choose 'local::lib', 'sudo' or 'manual')

3.6 安裝預設的包

cpan[1]> install IPC/Cmd.pm 
..............................................................DONE
Fetching with HTTP::Tiny:
http://www.cpan.org/modules/03modlist.data.gz
Reading '/root/.cpan/sources/modules/03modlist.data.gz'
DONE
Writing /root/.cpan/Metadata
Running install for module 'IPC::Cmd'
Running make for B/BI/BINGOS/IPC-Cmd-1.04.tar.gz
Fetching with HTTP::Tiny:
http://www.cpan.org/authors/id/B/BI/BINGOS/IPC-Cmd-1.04.tar.gz
Fetching with HTTP::Tiny:
http://www.cpan.org/authors/id/B/BI/BINGOS/CHECKSUMS
Checksum for /root/.cpan/sources/authors/id/B/BI/BINGOS/IPC-Cmd-1.04.tar.gz ok
Scanning cache /root/.cpan/build for sizes
DONE

  CPAN.pm: Building B/BI/BINGOS/IPC-Cmd-1.04.tar.gz

Checking if your kit is complete...
Looks good
Warning: prerequisite Locale::Maketext::Simple 0 not found.
Warning: prerequisite Module::Load::Conditional 0.66 not found.
Warning: prerequisite Params::Check 0.20 not found.
Warning: prerequisite Test::More 0 not found.
Writing Makefile for IPC::Cmd
Could not read metadata file. Falling back to other methods to determine prerequisites
---- Unsatisfied dependencies detected during ----
----        BINGOS/IPC-Cmd-1.04.tar.gz        ----
    Test::More [requires]
    Locale::Maketext::Simple [requires]
    Module::Load::Conditional [requires]
    Params::Check [requires]

3.7 安裝完成繼續執行編譯操作。

# ./configure  --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --with-openssl=/opt/openssl-3.0.8
checking for OS
 + Linux 3.10.0-1062.el7.x86_64 x86_64
checking for C compiler ... found
 + using GNU C compiler
 + gcc version: 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
checking for gcc -pipe switch ... found
checking for -Wl,-E switch ... found
checking for gcc builtin atomic operations ... found
checking for C99 variadic macros ... found
checking for gcc variadic macros ... found
checking for gcc builtin 64 bit byteswap ... found

3.8 執行make && make install

# make && make install
cp objs/nginx '/apps/nginx/sbin/nginx'
test -d '/apps/nginx/conf' \
	|| mkdir -p '/apps/nginx/conf'
cp conf/koi-win '/apps/nginx/conf'
cp conf/koi-utf '/apps/nginx/conf'
cp conf/win-utf '/apps/nginx/conf'
test -f '/apps/nginx/conf/mime.types' \
	|| cp conf/mime.types '/apps/nginx/conf'
cp conf/mime.types '/apps/nginx/conf/mime.types.default'
test -f '/apps/nginx/conf/fastcgi_params' \
	|| cp conf/fastcgi_params '/apps/nginx/conf'
cp conf/fastcgi_params \
	'/apps/nginx/conf/fastcgi_params.default'
test -f '/apps/nginx/conf/fastcgi.conf' \
	|| cp conf/fastcgi.conf '/apps/nginx/conf'
cp conf/fastcgi.conf '/apps/nginx/conf/fastcgi.conf.default'
test -f '/apps/nginx/conf/uwsgi_params' \
	|| cp conf/uwsgi_params '/apps/nginx/conf'
cp conf/uwsgi_params \
	'/apps/nginx/conf/uwsgi_params.default'
test -f '/apps/nginx/conf/scgi_params' \
	|| cp conf/scgi_params '/apps/nginx/conf'
cp conf/scgi_params \
	'/apps/nginx/conf/scgi_params.default'
test -f '/apps/nginx/conf/nginx.conf' \
	|| cp conf/nginx.conf '/apps/nginx/conf/nginx.conf'
cp conf/nginx.conf '/apps/nginx/conf/nginx.conf.default'
test -d '/apps/nginx/logs' \
	|| mkdir -p '/apps/nginx/logs'
test -d '/apps/nginx/logs' \
	|| mkdir -p '/apps/nginx/logs'
test -d '/apps/nginx/html' \
	|| cp -R html '/apps/nginx'
test -d '/apps/nginx/logs' \
	|| mkdir -p '/apps/nginx/logs'
make[1]: 離開目錄“/usr/local/src/nginx-1.22.1”

3.9 檢視是否升級成功

# nginx -V
nginx version: nginx/1.22.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 3.0.8 7 Feb 2023
TLS SNI support enabled

相關文章