xiang8 posted on 2018-11-8 11:09:04

Upgrading OpenSSL for nginx

  A while ago a vulnerability was found in the installed OpenSSL version, so it had to be upgraded.
  1. Upgrade OpenSSL
  1.1. Check the current OpenSSL version:
  # openssl version
  OpenSSL 1.0.1e-fips 11 Feb 2013
  The current version is clearly too old; a newer release, 1.0.1g or later, must be downloaded.
  1.2. Download the package:
  Download URL:
  # wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
  1.3. Install OpenSSL
  # tar -zxvf openssl-1.0.1g.tar.gz
  # cd openssl-1.0.1g
  # make && make install
  1.4. Set up OpenSSL
  # mv /usr/bin/openssl /usr/bin/openssl.OFF
  # mv /usr/include/openssl /usr/include/openssl.OFF
  # ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
  # ln -s /usr/local/ssl/include/openssl /usr/include/openssl
  Configure the library search path:
  # echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
  # ldconfig -v
  Check the version number:
  # openssl version
  OpenSSL 1.0.1g 7 Apr 2014
  2. Upgrade the OpenSSL used by nginx
  2.1. Check the current nginx modules
  # /usr/local/nginx/sbin/nginx -V
  nginx version: nginx/1.2.2
  built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
  configure arguments: --prefix=/usr/local/nginx --with-google_perftools_module --user=www --group=www --with-http_stub_status_module --with-openssl=/usr/ --with-pcre=/tmp/soft/lnmp/pcre-8.31
  SSL 1.0.1g 7 Apr 2014
  2.2. Recompile nginx to upgrade OpenSSL
  # tar -zxvf nginx-1.2.2.tar.gz
  # cd nginx-1.2.2
  2.3. Change how OpenSSL is loaded:
  # vi auto/lib/openssl/conf
  CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
  CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
  CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
  CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
  Change to:
  CORE_INCS="$CORE_INCS $OPENSSL/include"
  CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
  CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"
  CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"
  2.4. Recompile nginx
  # ./configure \
  --prefix=/usr/local/nginx \
  --with-google_perftools_module \
  --user=www \
  --group=www \
  --with-http_stub_status_module \
  --with-http_ssl_module \
  --with-openssl=/usr/local/ssl \
  --with-pcre=/tmp/soft/lnmp/pcre-8.31
  # make
  2.5. Replace the nginx binary
  # cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.old
  # cp ./objs/nginx /usr/local/nginx/sbin/
  2.6. Check the nginx modules
  # /usr/local/nginx/sbin/nginx -V
  nginx version: nginx/1.2.2
  built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
  TLS SNI support enabled
  configure arguments: --prefix=/usr/local/nginx --with-google_perftools_module --user=www --group=www --with-http_stub_status_module --with-http_ssl_module --with-openssl=/usr/local/ssl --with-pcre=/tmp/soft/lnmp/pcre-8.31
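
Because the build in 2.3 links libssl.a and libcrypto.a statically, `openssl version` only reports the command-line tool, and the `nginx -V` output in 2.6 shows no OpenSSL version, so the check below reads the version banner embedded in the binary itself and compares it with the 1.0.1g minimum from the post. This is an added example, not part of the original post; the function names are hypothetical and the sample "binary" is constructed.

```bash
#!/bin/bash
# Added example: verify which OpenSSL a statically linked binary carries.
MIN_VERSION="1.0.1g"   # minimum release named in the post

# Print the first embedded OpenSSL version, e.g. "1.0.1g" (empty if none).
embedded_openssl_version() {
    LC_ALL=C grep -a -o 'OpenSSL [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*' "$1" \
        | head -n 1 | cut -d' ' -f2
}

# Turn "1.0.1g" into a byte-sortable key "001.000.001.g".
version_key() {
    printf '%s\n' "$1" | awk -F. '{
        patch = $3; letter = $3
        sub(/[a-z]*$/, "", patch)     # numeric part of the third field
        sub(/^[0-9]*/, "", letter)    # letter suffix, may be empty
        printf "%03d.%03d.%03d.%s\n", $1, $2, patch, letter
    }'
}

# Succeed if version $1 is the same as or newer than version $2.
version_at_least() {
    lowest=$(printf '%s\n%s\n' "$(version_key "$1")" "$(version_key "$2")" \
        | LC_ALL=C sort | head -n 1)
    [ "$lowest" = "$(version_key "$2")" ]
}

# Report OK / OUTDATED / UNKNOWN for one binary; non-zero status unless OK.
check_binary() {
    ver=$(embedded_openssl_version "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN"; return 2
    elif version_at_least "$ver" "$MIN_VERSION"; then
        echo "OK $ver"
    else
        echo "OUTDATED $ver"; return 1
    fi
}

# Constructed sample: a stand-in file carrying the old banner from step 1.1.
demo=$(mktemp)
printf 'ELF\0junk\0OpenSSL 1.0.1e-fips 11 Feb 2013\0' > "$demo"
check_binary "$demo" || true
rm -f "$demo"
```

Running `check_binary` on /usr/local/nginx/sbin/nginx and on the nginx.old backup from step 2.5 shows whether the rebuilt binary differs from the one it replaced.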
