I. Vulnerability description:

OpenSSL is an open-source implementation of SSL/TLS used to provide strong encryption for network communication.

In OpenSSL 1.1.0 and 1.0.2, a maliciously crafted input with excessive recursion in constructed ASN.1 types can overflow the stack (the parser recurses once per nesting level) and cause a denial of service.

The installed OpenSSL version, as reported by openssl version:
OpenSSL 1.0.2g 1 Mar 2016

II. Remediation

1. Upgrade path. The official OpenSSL release statement (translated):
The latest stable version is the 1.1.1 series. This is also our Long Term Support (LTS) version, supported until 11 September 2023. Our previous LTS version (the 1.0.2 series) will continue to be supported until 31 December 2019 (security fixes only during the final year of support). The 1.1.0 series currently receives only security fixes and will go out of support on 11 September 2019. All users of 1.0.2 and 1.1.0 are encouraged to upgrade to 1.1.1 as soon as possible. Versions 0.9.8, 1.0.0 and 1.0.1 are no longer supported and should not be used.

So either upgrade the current OpenSSL to 1.0.2t, or go straight to openssl-1.1.1d.tar.gz (the latest official release at the time of writing).
Download page: https://www.openssl.org/source/
Or fetch it directly: wget https://www.openssl.org/source/openssl-1.1.1d.tar.gz

2. Unpack the tarball, change into the extracted directory and run: ./config --prefix=/usr/local/openssl shared zlib

If the previous OpenSSL was the distribution's default installation, ./config can also be run without any arguments:

make depend

Install gcc with apt-get install gcc -y. This failed with:

gcc-6-base is already the newest version (6.0.1-0ubuntu1).
libgcc1 is already the newest version (1:6.0.1-0ubuntu1).
gcc-5-base is already the newest version (5.4.0-6ubuntu1~16.04.12).
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

E: Unable to correct problems, you have held broken packages.

Tried again with # apt-get install gcc (note: without -y this time) and, surprisingly, it succeeded. The output:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libaio1 libevent-core-2.0-5 libhtml-template-perl libnuma1 linux-headers-4.4.0-116 linux-headers-4.4.0-116-generic
  linux-image-4.4.0-116-generic linux-image-extra-4.4.0-116-generic mysql-client-5.7 mysql-client-core-5.7 mysql-common mysql-server-core-5.7
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  cpp cpp-5 gcc-5 libasan2 libatomic1 libc-dev-bin libc6-dev libcc1-0 libcilkrts5 libgcc-5-dev libgomp1 libisl15 libitm1 liblsan0 libmpc3
  libmpx0 libquadmath0 libtsan0 libubsan0 linux-libc-dev manpages manpages-dev
Suggested packages:
  cpp-doc gcc-5-locales gcc-multilib autoconf automake libtool flex bison gdb gcc-doc gcc-5-multilib gcc-5-doc libgcc1-dbg libgomp1-dbg
  libitm1-dbg libatomic1-dbg libasan2-dbg liblsan0-dbg libtsan0-dbg libubsan0-dbg libcilkrts5-dbg libmpx0-dbg libquadmath0-dbg glibc-doc
  man-browser
The following NEW packages will be installed:
  cpp cpp-5 gcc gcc-5 libasan2 libatomic1 libc-dev-bin libc6-dev libcc1-0 libcilkrts5 libgcc-5-dev libgomp1 libisl15 libitm1 liblsan0 libmpc3
  libmpx0 libquadmath0 libtsan0 libubsan0 linux-libc-dev manpages manpages-dev
0 upgraded, 23 newly installed, 0 to remove and 80 not upgraded.
Need to get 26.4 MB of archives.
After this operation, 87.6 MB of additional disk space will be used.
Do you want to continue? [Y/n] y

Check the gcc version and that the gcc command now exists.

Check the system release; the original plan had been to switch the apt sources first (reference below).

Reference: https://wiki.ubuntu.org.cn/%E6%A8%A1%E6%9D%BF:16.04source

With gcc installed, compile again: make

After compilation, install: make install

Verification: openssl version now fails with:

openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory

This happens because the new OpenSSL libraries are not in a directory the dynamic loader searches. One fix is to symlink them into /usr/lib:

ln -s /usr/local/openssl/lib/libssl.so.1.1 /usr/lib/

ln -s /usr/local/openssl/lib/libcrypto.so.1.1 /usr/lib/
What was actually run (note that find located the new libraries under /usr/local/lib rather than /usr/local/openssl/lib, so those are the paths that were linked):

root@:/usr/local# find /usr/local/ -iname libssl.so.1.1
/usr/local/openssl-1.1.1d/libssl.so.1.1
/usr/local/lib/libssl.so.1.1
root@:/usr/local# ll /usr/local/lib/libssl.so.1.1
-rwxr-xr-x 1 root root 693392 Nov 21 11:34 /usr/local/lib/libssl.so.1.1*
root@i:/usr/local# ln -s /usr/local/lib/libssl.so.1.1 /usr/lib
root@:/usr/local# find /usr/local/ -iname libcrypto.so.1.1
/usr/local/openssl-1.1.1d/libcrypto.so.1.1
/usr/local/lib/libcrypto.so.1.1
root@:/usr/local# ls /usr/local/lib/libcrypto.so.1.1
/usr/local/lib/libcrypto.so.1.1
root@/usr/local# ll /usr/local/lib/libcrypto.so.1.1
-rwxr-xr-x 1 root root 3398936 Nov 21 11:34 /usr/local/lib/libcrypto.so.1.1*
root@:/usr/local# ln -s /usr/local/lib/libcrypto.so.1.1
root@:/usr/local# ln -s /usr/local/lib/libcrypto.so.1.1 /usr/lib
root@:/usr/local# openssl version
OpenSSL 1.1.1d  10 Sep 2019   ## upgrade succeeded

3. Back up the current OpenSSL:

mv /usr/local/openssl /usr/local/openssl.bak

mv /usr/include/openssl /usr/include/openssl.bak

If your OpenSSL was the distribution's default installation:

In /etc/apparmor.d/abstractions, back up the profile: mv openssl openssl.1.0.2g
In /usr/bin, back up the binary: mv openssl openssl.1.0.2g
There is also an openssl directory under /usr/lib/python3/dist-packages/cryptography/hazmat/backends/ (the OpenSSL backend of the Python cryptography package, which system tools call into); back it up as well. It contains these files:
backend.py ciphers.py cmac.py dsa.py ec.py hashes.py hmac.py __init__.py __pycache__ rsa.py utils.py x509.py

/usr/local/share/doc/openssl only holds the OpenSSL documentation and does not need to be backed up.

On RPM-based systems the equivalent is:

# CentOS 7
rpm -Uvh openssl-1.0.2k-19.el7.x86_64.rpm openssl-libs-1.0.2k-19.el7.x86_64.rpm openssl-devel-1.0.2k-19.el7.x86_64.rpm
# CentOS 8
rpm -Uvh openssl-1.1.1g-12.el8_3.x86_64.rpm openssl-devel-1.1.1g-12.el8_3.x86_64.rpm openssl-libs-1.1.1g-12.el8_3.x86_64.rpm

4. Point the system at the new version:

ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl

ln -s /usr/local/openssl/include/openssl /usr/include/openssl
Or, depending on where your build actually landed:
cp /usr/local/bin/openssl /etc/apparmor.d/abstractions/

cp /usr/local/bin/openssl /usr/bin

Caveat: /etc/apparmor.d/abstractions/openssl is an AppArmor profile abstraction, a text file included by other profiles, not a copy of the binary; overwriting it with the openssl executable breaks every profile that includes it. Keep the text file there and only replace the binary in /usr/bin.

5. Update the dynamic linker configuration:

echo "/usr/local/ssl/lib" >> /etc/ld.so.conf

Check this path against your build before appending it: with --prefix=/usr/local/openssl the libraries are in /usr/local/openssl/lib, and with a bare ./config they go to /usr/local/lib (where find located them above), while /usr/local/ssl is only the openssldir holding openssl.cnf and the certs and private directories, as the listing below shows.

ls /usr/local/ssl/
certs/                ct_log_list.cnf.dist  openssl.cnf           private/              
ct_log_list.cnf       misc/                 openssl.cnf.dist      
cat /etc/ld.so.conf
include /etc/ld.so.conf.d/*.conf
/usr/bin/python/lib
/usr/local/ssl/lib   ## the appended line

Reload the dynamic linker cache:
ldconfig -v
6. Check the version again:
#openssl version
OpenSSL 1.1.1d 10 Sep 2019

At this point the upgrade to the OpenSSL 1.1.1 long-term support (LTS) release is complete.
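A post-upgrade check for the procedure above, added here as an example (it is not part of the original post). It assumes the build used --prefix=/usr/local/openssl, so LIBDIR defaults to /usr/local/openssl/lib, and takes 1.0.2t (the page's minimum fixed 1.0.2 release) as the default MIN_VERSION; the version comparison understands OpenSSL's letter patch levels, and the ld.so.conf check follows include lines, which a plain grep would miss.

```shell
#!/bin/sh
# Post-upgrade audit for a source-built OpenSSL (added example, not from the post).
# Assumptions: the build used --prefix=/usr/local/openssl, so its libraries live in
# /usr/local/openssl/lib (override with LIBDIR=...); the minimum acceptable version
# is 1.0.2t, the page's fixed 1.0.2 release (override with MIN_VERSION=...).

# Reduce "OpenSSL 1.0.2g  1 Mar 2016" (or a bare "1.1.1d") to a numeric key such as
# "1.0.2.7": the trailing letter is OpenSSL's patch level (a=1, b=2, ...), 0 if absent.
ssl_version_key() {
    local ver base letter patch
    ver=${1#OpenSSL }
    ver=${ver%% *}
    base=${ver%%[a-z]*}
    letter=$(printf '%.1s' "${ver#"$base"}")
    patch=0
    [ -n "$letter" ] && patch=$(( $(printf '%d' "'$letter") - 96 ))
    printf '%s.%d\n' "$base" "$patch"
}

# Succeed when version string $1 is at least version $2 (field-by-field compare).
version_at_least() {
    local have min i a b
    have=$(ssl_version_key "$1")
    min=$(ssl_version_key "$2")
    for i in 1 2 3 4; do
        a=$(printf '%s\n' "$have" | cut -d. -f"$i")
        b=$(printf '%s\n' "$min" | cut -d. -f"$i")
        [ "${a:-0}" -gt "${b:-0}" ] && return 0
        [ "${a:-0}" -lt "${b:-0}" ] && return 1
    done
    return 0
}

# Succeed when directory $2 is listed in ld.so.conf file $1, following "include"
# lines (with globs) the way ldconfig does and ignoring '#' comments.
ldconf_lists_dir() {
    local conf="$1" dir="${2%/}" line inc
    [ -r "$conf" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$line" in
            '') ;;
            include\ *)
                for inc in ${line#include }; do      # unquoted on purpose: expand the glob
                    ldconf_lists_dir "$inc" "$dir" && return 0
                done ;;
            *) [ "${line%/}" = "$dir" ] && return 0 ;;
        esac
    done < "$conf"
    return 1
}

# Print the libssl/libcrypto lines the openssl binary resolves to (needs ldd).
resolve_libs() {
    local bin
    bin=$(command -v openssl) || return 1
    command -v ldd >/dev/null 2>&1 || return 1
    ldd "$bin" | grep -E 'lib(ssl|crypto)\.so'
}

main() {
    local min="${MIN_VERSION:-1.0.2t}" libdir="${LIBDIR:-/usr/local/openssl/lib}" have libs rc=0
    if ! have=$(openssl version 2>&1); then
        echo "FAIL: openssl does not run: $have"   # e.g. libssl.so.1.1: cannot open shared object file
        rc=1
    elif version_at_least "$have" "$min"; then
        echo "OK:   $have (>= $min)"
    else
        echo "FAIL: $have is older than $min"
        rc=1
    fi
    if ldconf_lists_dir /etc/ld.so.conf "$libdir"; then
        echo "OK:   $libdir is listed in /etc/ld.so.conf (run ldconfig after editing it)"
    else
        echo "WARN: $libdir is not listed in /etc/ld.so.conf; the loader may pick up an old libssl"
    fi
    if libs=$(resolve_libs); then
        echo "$libs"
        echo "$libs" | grep -q 'not found' && { echo "FAIL: an OpenSSL library is unresolved"; rc=1; }
    fi
    return "$rc"
}

main || echo "RESULT: OpenSSL upgrade check FAILED"
```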

III. Fixing reported SSL vulnerabilities on Windows

1) SSL/TLS Bar Mitzvah attack (CVE-2015-2808)
SSL/TLS is a widely used encryption protocol. The Bar Mitzvah attack exploits the "invariance weakness", a flaw in the RC4 stream cipher that under certain conditions leaks plaintext from SSL/TLS-encrypted traffic, exposing account user names and passwords, credit-card data and other sensitive information to an attacker.
Temporary workaround (client side):
1) Close Chrome and Mozilla Firefox completely.
2) Make a copy of the shortcut you normally use to open Chrome (or Firefox).
3) Right-click the new shortcut and open Properties.
4) Append the following to the end of the Target field: --cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007
(The four suite IDs are the RC4 cipher suites. The switch is a Chrome command-line flag; Firefox does not accept it.)
2) SSL/TLS RC4 information disclosure (CVE-2013-2566)
Secure Sockets Layer (SSL) is a security protocol that Netscape introduced together with the first release of its web browser to provide confidentiality and data integrity for network communication; it encrypts the connection at the transport layer. Transport Layer Security (TLS) is the IETF's standardisation of SSL (RFC 2246) and differs only slightly from SSL 3.0.

The RC4 keystream as used in SSL/TLS has single-byte biases. A remote attacker who can collect a large number of sessions that encrypt the same plaintext can recover that plaintext by statistical analysis.

Recommended fix: use the current protocol version, TLS 1.2.

The SSL/TLS family has five protocol versions: SSL v2, SSL v3, TLS v1.0, TLS v1.1 and TLS v1.2. SSL v2 is insecure and must not be used. SSL v3 is insecure when used with HTTP (the POODLE attack) and weak with other protocols. TLS v1.0 is still in use on many sites, but because of its own known weaknesses the rating services treat enabling it as unsafe and lower the grade, so it is not recommended. TLS v1.1 and v1.2 have no known security problems, but only v1.2 provides modern cipher suites; it is the only one of them offering modern authenticated encryption (AEAD). TLS 1.3 has also been released and can be considered.

Remediation:

1) On Windows, disable SSL 2.0 and SSL 3.0 (enabled by default) and leave only TLS 1.2 enabled. There are two ways: a tool, or editing the registry:

1> Using the IISCrypto tool

Download: https://www.nartac.com/Products/IISCrypto/Download

Once installed, open it: untick every protocol other than TLS 1.2 and click Apply; it will prompt for a server restart.

Verify after the restart.

Two scanners can be used:

http://s.tool.chinaz.com/https?url=www.apizl.com   // www.gorg.com can be substituted; it has a higher rating

https://myssl.com/www.apizl.com:443?status=success   Before restricting the server to TLS 1.2 the result was:

(Screenshots in the original: the scan result, the grading explanation, and the test pages the chinaz tool offers.)

After applying the configuration and rebooting the host, scan again. In IISCrypto, SSL 2.0 is unticked as well.
The scan still reports PCI DSS non-compliance. The reason, according to the related material: the PCI Security Standards Council requires TLS 1.0 to be disabled after 30 June 2018, so a server that still offers TLS 1.0 fails PCI DSS. Was TLS 1.0 perhaps not actually disabled on this host?

The myssl report also shows that the site still supports it.

Server-side remediation:

① Open the SSL configuration file (ssl.conf) of the nginx server.

② Find ssl_protocols TLSv1 TLSv1.1 TLSv1.2; and change it to ssl_protocols TLSv1.1 TLSv1.2;   // disables TLS 1.0

③ Restart the server. Done.

But how should the client side be changed?

Appendix: handling ATS (Apple App Transport Security) non-compliance

Possible cause: the OpenSSL version is too old and does not support TLS 1.2, so the check fails.
yum update openssl* -y   // sometimes nginx needs upgrading as well
Modify the nginx configuration:
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_prefer_server_ciphers on;

The myssl report also lists which browsers do not support TLS 1.2 and TLS 1.3.

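A lint for the nginx TLS settings discussed in this section, added here as an example (it is not the post's own code and not an nginx tool): it reads the ssl_protocols, ssl_ciphers and ssl_prefer_server_ciphers directives from a config file and reports the versions the page says to disable (SSL 2.0/3.0, and TLS 1.0 for PCI DSS) and a cipher list that can still select RC4 suites (CVE-2013-2566 / Bar Mitzvah). The two sample configs it writes are constructed for the demo.

```shell
#!/bin/sh
# nginx TLS directive lint (added example, not from the post). A pure text check:
# it needs neither nginx nor openssl and inspects the first occurrence of each
# directive in the given file.

# Print the value of directive $2 in config file $1 (first occurrence, without ';').
nginx_directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$1" | head -n 1
}

# Print one finding per line; return the number of findings (0 = clean).
tls_lint() {
    local conf="$1" issues=0 protos ciphers prefer tok aliases="" rc4kill=no old_ifs
    protos=$(nginx_directive "$conf" ssl_protocols)
    ciphers=$(nginx_directive "$conf" ssl_ciphers)
    prefer=$(nginx_directive "$conf" ssl_prefer_server_ciphers)

    [ -n "$protos" ] || { echo "ssl_protocols not set: nginx's default applies, set it explicitly"; issues=$((issues+1)); }
    for tok in $protos; do
        case "$tok" in
            SSLv2|SSLv3) echo "ssl_protocols enables $tok (insecure; POODLE for SSLv3)"; issues=$((issues+1)) ;;
            TLSv1)       echo "ssl_protocols enables TLSv1 (PCI DSS non-compliant since 2018-06-30)"; issues=$((issues+1)) ;;
        esac
    done

    # Cipher list: an explicit "!RC4" entry removes RC4 suites for good. Without it,
    # alias tokens (no '-' in the name: HIGH, ECDH, AES, ...) may still expand to RC4
    # suites on an older OpenSSL, and a suite named with RC4 is always a finding.
    [ -n "$ciphers" ] || { echo "ssl_ciphers not set: the OpenSSL default list applies"; issues=$((issues+1)); }
    old_ifs=$IFS; IFS=:
    for tok in $ciphers; do
        case "$tok" in
            '!RC4')          rc4kill=yes ;;
            '!'*|-*|+*|@*)   ;;                  # other kill/remove/reorder entries
            *RC4*)           echo "ssl_ciphers names an RC4 suite ($tok)"; issues=$((issues+1)) ;;
            *-*)             ;;                  # explicit non-RC4 suite name
            *)               aliases="${aliases:+$aliases }$tok" ;;
        esac
    done
    IFS=$old_ifs
    if [ "$rc4kill" = no ] && [ -n "$aliases" ]; then
        echo "ssl_ciphers uses aliases ($aliases) without !RC4; append !RC4 to rule RC4 out"
        issues=$((issues+1))
    fi

    [ "$prefer" = on ] || { echo "ssl_prefer_server_ciphers is not on; the client's cipher order wins"; issues=$((issues+1)); }
    return "$issues"
}

# Constructed sample configs for the demo: the "before" and "after" of this section.
write_samples() {                                  # $1 = directory to write into
    cat > "$1/weak.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH;
}
EOF
    cat > "$1/hardened.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_prefer_server_ciphers on;
}
EOF
}

# Lint the file given on the command line, or both samples when run without one.
main() {
    local dir f
    if [ -n "$1" ]; then
        tls_lint "$1"
        return
    fi
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    for f in weak hardened; do
        echo "== $f.conf"
        if tls_lint "$dir/$f.conf"; then echo "-> clean"; else echo "-> $? finding(s)"; fi
    done
    rm -rf "$dir"
}

main "$@"
```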

IV. OpenSSL upgrade script

#!/bin/bash
# Upgrade OpenSSL and OpenSSH from RPM packages (CentOS/RHEL, x86_64).
# Assumption, implied by the original flow: the openssl*.rpm and openssh*.rpm
# packages to be installed have been staged in /tmp/updatessh beforehand (for
# example the package built in section V); the source tarball fetched below is
# only unpacked, not built.
ssl_ver=$(openssl version | awk '{print $1"-"$2}')
BackupDir=/tmp/sshd_backup_$(date +%Y%m%d)
PatchLog=$BackupDir/ssh_ssl_upgrade.log
WorkDir=/tmp/updatessh

# Print a highlighted progress message and append it to the patch log.
_echo() {
    local info=$*
    echo -e "\e[1;33m ${info} \e[0m" | tee -a "$PatchLog"
}

# Print an error in red and abort.
_die() {
    echo -e "\033[31m$0: $* \033[0m" >&2
    exit 1
}

# Preconditions: must run as root on x86_64; create the backup/log directory.
runcheck() {
    [ "$(id -u)" -eq 0 ] || _die "this script must be run as root!"
    [ "$(uname -p)" = "x86_64" ] || _die "this script must be run on x86_64!"
    mkdir -p "$BackupDir"
}

# Build/runtime dependencies for OpenSSH (yum).
pkginstall() {
    _echo "# $(date +%F-%X) install base pkg......"
    yum install libXt-devel imake libSM libICE zlib-devel pam-devel -y >/dev/null && sleep 5
    _echo "# $(date +%F-%X) install base pkg done."
}

# Fetch and unpack the OpenSSL source tarball (wget).
rpmdown() {
    mkdir -p "$WorkDir"
    cd "$WorkDir" || _die "cannot enter $WorkDir"
    #wget https://www.openssl.org/source/openssl-3.0.3.tar.gz >/dev/null && _echo "# $(date +%F-%X) openssl-3.0.3.tar.gz download success."
    if wget https://www.openssl.org/source/openssl-1.1.1o.tar.gz >/dev/null; then
        _echo "# $(date +%F-%X) openssl-1.1.1o.tar.gz download success."
        tar -xzvf openssl-1.1.1o.tar.gz
    else
        _die "openssl-1.1.1o.tar.gz download failed, please check!"
    fi
}

# OpenSSL: remove the old packages (keeping -libs), install the staged RPMs,
# point ld.so.conf at the new library directory and refresh the cache.
install_openssl() {
    _echo "# $(date +%F-%X) uninstall $ssl_ver......"
    rpm -e $(rpm -qa | grep openssl | grep -v libs) --nodeps

    _echo "# $(date +%F-%X) install openssl-1.1.1o......"
    rpm -Uvh "$WorkDir"/openssl*.rpm --nodeps
    cp /etc/ld.so.conf /etc/ld.so.conf.bak
    sed -i '/openssl/d' /etc/ld.so.conf
    #sed -i 's/openssl-1.1.1o/openssl/g' /etc/ld.so.conf
    echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
    ldconfig
    _echo "# $(date +%F-%X) openssl-1.1.1o upgrade done......"
    _echo "# $(date +%F-%X) Current version:"
    openssl version | tee -a "$PatchLog"
}

# OpenSSH: back up the PAM and sshd configs, swap the packages, restore the
# configs and restart sshd.
install_openssh() {
    _echo "------------------------------------------"
    _echo "# $(date +%F-%X) Stop sshd......"
    systemctl stop sshd

    _echo "# $(date +%F-%X) backup /etc/pam.d/sshd......"
    cp /etc/pam.d/sshd "$BackupDir"

    _echo "# $(date +%F-%X) backup /etc/ssh/sshd_config......"
    cp /etc/ssh/sshd_config "$BackupDir"

    _echo "# $(date +%F-%X) uninstall openssh......"
    rpm -e $(rpm -qa | grep openssh) --nodeps

    _echo "# $(date +%F-%X) install openssh-8.6p1......"
    rpm -Uvh "$WorkDir"/openssh*.rpm --nodeps

    # As in the original; note this also makes ssh_config and the public host
    # keys readable by root only.
    _echo "# $(date +%F-%X) chmod 600 /etc/ssh/*......"
    chmod 600 /etc/ssh/*

    _echo "# $(date +%F-%X) recover /etc/pam.d/sshd......"
    \cp "$BackupDir"/sshd /etc/pam.d/sshd

    _echo "# $(date +%F-%X) recover /etc/ssh/sshd_config......"
    \cp "$BackupDir"/sshd_config /etc/ssh/sshd_config

    _echo "# $(date +%F-%X) restart sshd......"
    systemctl restart sshd

    _echo "# $(date +%F-%X) openssh-8.6p1 upgrade done......"
    _echo "# $(date +%F-%X) Current version:"
    ssh -V 2>&1 | tee -a "$PatchLog"     # ssh -V prints to stderr
    _echo "# $(date +%F-%X) openssh && openssl update success!"
}

# Remove the staged files.
rpmclear() {
    rm -rf "$WorkDir"/* >/dev/null && _echo "# $(date +%F-%X) clear $WorkDir/ done."
}

main() {
    runcheck
    pkginstall
    rpmdown
    install_openssl
    install_openssh
    rpmclear
}

main

Further reading: the OpenSSL 3.0 migration guide, the OpenSSL cryptographic library documentation, and the OpenSSL vulnerabilities list.

V. Building an OpenSSL 1.1.1 RPM package

Source tarball: https://www.openssl.org/source/openssl-1.1.1o.tar.gz
Create the packaging script under /opt and make it executable: chmod 755 install-openssl_1.1.1o.sh

#!/bin/bash
set -e
set -v
mkdir -p ~/openssl && cd ~/openssl
yum -y install \
    curl \
    which \
    make \
    gcc \
    perl \
    perl-WWW-Curl \
    rpm-build
# Get the openssl tarball (assumed to have been downloaded to /root beforehand)
cp /root/openssl-1.1.1o.tar.gz ./

# SPEC file
cat << 'EOF' > ~/openssl/openssl.spec
Summary: OpenSSL 1.1.1o for CentOS
Name: openssl
Version: %{?version}%{!?version:1.1.1o}
Release: 1%{?dist}
Obsoletes: %{name} <= %{version}
Provides: %{name} = %{version}
URL: https://www.openssl.org/
License: GPLv2+

Source: https://www.openssl.org/source/%{name}-%{version}.tar.gz

BuildRequires: make gcc perl perl-WWW-Curl
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
%global openssldir /usr/openssl

%description
OpenSSL RPM for version 1.1.1o on CentOS

%package devel
Summary: Development files for programs which will use the openssl library
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}

%description devel
OpenSSL RPM for version 1.1.1o on CentOS (development package)

%prep
%setup -q

%build
./config --prefix=%{openssldir} --openssldir=%{openssldir}
make

%install
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}
%make_install

# Symlink the binary and shared libraries into the standard paths so the
# system picks up the new build without changing PATH or ld.so.conf
mkdir -p %{buildroot}%{_bindir}
mkdir -p %{buildroot}%{_libdir}
ln -sf %{openssldir}/lib/libssl.so.1.1 %{buildroot}%{_libdir}
ln -sf %{openssldir}/lib/libcrypto.so.1.1 %{buildroot}%{_libdir}
ln -sf %{openssldir}/bin/openssl %{buildroot}%{_bindir}

%clean
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}

%files
%defattr(-,root,root)
%{openssldir}
# headers belong to the devel sub-package only
%exclude %{openssldir}/include
%{_bindir}/openssl
%{_libdir}/libcrypto.so.1.1
%{_libdir}/libssl.so.1.1

%files devel
%defattr(-,root,root)
%{openssldir}/include

%post -p /sbin/ldconfig

%postun -p /sbin/ldconfig
EOF


mkdir -p /root/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
cp ~/openssl/openssl.spec /root/rpmbuild/SPECS/openssl.spec

mv openssl-1.1.1o.tar.gz /root/rpmbuild/SOURCES
# The version passed here must match the tarball name, or %setup cannot find it
cd /root/rpmbuild/SPECS && \
    rpmbuild \
    -D "version 1.1.1o" \
    -ba openssl.spec

# Before uninstalling OpenSSL:            rpm -qa openssl
# Uninstall the current OpenSSL version:  yum -y remove openssl
# Install:  rpm -ivvh /root/rpmbuild/RPMS/x86_64/openssl-1.1.1o-1.el7.x86_64.rpm --nodeps
# Verify the install:  rpm -qa openssl
#                      openssl version

Then run ./install-openssl_1.1.1o.sh to build and package it. Once that finishes, install from the RPM:

rpm -qa | grep openssl    # show the currently installed openssl package
yum -y remove openssl     # remove the current version
rpm -ivh /root/rpmbuild/RPMS/x86_64/openssl-1.1.1o-1.el7.x86_64.rpm --nodeps   # install the new openssl
openssl version           # confirm the upgrade succeeded