Apache server OpenSSL upgrade
2022-06-30 22:11:00 【Brother Xing plays with the clouds】
The OpenSSL Heartbleed vulnerability made a lot of noise. At first, several of the company's small rds business machines were notified to fix the OpenSSL vulnerability. These are separate small-business machines, so I stopped them, found a simple document, upgraded, and it was OK (some run nginx, some run resin). After the fix, restarting the service was OK.
The company's main business also has a general entry machine (2 servers behind LVS). Because this machine is very important, and because there had already been problems back in '13 when an OpenSSL vulnerability was fixed on it (an old machine; I intended to replace its environment), I was worried this time. But last week a customer service colleague suddenly reported that customers got a browser alert when browsing the local service, so the problem had to be solved immediately (upgrade OpenSSL).
--------------------------------------------------------------------------------
Environment inspection and detection
PS: the file $homedir/build/config.nice in the Apache build directory records the parameters used for the previous compile.
"./configure" \
"--with-ldap" \
"--enable-mods-shared=all ssl ldap cache proxy authn_alias file_cache authnz_ldap charset_lite dav_lock cache_disk" \
"--with-included-apr" \
"--with-ssl=/usr/local/openssl/"
(This is where things went wrong the first time.)
After recompiling I used a website to check, and it still reported that the OpenSSL vulnerability existed. (I started with 360's checker, then felt I was being misled by it, and found another site.)
https://lastpass.com/heartbleed (Since this article was written after the fact, I borrowed a friend's website for the demonstration; his problem was the same.)
Then I understood in an instant.
There are 2 issues here:
1. --with-ssl=/usr/local/openssl/ is the path of the old OpenSSL.
2. When the new path is specified, Apache reports an error. (Since this was written after the fact, the message was not recorded. It looked something like: apr-util is missing the ldap-related dependency ldap.so**** ; you did not enable ldap when compiling apr-util.)
Got it. No more detours; let's start the correct process.
I. Install OpenSSL
Upgrade steps
0. First check the OpenSSL version already on the system with openssl version -a
1. Get the source package with wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
2. Install openssl
tar xf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
./config -DOPENSSL_NO_HEARTBEATS shared zlib
make
make install
mv /usr/bin/openssl /usr/bin/openssl.OFF
mv /usr/include/openssl /usr/include/openssl.OFF
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
3. Configure the library file search path
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig -v
4. Check the openssl version to verify that the installation is correct
openssl version -a
You should see the newly installed version.
-DOPENSSL_NO_HEARTBEATS (disables the heartbeat extension)
II. Compile and install apr and apr-util
Special attention: I went ahead and yum-installed the ldap-related components, because the final Apache compile depends on the ldap library inside apr-util, so apr-util must also be compiled with ldap specified.
yum install apr apr-devel apr-util apr-util-devel apr-util-ldap (This is to solve the problem of apr-util depending on ldap, because I could not find out which library was missing.)
tar xf apr-1.4.6.tar.bz2
cd apr-1.4.6
./configure --prefix=/usr/local/apr
make && make install
cd ..
tar xf apr-util-1.5.2.tar.bz2
cd apr-util-1.5.2
./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr --with-ldap
make && make install
III. Compile and install Apache
tar xf httpd-2.4.4.tar.bz2
cd httpd-2.4.4
./configure --with-ldap --enable-mods-shared="all ssl ldap cache proxy authn_alias file_cache authnz_ldap charset_lite dav_lock cache_disk" --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util --with-ssl=/usr/local/ssl/
(Pay attention to the ssl path here.)
make && make install
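The detection site kept flagging the server because the first rebuild still pointed --with-ssl at the old OpenSSL. The following check script is an added example, not part of the original post: it reads the --with-ssl value recorded in config.nice and confirms that the built mod_ssl.so actually resolves libssl/libcrypto under the new install. The sample ldd output is constructed; the Apache prefix, module path and /usr/local/ssl/lib directory are assumptions matching the steps above.

```sh
#!/bin/sh
# Added example: verify that an Apache build really uses the upgraded OpenSSL.

# Print the --with-ssl value recorded in a config.nice file read from stdin.
# Returns 1 if the previous build recorded no --with-ssl at all.
with_ssl_from_config_nice() {
    sed -n 's/^"--with-ssl=\([^"]*\)".*/\1/p' | grep .
}

# Read `ldd mod_ssl.so` output from stdin, print the resolved libssl/libcrypto
# paths, and return 0 only if both live under the expected library directory.
check_ssl_links() {
    expected_dir="$1"
    libs=$(awk '/lib(ssl|crypto)\.so/ { print $3 }')
    [ -n "$libs" ] || { echo "no libssl/libcrypto linked" >&2; return 1; }
    rc=0
    for lib in $libs; do
        case "$lib" in
            "$expected_dir"/*) echo "ok: $lib" ;;
            *) echo "STALE: $lib (expected under $expected_dir)" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Run against a live build (assumed paths): what config.nice says vs. what the
# module actually loads. Usage: audit_apache_ssl /usr/local/apache2 /usr/local/ssl/lib
audit_apache_ssl() {
    apache_prefix="$1"; ssl_lib_dir="$2"
    echo "config.nice --with-ssl: $(with_ssl_from_config_nice < "$apache_prefix/build/config.nice")"
    ldd "$apache_prefix/modules/mod_ssl.so" | check_ssl_links "$ssl_lib_dir"
}

# Constructed sample of `ldd mod_ssl.so` from a build that still links the OLD
# OpenSSL in /usr/local/openssl, the situation the detection site flagged.
SAMPLE_STALE_LDD='	libssl.so.1.0.0 => /usr/local/openssl/lib/libssl.so.1.0.0 (0x00007f0a)
	libcrypto.so.1.0.0 => /usr/local/openssl/lib/libcrypto.so.1.0.0 (0x00007f0b)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0c)'

# Demo on the constructed sample: expected to report STALE and suggest a rebuild.
if ! printf '%s\n' "$SAMPLE_STALE_LDD" | check_ssl_links /usr/local/ssl/lib; then
    echo "mod_ssl still uses the old OpenSSL; rebuild with --with-ssl=/usr/local/ssl/"
fi
```

Running the same check after the rebuild above should print two "ok:" lines under /usr/local/ssl/lib, which is the real confirmation that the external scanner result will change.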
Final note
Before the operation I did not compress and back up Apache's original files (logs included).
I just mv'd the whole directory aside, then at the end deleted the conf, htdocs and logs directories from the newly compiled directory and mv'd those three directories over from the backup. That is the most convenient way (of course you can also just copy the directory structure of logs).
--------------------------------------------------------------------------------
What mainly needs attention is the ldap dependency.
When I did the nginx OpenSSL upgrade, one machine was also recompiled; it seems that because of environmental factors (it was too long ago), at compile time I directly specified the OpenSSL source directory so that nginx would recompile the OpenSSL dependent libraries it needs.
For upgrading a production environment, it is recommended to test in a test environment first, then build an rpm package and install it directly in production. If you have your own local yum repository, even better.