<div class="blogpost-body" id="cnblogs_post_body">
<p>升级openssl</p>
<p> </p>
<p>依赖openssl的软件,如果是静态编译openssl,那么需要重新编译软件,如果是利用openssl的so动态库,那么只需要替换一下so文件并重启软件即可</p>
<p>openssh也依赖openssl</p>
<p> </p>
<p>参考文章</p>
<p>http://www.111cn.net/sys/CentOS/61326.htm</p>
<p>http://bguncle.blog.51cto.com/3184079/1392870/</p>
<p>http://www.cnblogs.com/doomsword/p/3654131.html</p>
<p>http://baike.baidu.com/link?url=-JPAJup4lhmkzO__PjR9IeyHzJ46WjSHYQQSxaQYOxnjc2DVrkzJHRV5M56vhFgiif7Ir_-9spu2mgj8VtMXMq</p>
<p> </p>
<p>今天用rkhunter检测了一下服务器,检测结果报:openssl版本太低</p>
<p># grep -i OpenSSL /var/log/rkhunter.log<br>[13:43:50] Checking for string '/usr/include/openssl' [ Not found ]<br>[13:44:11] Checking version of OpenSSL [ Warning ]<br>[13:44:11] Warning: Application 'openssl', version '1.0.1e', is<span style="color:#ff0000;"><strong> out of date</strong></span>, and possibly a security risk.</p>
<p> </p>
<p>ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl 静态编译用 静态库<br>ln -s /usr/local/ssl/lib/libssl.so /usr/local/lib64/libssl.so 动态编译用 动态库</p>
<p> </p>
<div class="cnblogs_code">
<pre class="blockcode">strings /usr/lib64/libssl.so.<span style="color:#800080;">10</span> |<span style="color:#0000ff;">grep</span> -<span style="color:#000000;">i openssl
OpenSSLDie
OPENSSL_cleanse
OPENSSL_DIR_read
OPENSSL_DIR_end
OPENSSL_init_library
OPENSSL_1.</span><span style="color:#800080;">0.1</span><span style="color:#000000;">
OPENSSL_1.</span><span style="color:#800080;">0</span><span style="color:#000000;">.1_EC
SSLv2 part of OpenSSL </span><span style="color:#800080;">1.0</span>.1e-fips <span style="color:#800080;">11</span> Feb <span style="color:#800080;">2013</span><span style="color:#000000;">
SSLv3 part of OpenSSL </span><span style="color:#800080;">1.0</span>.1e-fips <span style="color:#800080;">11</span> Feb <span style="color:#800080;">2013</span><span style="color:#000000;">
TLSv1 part of OpenSSL </span><span style="color:#800080;">1.0</span>.1e-fips <span style="color:#800080;">11</span> Feb <span style="color:#800080;">2013</span><span style="color:#000000;"><strong>
DTLSv1 part of OpenSSL</strong> </span><span style="color:#800080;">1.0</span>.1e-fips <span style="color:#800080;">11</span> Feb <span style="color:#800080;">2013</span><span style="color:#000000;">
OpenSSL </span><span style="color:#800080;">1.0</span>.1e-fips <span style="color:#800080;">11</span> Feb <span style="color:#800080;">2013</span></pre>
</div>
<p> </p>
<p><br><br><br></p>
<div class="cnblogs_code">
<pre class="blockcode">rpm -<span style="color:#000000;">ql openssl
</span>/usr/bin/<span style="color:#000000;">openssl
</span>/usr/lib64/libcrypto.so.<span style="color:#800080;">1.0</span><span style="color:#000000;">.1e
</span>/usr/lib64/libcrypto.so.<span style="color:#800080;">10</span>
<strong>/usr/lib64/libssl.so.</strong><span style="color:#800080;">1.0</span><span style="color:#000000;">.1e
</span>/usr/lib64/libssl.so.<span style="color:#800080;">10</span>
/usr/lib64/openssl</pre>
</div>
<p> </p>
<p> </p>
<p> </p>
<p>http://baike.baidu.com/link?url=-JPAJup4lhmkzO__PjR9IeyHzJ46WjSHYQQSxaQYOxnjc2DVrkzJHRV5M56vhFgiif7Ir_-9spu2mgj8VtMXMq<br>Heartbleed漏洞之所以得名,是因为用于.</p>
<p>安全传输层协议(TLS)及</p>
<p>数据包传输层安全协议(DTLS)</p>
<p>的 Heartbeat扩展存在漏洞。</p>
<p>Heartbeat扩展为TLS/DTLS提供了一种新的简便的连接保持方式,但由于OpenSSL 1.0.2-beta与OpenSSL 1.0.1在处理TLS heartbeat扩展时的边界错误,</p>
<p>攻击者可以利用漏洞披露连接的客户端或服务器的存储器内容,导致攻击者不仅可以读取其中机密的加密数据,还能盗走用于加密的密钥<br><br><br>受影响的OpenSSL版本:<br>最后更新于2014年4月9日,据Heartbleed和OpenSSL网站上的信息。[8] <br>受影响:<br>OpenSSL 1.0.2-beta[8] <br>OpenSSL 1.0.1 - OpenSSL 1.0.1f[8] <br>除非针对CVE-2014-0160的操作系统补丁已经安装,而没有更改库版本,如Debian、Red Hat Enterprise Linux(及其派生版,如CentOS、Amazon Linux)或Ubuntu(及其派生版,如Linux Mint)。<br>不受影响:<br>OpenSSL 1.0.2-beta2(将来版本)[8] <br><span style="color:#ff0000;"><strong>OpenSSL 1.0.1g[8]</strong> </span><br>OpenSSL 1.0.0(及1.0.0的分支版本)[8] <br>OpenSSL 0.9.8(及0.9.8的分支版本)[8] <br>要解决此漏洞,建议服务器管理员或使用1.0.1g版,或<span style="color:#ff0000;"><strong>使用-DOPENSSL_NO_HEARTBEATS选项重新编译OpenSSL</strong></span>,从而禁用易受攻击的功能,直至可以更新服务器软件。[8] .<br>单独应用这个补丁并不能修复漏洞。还必须重新启动相关服务和/或重启服务器,这样修补过的OpenSSL才能被应用,然后重新生成所有的私钥和密码。[8] </p>
<p> </p>
<hr>
<div class="cnblogs_code">
<pre class="blockco |
|
转播
