[转载]openssl 升级到OpenSSL 1.0.1g 修复HEARTBEATS漏洞
http://bbotte.blog.51cto.com/6205307/1394174/
CentOS 6.4 64位
查看当前的ssl版本
![[转载]openssl 升级到OpenSSL 1.0.1g 修复HEARTBEATS漏洞](http://s3.51cto.com/wyfs02/M02/23/F0/wKioL1NHlCKDs-XNAABtnN5qlWg241.jpg "[转载]openssl 升级到OpenSSL 1.0.1g 修复HEARTBEATS漏洞")
|
1
2
|
[[email protected] ~]# ssh -VOpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
|
升级openssl
升级前请关闭selinux
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
yum install zlib zlib-devel krb5-devel.x86_64 -ywget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar -xzf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
./config --prefix=/usr/local/ssl shared zlib-dynamic enable-camellia -DOPENSSL_NO_HEARTBEATS #添加 -DOPENSSL_NO_HEARTBEATS 选项
makemake installopenssl versionmv /usr/bin/openssl /usr/bin/openssl.oldmv /usr/include/openssl /usr/include/opensslold
ln -s /usr/local/ssl/bin/openssl /usr/bin/opensslln -s /usr/local/ssl/include/openssl/ /usr/include/openssl
echo "/usr/local/ssl/lib/" >> /etc/ld.so.conf
ldconfig -v|grep sslopenssl version |
升级后截图
![[转载]openssl 升级到OpenSSL 1.0.1g 修复HEARTBEATS漏洞](http://s3.51cto.com/wyfs02/M02/23/F1/wKioL1NHlQaTQUT6AAFuF4hymj0125.jpg "[转载]openssl 升级到OpenSSL 1.0.1g 修复HEARTBEATS漏洞")
|
1
|
openssl version -a |
![[转载]openssl 升级到OpenSSL 1.0.1g 修复HEARTBEATS漏洞](http://s3.51cto.com/wyfs02/M00/23/FD/wKiom1NJ5-qSdAZOAAJohlHNn50204.jpg "[转载]openssl 升级到OpenSSL 1.0.1g 修复HEARTBEATS漏洞")
为什么升级openssh,因为用xshell或者SecureCRT等终端连接服务器是用ssh,现在查看ssh所用openssl所用的版本还是这样的
|
1
2
|
[[email protected] ~]# ssh -VOpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
|
验证:
# rpm -qa openssl
openssl-1.0.1e-16.el6_5.14.x86_64
# rpm -q --changelog openssl-1.0.1e | grep CVE-2014-0160
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
说明漏洞已经修复
升级 openssh (编译时候请按文章最下面,添加--with-kerberos5=/usr/lib64/libkrb5.so 参数编译,不然会出现下面的问题)
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
wget http://mirror.internode.on.net/pub/OpenBSD/OpenSSH/portable/openssh-6.6p1.tar.gz
yum install pam*tar -xzf openssh-6.6p1.tar.gz
cd openssh-6.6p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-ssl-dir=/usr/local/ssl --with-md5-passwords --mandir=/usr/share/man
makemake install ssh -VOpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014
service sshd restart停止 sshd: [确定]正在启动 sshd: [确定] |
升级完成后打开新的终端连接
![[转载]openssl 升级到OpenSSL 1.0.1g 修复HEARTBEATS漏洞](http://s3.51cto.com/wyfs02/M00/23/F1/wKioL1NHlnvSWbDuAABtcceg0LI320.jpg "[转载]openssl 升级到OpenSSL 1.0.1g 修复HEARTBEATS漏洞")
升级完成
当执行service sshd restart 的时候有错误提示
![[转载]openssl 升级到OpenSSL 1.0.1g 修复HEARTBEATS漏洞](http://s3.51cto.com/wyfs02/M01/23/F1/wKioL1NHmiXCPdA1AAFDC0JjI4s175.jpg "[转载]openssl 升级到OpenSSL 1.0.1g 修复HEARTBEATS漏洞")
vim /etc/ssh/sshd_config 把81和83行注释
![[转载]openssl 升级到OpenSSL 1.0.1g 修复HEARTBEATS漏洞](http://s3.51cto.com/wyfs02/M01/23/F1/wKiom1NHmnXBtZwPAAC9Kn_mGC8279.jpg "[转载]openssl 升级到OpenSSL 1.0.1g 修复HEARTBEATS漏洞")
再执行就没问题了
|
1
2
3
|
service sshd restartStopping sshd: [ OK ]Starting sshd: [ OK ] |
附:
Unsupported option GSSAPIAuthentication 和 Unsupported option GSSAPICleanupCredentials
这两个认证机制的解决方法:
|
1
2
3
4
5
|
service sshd restartStopping sshd: [ OK ]Starting sshd: /etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials
[ OK ]
|
在编译openssh-6.6p1的时候把kerberos5的选项指定,即添加选项 --with-kerberos5=/usr/lib64/libkrb5.so 就不会出现问题
|
1
|
[[email protected] openssh-6.6p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-ssl-dir=/usr/local/ssl --with-md5-passwords --mandir=/usr/share/man --with-kerberos5=/usr/lib64/libkrb5.so
|
下面是sshd_config的配置文件,认证不受影响的,重启sshd服务也没问题
vim /etc/ssh/sshd_config
![[转载]openssl 升级到OpenSSL 1.0.1g 修复HEARTBEATS漏洞](http://s3.51cto.com/wyfs02/M00/23/F4/wKioL1NHta3R6jUjAAFn0jZBtQY308.jpg "[转载]openssl 升级到OpenSSL 1.0.1g 修复HEARTBEATS漏洞")
上述的代码
升级前关闭selinux
升级ssl,ssh
yum install zlib zlib-devel -y
yum install krb5-devel.x86_64 -y
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar -xzf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
./config --prefix=/usr/local/ssl shared zlib-dynamic enable-camellia -DOPENSSL_NO_HEARTBEATS
make
make install
openssl version
mv /usr/bin/openssl /usr/bin/openssl.old
mv /usr/include/openssl /usr/include/opensslold
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl/ /usr/include/openssl
echo "/usr/local/ssl/lib/" >>/etc/ld.so.conf
ldconfig -v|grep ssl
openssl version
cd ..
wget http://mirror.internode.on.net/pub/OpenBSD/OpenSSH/portable/openssh-6.6p1.tar.gz
yum install pam* -y
tar -xzf openssh-6.6p1.tar.gz
cd openssh-6.6p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-ssl-dir=/usr/local/ssl --with-md5-passwords --mandir=/usr/share/man --with-kerberos5=/usr/lib64/libkrb5.so
make
make install
ssh -V
cd ..