文章目录
问题描述Centos7 下 OpenSSL 升级到 OpenSSL 3.0问题描述
TLS(Transport Layer Security,安全传输层协议)是一套用于在两个通信应用程序之间提供保密性和数据完整性的协议。
TLS协议1.2及之前版本中存在安全漏洞。当服务器启用DHE_EXPORT密码套件时,程序未能正确传递DHE_EXPORT选项。攻击者可通过重写ClientHello(使用DHE_EXPORT取代DHE),然后重写ServerHello(使用DHE取代DHE_EXPORT),利用该漏洞实施中间人攻击和cipher-downgrade攻击。
Centos7 下 OpenSSL 升级到 OpenSSL 3.0
# 查看当前服务器 openssl版本> openssl versionOpenSSL 1.0.2k-fips 26 Jan # 查看Openssl路径> which openssl/bin/openssl# OpenSSL下载地址 /source/> wget --no-check-certificate /source/openssl-3.0.0.tar.gz# 安装OpenSSL> tar -zxvf openssl-3.0.0.tar.gz> cd openssl-3.0.0> ./config shared zlibConfiguring OpenSSL version 3.0.0 for target linux-x86_64Using os-specific seed configurationCreating configdata.pmRunning configdata.pmCreating Makefile.inCreating Makefile************************************************************************* ****** OpenSSL has been successfully configured ****** ****** If you encounter a problem while building, please open an ****** issue on GitHub </openssl/openssl/issues> ****** and include the output from the following command: ****** ****** perl configdata.pm --dump ****** ****** (If you are new to OpenSSL, you might want to consult the ****** 'Troubleshooting' section in the INSTALL.md file first)****** *************************************************************************> makemake[1]: Leaving directory `/mnt/packages/openssl-3.0.0'> make install# 备份当前Openssl> mv /usr/bin/openssl /usr/bin/openssl.old> mv /usr/lib64/openssl /usr/lib64/openssl.old# 使用新版Openssl> ln -s /usr/local/bin/openssl /usr/bin/openssl> ln -s /usr/local/include/openssl/ /usr/include/openssl# 更新动态链接库数据> echo "/usr/local/lib/" >> /etc/ld.so.conf> echo "/usr/local/lib64/" >> /etc/ld.so.conf# 重新加载动态链接库> ldconfig -v# 查看安装完成后的最新版本> openssl versionOpenSSL 3.0.0 7 sep (Library: OpenSSL 3.0.0 7 sep )> openssl version –aOpenSSL 3.0.0 7 sep (Library: OpenSSL 3.0.0 7 sep )built on: Wed Nov 10 04:10:53 UTCplatform: linux-x86_64options: bn(64,64)compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUGOPENSSLDIR: "/usr/local/ssl"ENGINESDIR: "/usr/local/lib64/engines-3"MODULESDIR: "/usr/local/lib64/ossl-modules"Seeding source: os-specificCPUINFO: OPENSSL_ia32cap=0x8001479bfffd:0x0
