redhat linux openssl upgrade

littlecarbb 2014. 6. 30. 16:32

Source: http://dangersouls.blogspot.kr/2014/04/openssl-heartbleed-bug.html?showComment=1398743117496

You can check if your site is affected here: http://filippo.io/Heartbleed/

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.

Only the 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to upgrade immediately can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

cPanel users are affected as well. They also need to upgrade SSL.

My current SSL version:
bash-4.1# openssl version -a
OpenSSL 1.0.0-fips 29 Mar 2010

When upgrading, make sure that the "OPENSSLDIR" and the "options" values stay the same. It is fine if the newer version has more options, but all of the existing options must still be present.


So let’s upgrade. 

Install the "Axivo" repo:
-bash-4.1# rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm
Retrieving http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm
Preparing... ########################################### [100%]
 1:axivo-release ########################################### [100%]
-bash-4.1# yum --enablerepo=axivo update openssl
That's it. Now check the OpenSSL version again.
root@bash [~]# openssl version
OpenSSL 1.0.1g 7 Apr 2014

After updating OpenSSL to 1.0.1g, kill all Apache processes and restart both Apache and OpenSSH.
Then you are safe. Check the site status again.
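
The two checks described above (is the version in the affected range, and did "OPENSSLDIR" and the "options" survive the upgrade) can be scripted against saved `openssl version -a` output. This is an added example, not part of the original post; the function names and the sample output are constructed. It classifies upstream version strings only, so a distribution package that backports the fix under an older version string will still be reported as in range.

```bash
#!/usr/bin/env bash
# Added example. Function names and the sample text below are constructed.

# True if an upstream version string is in the range the post lists as
# affected: 1.0.1 through 1.0.1f, 1.0.2-beta and 1.0.2-beta1.
is_affected() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.1-*|1.0.1[a-f]-*|1.0.2-beta|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull single fields out of saved `openssl version -a` output.
ver_of()     { printf '%s\n' "$1" | awk '/^OpenSSL /{print $2; exit}'; }
dir_of()     { printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *//p'; }
options_of() { printf '%s\n' "$1" | sed -n 's/^options: *//p'; }

# Compare output saved before ($1) and after ($2) the upgrade: OPENSSLDIR must
# be unchanged and every old option must still be present (extras are fine).
compare_builds() {
    cb_rc=0
    cb_new=" $(options_of "$2") "
    if [ "$(dir_of "$1")" != "$(dir_of "$2")" ]; then
        echo "OPENSSLDIR changed: $(dir_of "$1") -> $(dir_of "$2")"; cb_rc=1
    fi
    for cb_opt in $(options_of "$1"); do
        case "$cb_new" in
            *" $cb_opt "*) ;;
            *) echo "option missing after upgrade: $cb_opt"; cb_rc=1 ;;
        esac
    done
    return "$cb_rc"
}

# Constructed sample output (not captured from a real host).
BEFORE='OpenSSL 1.0.1e-fips 11 Feb 2013
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
OPENSSLDIR: "/etc/pki/tls"'
AFTER='OpenSSL 1.0.1g 7 Apr 2014
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
OPENSSLDIR: "/etc/pki/tls"'

if is_affected "$(ver_of "$BEFORE")"; then echo "before: in the affected range"; fi
if ! is_affected "$(ver_of "$AFTER")"; then echo "after: outside the affected range"; fi
if compare_builds "$BEFORE" "$AFTER"; then echo "OPENSSLDIR and options preserved"; fi
```

On a real host, save `openssl version -a` to a file before the upgrade and pass its contents and the post-upgrade output to `compare_builds`.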
 
-----------------------------------------------------------

If you can't install:

-bash-4.1# yum --enablerepo=axivo update openssl --skip-broken

 

 

If you can't install:

-bash-4.1# yum --enablerepo=axivo update --skip-broken 

 

 
