Upgrading / installing OpenSSL 1.0.0d from source on CentOS 5.5
Hey all,
I find myself a bit stuck upgrading OpenSSL to the latest version. The situation is that I've been running LAMP servers just fine by installing the web services from the repositories AND the web services from source. However I'm now in the process of making a PCI-DSS compliant LAMP server. I've just had the vulnerability scan report back and it's failed due to OpenSSL having vulnerabilities, and it tells me I must upgrade to version 1.0.0d or higher. I've basically spent hours and hours trying to get this working along with research, but I don't seem to be having much luck with this one, so any help on the following methods I'm using is much appreciated. I'm using a fresh install of CentOS and trying to create an RPM using the source code and rpmbuild; I read this was the best way, and this is my first time using rpmbuild.
Code:
yum -y install rpm-build make gcc gcc-c++ perl mlocate
Code:
error: Failed dependencies:
Code:
rpm -Uvh /usr/src/redhat/RPMS/x86_64/openssl-1.0.0d-1.x86_64.rpm --nodeps
But my problem is now that yum is broken, along with wget and probably anything else that uses OpenSSL. When I do yum update, I get the following error:
Code:
Traceback (most recent call last):
Hi, welcome to LQ!
The better approach would have been to wait for RedHat/CentOS to provide you with an updated version (alternatively take care of compiling ALL dependent libs and executables yourself, having marked the new version of SSL in their respective *.specs as the one they really want to depend on). Cheers, Tink
My approach is completely different.
If you want your server PCI-compliant you should really think in advance. You cannot wait for CentOS (or any distro) to release proper versions; you will need to update faster than that. Believe me, my job is to make sure all of a company's servers are PCI-compliant at the highest level, so I really know what I'm talking about. My advice to you is to compile all software needed manually, and in non-original directories. Suggestion: create a partition for all this software, mount under /myapps (or whatever you like). For a LAMP server that means compiling openssl, mysql, apache (well, webserver of your choice), php and pcre (pcre may not be necessary, but it definitely is if you want mod_security, which you might not want now but it will make your life easier having it. A little hard to learn but worth the effort. Plan for it - compile pcre, it's very easily done.) Beware of install order: OpenSSL first, then you compile all other programs against that version. This means you do not need to replace the system's OpenSSL which - as you have noticed - breaks pretty much everything. Second advice is that you make scripts to handle the compiling. This makes it so much easier when you need to upgrade an application - and upgrades will be necessary pretty often, believe me! To help you along I attach my script for compiling mysql. (And just out of curiosity, why do you want PCI? Business reasons or just for the fun of it?) Good luck, just return if you need more help! Oh yes, your broken system: try reinstalling the original openssl with yum, hopefully it helps. If it doesn't, maybe you can install the same version of CentOS on some other 'puter and copy over the necessary files (I think they all are under /etc/openssl but not sure, you have to check!) Last resort is reinstall...
Quote:
How many architectures are you looking after? Cheers, Tink
Yes, I can't wait for the releases to be updated by CentOS. Once a vulnerability is discovered it's essential it's fixed ASAP.
I do currently have all my web services (MySQL, Apache, PHP) compiled from source and up to date as it is; they all work fine. I was getting on fine with compiling OpenSSL from source and then compiling against that, but this didn't change the version number when I did # openssl version. I thought this would still be an issue when I do the next vulnerability scan, is this not the case? Will the scan only care about what version of OpenSSL Apache and PHP are using? My yum is screwed from installing the RPM I built from source, but I'm currently doing all this on a cloud environment server anyway, so it's no bother to just reinstall CentOS ;) Oh, and currently it's for business reasons. Thanks for your help, I'll go back to just compiling OpenSSL from source and then compiling Apache and PHP alongside that if it's not going to be an issue using 2 versions of OpenSSL on a system.
So now I'm trying to compile Apache with mod_ssl and openssl-1.0.0d, but I don't seem to be having much luck with that either. All the info I seem to find around is geared towards compiling Apache 1.3.x, and when I change it around to the following
Code:
./configure \
Code:
Configuring mod_ssl/2.8.30 for Apache/1.3.39
Code:
--with-apache=/usr/local/src/httpd-2.2.19/ \
!= /usr/local/apache/
structure that makes sure the "new" versions don't get in the way of the distro maintained ones. I built some apps that are newer than RHEL ones and placed them (w/ their respective OpenSSL) under /opt, without adding them to the ld.so.conf. Cheers, Tink
I'm now going with the method of placing everything in a separate place.
Everything 'seems' to be going OK apart from OpenSSL still. I'm getting an error of:
Code:
The output of /opt/apache/bin/apxs follows:
Code:
./configure --prefix=/opt/php --with-apxs2=/opt/apache/bin/apxs --with-mysql=/opt/mysql --with-mysqli=/opt/mysql/bin/mysql_config --with-gd --with-jpeg-dir=/usr/lib --with-png-dir=/usr --enable-exif --enable-ftp --with-zlib-dir=/opt/zlib --enable-gd-native-ttf --enable-calendar --enable-mbstring --with-curl=/opt/curl --with-mcrypt=/opt/mcrypt --with-openssl=/opt/openssl/ --without-pear
I'm using the config of
Code:
./config shared --prefix=/opt/openssl --openssldir=/opt/openssl -fPIC
Code:
libssl.a relocation R_X86_64_32 against a local symbol can not be used when making a shared object; recompile with "-fPIC"
I remember this, had the same problem on one server recently.
Thing is, for some reason openssl-1.0.0d has to be compiled with "./config shared", and then the "--prefix" & "--openssldir" are ignored. One way to fix it is to find where openssl is installed and use that path when configuring apache et al. (In my case (SLES11) openssl was installed in /usr/local/openssl with source in /usr/local/src/) Another way, and what I did, is after running ./config, edit Makefile and change INSTALLTOP= and OPENSSLDIR= to where you want openssl installed. And to answer an earlier question: Quote:
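Putting the advice in this thread into one script, as an added example that is not from any poster here: it builds OpenSSL first into a private prefix, forces INSTALLTOP and OPENSSLDIR in the generated Makefile the way the reply above describes, and then configures httpd and PHP against that copy with an rpath so the loader finds the private libssl/libcrypto without touching /etc/ld.so.conf. The /opt prefixes, the /usr/local/src source directory and the openssl-*/httpd-*/php-* directory names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build OpenSSL, then Apache httpd, then PHP
# into a private /opt tree so the distro's own OpenSSL is left untouched.
# The prefixes, source directory and tarball directory names are assumptions.
set -e
PREFIX_SSL=${PREFIX_SSL:-/opt/openssl}
PREFIX_HTTPD=${PREFIX_HTTPD:-/opt/apache}
PREFIX_PHP=${PREFIX_PHP:-/opt/php}
SRC=${SRC:-/usr/local/src}   # assumed: unpacked openssl-*, httpd-*, php-* live here

# OpenSSL goes first and is built as shared, PIC objects, because mod_ssl and
# the PHP openssl extension are shared objects that link libssl/libcrypto.
openssl_config_cmd() {
    echo "./config shared -fPIC --prefix=$PREFIX_SSL --openssldir=$PREFIX_SSL"
}

# Rewrite INSTALLTOP= and OPENSSLDIR= in an OpenSSL Makefile to the private
# prefix (the workaround described above), leaving every other line alone.
force_openssl_prefix() {
    mk=$1
    sed "s|^INSTALLTOP=.*|INSTALLTOP=$PREFIX_SSL|; s|^OPENSSLDIR=.*|OPENSSLDIR=$PREFIX_SSL|" \
        "$mk" > "$mk.tmp" && mv "$mk.tmp" "$mk"
}

# httpd: point configure at the private OpenSSL and bake its lib dir into the
# binaries' rpath, so the runtime loader resolves it without /etc/ld.so.conf.
httpd_configure_cmd() {
    echo "LDFLAGS=-Wl,-rpath,$PREFIX_SSL/lib ./configure --prefix=$PREFIX_HTTPD --enable-so --enable-ssl --with-ssl=$PREFIX_SSL"
}

# PHP: built against the private httpd (apxs) and the private OpenSSL.
php_configure_cmd() {
    echo "LDFLAGS=-Wl,-rpath,$PREFIX_SSL/lib ./configure --prefix=$PREFIX_PHP --with-apxs2=$PREFIX_HTTPD/bin/apxs --with-openssl=$PREFIX_SSL"
}

# Run the three builds in dependency order; only executed when called as "run".
build_all() {
    cd "$SRC"/openssl-*/
    eval "$(openssl_config_cmd)"
    force_openssl_prefix Makefile
    make && make install
    "$PREFIX_SSL/bin/openssl" version   # the private copy, not the system one

    cd "$SRC"/httpd-*/
    eval "$(httpd_configure_cmd)"
    make && make install

    cd "$SRC"/php-*/
    eval "$(php_configure_cmd)"
    make && make install
}

if [ "${1:-}" = run ]; then
    build_all
fi
```

Invoke as `sh build-lamp.sh run` once the three source trees are unpacked under /usr/local/src. Keeping the configure lines in functions is what makes the script reusable for the next upgrade: bump the source directory, re-run, and every component is rebuilt against the same private OpenSSL in the same order.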
Quote:
What I think you're after is: "How can I rule out all distros without actually trying them? Do I really know enough of at least the major 20 distros?" Answer is simple: If you need PCI then you must have complete control. It doesn't matter what distro / OS you are running, you simply can't just trust their maintainers to release an updated version of a package the day after it is released. There can always be a delay, and if you don't get a green scan regularly you lose your certification. So my conclusion is not based on how fast distro X or distro Y updates their packages, it is based upon the need for control. It is based upon the fact that even if a distro is updated fast enough in 99% of the cases, that 1% might cause me to lose PCI certification, which would be a disaster for the company!
Quote:
Assume you had 800 instances, spread over three hardware platforms and several versions of the OS that come w/ it. Assume that a 0-day exploit gets noticed while you are asleep. Just putting it out there. Cheers, Tink
I managed to get this working now! I needed the following:
Code:
echo "/opt/openssl/lib" >> /etc/ld.so.conf
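The earlier question in the thread was whether the version printed by `openssl version` or the library the daemon actually loads is what counts. A way to settle it on the box itself, as an added example that is not from any poster here: parse ldd output for a binary and report whether libssl/libcrypto resolve under the private prefix, to the distro's copy, or not at all (the loader's "not found", which is what adding the lib directory to /etc/ld.so.conf and running ldconfig, or an rpath at link time, fixes). The /opt/openssl prefix and the binary paths are assumptions; the ldd lines in the usage below are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: check which libssl/libcrypto a binary
# really loads at run time. The private prefix under /opt is an assumption.
SSL_PREFIX=${SSL_PREFIX:-/opt/openssl}

# Read ldd output on stdin and print "<soname> <resolved path>" for every
# libssl/libcrypto entry; an unresolved entry is reported as "not found".
ssl_deps_from_ldd() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ {
            path = ($3 == "not") ? "not found" : $3
            print $1, path
         }'
}

# Exit 0 only when the ldd text on stdin has at least one libssl/libcrypto
# dependency and every one of them resolves under prefix $1; else exit 1.
ssl_deps_under_prefix() {
    prefix=$1
    ssl_deps_from_ldd | awk -v p="$prefix/" '
        { total++; if (index($2, p) == 1) ok++ }
        END { exit (total > 0 && ok == total) ? 0 : 1 }'
}

# Run the check against a real binary or shared object on this host.
check_binary() {
    bin=$1
    if ! [ -r "$bin" ]; then
        echo "$bin: not found or not readable"
        return 2
    fi
    out=$(ldd "$bin")
    echo "$out" | ssl_deps_from_ldd | sed "s|^|$bin: |"
    if echo "$out" | ssl_deps_under_prefix "$SSL_PREFIX"; then
        echo "$bin: OK, uses OpenSSL from $SSL_PREFIX"
    else
        echo "$bin: WARNING, libssl/libcrypto not resolved from $SSL_PREFIX"
        echo "  (link with LDFLAGS=-Wl,-rpath,$SSL_PREFIX/lib, or add $SSL_PREFIX/lib to /etc/ld.so.conf and run ldconfig)"
        return 1
    fi
}

# Usage: sh check-ssl-deps.sh /opt/apache/bin/httpd /opt/apache/modules/mod_ssl.so /opt/php/bin/php
if [ $# -gt 0 ]; then
    rc=0
    for b in "$@"; do check_binary "$b" || rc=1; done
    exit $rc
fi
```

Check the mod_ssl DSO and the PHP binary (or its openssl extension) as well as httpd itself: when mod_ssl is built as a module, the httpd binary may not link libssl at all, so a clean result for httpd alone says nothing about which OpenSSL is serving TLS. After editing /etc/ld.so.conf, run ldconfig before re-checking, since the loader cache is what ldd consults.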