Problem description
TLS (Transport Layer Security) is a set of protocols that provide confidentiality and data integrity between two communicating applications.
TLS 1.2 and earlier contain a security vulnerability. When a server enables DHE_EXPORT cipher suites, the implementation fails to correctly convey the DHE_EXPORT choice. An attacker can exploit this by rewriting the ClientHello (replacing DHE with DHE_EXPORT) and then rewriting the ServerHello (replacing DHE_EXPORT with DHE), carrying out a man-in-the-middle cipher-downgrade attack.
Upgrading OpenSSL to OpenSSL 3.0 on CentOS 7
# Check the OpenSSL version currently installed on the server
> openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
# Locate the OpenSSL binary
> which openssl
/bin/openssl
# OpenSSL download location: https://www.openssl.org/source/
> wget --no-check-certificate https://www.openssl.org/source/openssl-3.0.0.tar.gz
# Build and install OpenSSL
> tar -zxvf openssl-3.0.0.tar.gz
> cd openssl-3.0.0
> ./config shared zlib
Configuring OpenSSL version 3.0.0 for target linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Running configdata.pm
Creating Makefile.in
Creating Makefile
**********************************************************************
*** ***
*** OpenSSL has been successfully configured ***
*** ***
*** If you encounter a problem while building, please open an ***
*** issue on GitHub <https://github.com/openssl/openssl/issues> ***
*** and include the output from the following command: ***
*** ***
*** perl configdata.pm --dump ***
*** ***
*** (If you are new to OpenSSL, you might want to consult the ***
*** 'Troubleshooting' section in the INSTALL.md file first) ***
*** ***
**********************************************************************
> make
make[1]: Leaving directory `/mnt/packages/openssl-3.0.0'
> make install
# Back up the current OpenSSL
> mv /usr/bin/openssl /usr/bin/openssl.old
> mv /usr/lib64/openssl /usr/lib64/openssl.old
# Switch to the new OpenSSL
> ln -s /usr/local/bin/openssl /usr/bin/openssl
> ln -s /usr/local/include/openssl/ /usr/include/openssl
# Update the dynamic linker search paths
> echo "/usr/local/lib/" >> /etc/ld.so.conf
> echo "/usr/local/lib64/" >> /etc/ld.so.conf
# Reload the dynamic linker cache
> ldconfig -v
# Confirm the version after installation
> openssl version
OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
> openssl version -a
OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
built on: Wed Nov 10 04:10:53 2021 UTC
platform: linux-x86_64
options: bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib64/engines-3"
MODULESDIR: "/usr/local/lib64/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0x80202001479bfffd:0x0
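As an added example (not part of the original post), the following POSIX shell functions verify that the upgrade actually took effect: they parse the `openssl version` line, check that the binary and the library it loads report the same version (a stale libcrypto left on the old path shows up as a mismatch), and check that the version meets a required minimum. The function names and the sample version lines are constructed for this example.

```shell
#!/bin/sh
# Added example: verify an OpenSSL upgrade from the "openssl version" output.

# prog_version LINE: the version the binary reports (letters like "k-fips" dropped)
prog_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p'
}

# lib_version LINE: the "(Library: ...)" version, or the binary version when
# the line carries no separate library version (OpenSSL 1.0.x prints none)
lib_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*(Library: OpenSSL \([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] && printf '%s\n' "$v" || prog_version "$1"
}

# version_ge A B: exit 0 when dotted numeric version A >= B, else 1
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0;
            if ((x[i] + 0) < (y[i] + 0)) exit 1;
        }
        exit 0 }'
}

# check_openssl_line LINE MIN: 0 = ok, 1 = unparseable, 2 = binary and
# library versions differ, 3 = version still below MIN
check_openssl_line() {
    p=$(prog_version "$1"); l=$(lib_version "$1")
    [ -n "$p" ] || return 1
    [ "$p" = "$l" ] || return 2
    version_ge "$p" "$2" || return 3
    return 0
}

# check_installed MIN: run the real binary on PATH (constructed helper)
check_installed() { check_openssl_line "$(openssl version)" "$1"; }

# export_ciphers_present: 0 if the linked library still offers EXP-* suites,
# which is what the DHE_EXPORT downgrade described above relies on
export_ciphers_present() {
    openssl ciphers 'ALL:COMPLEMENTOFALL' 2>/dev/null | tr ':' '\n' | grep -q '^EXP'
}
```

After the upgrade, `check_installed 1.1.1 && ! export_ciphers_present` should succeed; a return code of 2 means the new binary is still loading the old library (re-check the ld.so.conf entries and `ldconfig`).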