OpenSSL 1.1.1 has reached end of life (EOL). According to the OpenSSL project's announcement, support for OpenSSL 1.1.1 ended on 11 September 2023, after which it no longer receives public security fixes. Any system that keeps running OpenSSL 1.1.1 therefore accumulates unpatched vulnerabilities in the library that protects its TLS traffic, and should be moved to a supported 3.x series.
Contents
- 1. Preparation
- 2. Upgrade OpenSSL
- 3. Upgrade OpenSSH
- 4. Troubleshooting
- 4.1 Failed to set locale, defaulting to C.UTF-8
- 4.2 ssh: symbol lookup error: /lib64/libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b
- 4.3 openssl: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory
- 4.4 crypto/comp/c_zlib.c:27:11: fatal error: zlib.h: No such file or directory # include <zlib.h>
- 4.5 configure: error: PAM headers not found
- 4.6 PAM is enabled. You may need to install a PAM control file for sshd, otherwise password authentication may fail. Example PAM control files can be found in the contrib/subdirectory
- 4.7 It is required that your private key files are NOT accessible by others.This private key will be ignored.sshd: no hostkeys available -- exiting.make: [Makefile:385: check-config] Error 1 (ignored)
1. Preparation
1.1 Download the upgrade packages
1. rhel8.5: Red Hat Enterprise Linux release 8.5 (Ootpa)
2. OpenSSL: OpenSSL 3.2.0 23 Nov 2023
https://www.openssl.org/source
https://ftp.openssl.org/source
3. OpenSSH:
Download the .sha256 (or .asc signature) published next to each tarball and verify it before building: a tampered source archive here becomes the TLS library and SSH daemon of the host.
1.2 Configure a local yum repository (installation media mounted at /media/cdrom)
[AppStream]
name = AppStream
enabled = yes
baseurl = file:///media/cdrom/AppStream
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
[BaseOS]
name = BaseOS
enabled = yes
baseurl = file:///media/cdrom/BaseOS/
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
Keep gpgcheck = 1; gpgkey must name the key that actually signed the packages on the media (on RHEL media that is /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release, not a CentOS key).
1.3 Install telnet (fallback access while sshd is down)
sshd is removed and rebuilt in section 3, so a second way into the host is needed. The page uses telnet. It is plaintext: only expose it on a trusted management network, and disable it again once the new sshd is confirmed working (systemctl disable --now telnet.socket, then restore /etc/securetty).
yum install telnet* -y
systemctl start telnet.socket
systemctl enable telnet.socket
# removing /etc/securetty lifts the pam_securetty restriction so root can log in on the telnet ptys
mv /etc/securetty /etc/securetty.bak
2. Upgrade OpenSSL
Installed: OpenSSL 1.1.1k (RHEL 8.5). Section 2.3 shows a 1.1.1w build installed under /usr/local/openssl; section 2.6 shows the 3.2.0 build with --prefix=/usr that actually replaces the system command.
2.1 Back up
cp /usr/bin/openssl{,.bak}
# the include directory needs -r
cp -r /usr/include/openssl{,.bak}
# copy every shared library the current binary loads (/usr/bin/openssl, since nothing is in /usr/local yet); only fields that are real paths are passed to cp
ldd /usr/bin/openssl | awk '$3 ~ /^\// {print $3}' | xargs -i cp {}{,.bak}
2.2 Install build dependencies
# check what is already present
gcc --version; rpm -qa pcre; yum list installed | grep zlib; perl -version
# OpenSSL 3.x's Configure script needs these Perl modules
yum -y install perl-IPC-Cmd perl-Pod-Html
# zlib-devel supplies zlib.h, which the zlib build option needs (see 4.4)
yum -y install gcc gcc-c++ zlib zlib-devel pcre
2.3 Build and install OpenSSL from source
tar -xvf openssl-1.1.1w.tar
cd openssl-1.1.1w
./config --prefix=/usr/local/openssl --openssldir=/usr/local/ssl threads zlib shared enable-camellia
# --openssldir=OPENSSLDIR: configuration and certificate directory, default /usr/local/ssl
# --prefix: prefix for the lib, include and bin directories, default is OPENSSLDIR
# shared / no-shared: build shared libraries or not
# threads / no-threads: build a thread-safe library (default on)
# zlib | zlib-dynamic | no-zlib: link zlib statically | load zlib at runtime | no compression support
#   (this compiles in TLS compression support; OpenSSL keeps it off at runtime unless an application enables it)
# enable-camellia: enable the Camellia cipher
make clean
make
make test
make install
2.4 Fix the mismatch between the command's version and the library version
a. Add symlinks
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
b. Add the library directory to the dynamic loader's search path in /etc/ld.so.conf (with vi or vim, or as below), then rebuild the loader cache
echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
/sbin/ldconfig
Note: OpenSSL 3.x installs its libraries under lib64 on x86_64, so for a 3.x build the entry is the lib64 directory under the prefix (the page gives /usr/local/ssl/lib64 for openssl-3.0.12).
Afterwards `openssl version` must report the same version for the command and the library; if they differ, the loader is still resolving a different libcrypto than the one the binary was built against.
2.4 Back up the dependency libraries
# the file names below are the RHEL 7 (OpenSSL 1.0.2k) ones; on RHEL 8.5 the openssl-libs package provides
# libcrypto.so.1.1 and libssl.so.1.1 (symlinks to libcrypto.so.1.1.1k / libssl.so.1.1.1k)
cp /usr/lib64/libcrypto.so.10 /usr/lib64/libcrypto.so.10.old
cp /usr/lib64/libcrypto.so.1.0.2k /usr/lib64/libcrypto.so.1.0.2k.old
cp /usr/lib64/libssl.so.10 /usr/lib64/libssl.so.10.old
cp /usr/lib64/libssl.so.1.0.2k /usr/lib64/libssl.so.1.0.2k.old
2.5 Remove the old openssl command
whereis openssl
# output: openssl: /usr/lib64/openssl /usr/include/openssl
mv /usr/bin/openssl /usr/bin/openssl.old
mv /etc/ssl /etc/ssl.old
mv /usr/lib64/openssl /usr/lib64/openssl.old
yum remove openssl
On RHEL 8 the openssl package is only the command-line tool. openssl-libs (libcrypto.so.1.1, libssl.so.1.1) stays installed and must stay: krb5-libs, curl, systemd and much of the base system link against it. Do not remove or overwrite those files; the 3.x libraries carry a different soname (.so.3) and coexist with them. Note also that the distribution keeps its CA bundle under /etc/pki/tls (with /etc/ssl pointing into it); a source-built openssl uses its own --openssldir, so pass -CAfile /etc/pki/tls/certs/ca-bundle.crt or link the bundle into the new directory if verification is expected to work.
2.6 Install OpenSSL 3.2.0
# in the extracted openssl-3.2.0 source tree
./config --prefix=/usr
make && make install
whereis openssl
# output: openssl: /usr/bin/openssl /usr/lib64/openssl.old /usr/include/openssl /usr/share/man/man1/openssl.1ossl
openssl version
# output: OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 Nov 2023)
With --prefix=/usr the libraries land in /usr/lib64 as libcrypto.so.3 / libssl.so.3, next to the distribution's .so.1.1 files, so no ld.so.conf change is needed. Run make test before make install. Two things change from here on: /usr/bin/openssl and the 3.x libraries are outside RPM's control, so a later yum update of the openssl package will overwrite the command, and tracking OpenSSL security advisories for the 3.2 series is now your job (3.0 is the long-term-support series; 3.2 is a regular release with a shorter support window).
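The checks the page describes in 2.4 and 2.6 (command and library version must agree, and every rebuilt binary must resolve the new libssl/libcrypto rather than the EOL ones) can be scripted. The following is an added example, not code from the original post: the text-parsing helpers take the output of `openssl version` and `ldd` as strings, so they run here on constructed samples, and `check_system` applies them to the live host. It also catches the two failure modes in 4.2 and 4.3 (a binary resolving the old .so.1.1 library, or libssl.so.3 "not found"). The binary list in `check_system` is an assumption; extend it with whatever else you relinked.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): post-upgrade checks for a
# source-built OpenSSL. Pure-text helpers take command output as a string so
# they can be exercised on the constructed samples below; check_system() runs
# them against the live host.
set -u

# Constructed samples; real input comes from `openssl version` and `ldd`.
SAMPLE_VERSION_OK='OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 Nov 2023)'
SAMPLE_VERSION_MISMATCH='OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 1.1.1k  FIPS 25 Mar 2021)'
SAMPLE_LDD_BAD='    libssl.so.3 => not found
    libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f1a00000000)
    libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f1a00100000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f1a00200000)'
SAMPLE_LDD_GOOD='    libssl.so.3 => /usr/local/openssl/lib64/libssl.so.3 (0x00007f1a00000000)
    libcrypto.so.3 => /usr/local/openssl/lib64/libcrypto.so.3 (0x00007f1a00100000)'

# Print "<cli-version> <library-version>" parsed from `openssl version` output.
# 1.1.1 prints no "(Library: ...)" suffix when the two agree, so the library
# version defaults to the CLI version. Returns 1 on unrecognised input.
ossl_parse_version() {
    local out="$1" cli lib
    cli=$(printf '%s\n' "$out" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p')
    lib=$(printf '%s\n' "$out" | sed -n 's/.*(Library: OpenSSL \([^ ]*\).*/\1/p')
    [ -n "$cli" ] || return 1
    printf '%s %s\n' "$cli" "${lib:-$cli}"
}

# 0 when the CLI and the libcrypto/libssl it loaded are the same version.
# Anything else means /usr/bin/openssl and the library the loader picked come
# from different installs (the "version number vs library version" problem).
ossl_versions_match() {
    local pair
    pair=$(ossl_parse_version "$1") || return 1
    [ "${pair% *}" = "${pair#* }" ]
}

# 0 when the version is in a series that still receives public fixes.
ossl_is_supported() {
    local pair
    pair=$(ossl_parse_version "$1") || return 1
    case "${pair% *}" in
        3.*) return 0 ;;   # 3.x: supported
        *)   return 1 ;;   # 1.0.2 / 1.1.0 / 1.1.1: end of life
    esac
}

# Given `ldd <binary>` output, print each libssl/libcrypto entry that is
# unresolved ("not found") or resolved to an EOL soname (.so.1.1, .so.10,
# .so.1.0.x). Empty output is the pass condition. libk5crypto is not matched.
ldd_bad_crypto_links() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^lib(ssl|crypto)\.so/ {
            if ($0 ~ /not found/ || $1 ~ /\.so\.(1\.1|10|1\.0\.[0-9])$/) print $1
        }'
}

# Live checks: the openssl CLI, plus every binary that must have been relinked
# against the new library (assumed list; pass more paths as arguments).
# Exit status is the number of problems found.
check_system() {
    local problems=0 out bin bad
    out=$(openssl version 2>&1) || { echo "openssl CLI does not run: $out"; return 1; }
    ossl_versions_match "$out" || { echo "CLI/library version mismatch: $out"; problems=$((problems+1)); }
    ossl_is_supported "$out"   || { echo "EOL OpenSSL in use: $out";          problems=$((problems+1)); }
    for bin in /usr/bin/openssl /usr/bin/ssh /usr/sbin/sshd "$@"; do
        [ -x "$bin" ] || continue
        bad=$(ldd_bad_crypto_links "$(ldd "$bin" 2>/dev/null)")
        [ -z "$bad" ] || { echo "$bin resolves EOL or missing library: $bad"; problems=$((problems+1)); }
    done
    return "$problems"
}
```

Source the file and run `check_system` after 2.6 and again after 3.4; a non-zero exit status lists exactly which binary still pulls in libcrypto.so.1.1 or cannot find libssl.so.3, which is the information sections 4.2 and 4.3 are about.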
3. Upgrade OpenSSH
mkdir /tmp/update-openssh && cd /tmp/update-openssh
3.1 Back up
# back up ssh
mv /etc/ssh /etc/ssh.bak
mv /usr/bin/ssh /usr/bin/ssh.bak
mv /usr/sbin/sshd /usr/sbin/sshd.bak
mv /etc/pam.d/sshd /etc/pam.d/sshd.bak
Moving /etc/ssh takes the host keys with it. Either copy ssh_host_*_key and ssh_host_*_key.pub back from /etc/ssh.bak after installing, or expect every client to see a host-key-changed warning for this host. A silently changed host key is also what a man-in-the-middle looks like to users, so keeping the existing keys is the better choice.
3.2 Remove
# remove openssh (openssh-clients and openssh-server depend on it and go with it)
rpm -qa|grep openssh
yum remove openssh
Existing SSH sessions stay open until sshd is restarted, but no new connection is possible until 3.4 is complete; that is the window the telnet fallback from 1.3 covers.
3.3 Build and install
# in the extracted OpenSSH source tree
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-zlib --with-md5-passwords --with-pam --with-ssl-dir=/usr/local/openssl
# --with-ssl-dir must be the prefix the new OpenSSL was installed under (the directory containing include/openssl and lib64):
# /usr/local/openssl for the build in 2.3, /usr for the build in 2.6. The page's value /usr/local/lib64 is a library directory, not a prefix.
# build
make
# if make fails, run make clean before retrying
# install
make install
3.4 Configure
cp contrib/redhat/sshd.init /etc/init.d/sshd
# PAM looks up the control file by service name, so it must be /etc/pam.d/sshd (not sshd.pam); this is the file the warning in 4.6 asks for
cp contrib/redhat/sshd.pam /etc/pam.d/sshd
echo "KexAlgorithms +diffie-hellman-group1-sha1">>/etc/ssh/sshd_config
echo "PermitRootLogin yes">>/etc/ssh/sshd_config
echo "PubkeyAuthentication yes">>/etc/ssh/sshd_config
The first two lines weaken the server. diffie-hellman-group1-sha1 is a 1024-bit group with SHA-1 that OpenSSH has disabled by default since 7.0; add it only if a specific legacy client cannot negotiate anything else, and remove it once that client is upgraded. PermitRootLogin yes permits root password logins; prohibit-password keeps root reachable by key only. Run sshd -t before the restart below: a parse error in sshd_config leaves the host with no sshd at all.
chkconfig --add sshd
chkconfig sshd on
systemctl enable sshd
systemctl restart sshd
ssh -V
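The two sshd_config lines that step 3.4 appends are the ones a reviewer would flag, and restarting sshd without a config check is how the telnet fallback ends up being used. The following is an added example, not part of the original post: it audits config text for those directives, produces the hardened form beside the weak one, and restarts sshd only after `sshd -t` accepts the new file. The sample config is constructed; the `.pre-harden` backup name and the path /usr/sbin/sshd are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit the sshd_config directives
# appended in step 3.4 and restart sshd only after its own config check passes.
# The audit/harden helpers work on config text so they can be tested on the
# constructed sample below; apply_hardening() operates on the real file.
set -u

# Constructed sample: the lines step 3.4 appends, plus a minimal baseline.
SAMPLE_SSHD_CONFIG='Port 22
HostKey /etc/ssh/ssh_host_ed25519_key
# KexAlgorithms +diffie-hellman-group1-sha1   (commented copy: must be ignored)
KexAlgorithms +diffie-hellman-group1-sha1
PermitRootLogin yes
PubkeyAuthentication yes'

# Print one finding per weak directive. Keywords are compared
# case-insensitively (as sshd does); comments and blank lines are skipped.
sshd_config_audit() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            key = tolower($1)
            if (key == "kexalgorithms" && $0 ~ /diffie-hellman-group1-sha1/)
                print "KexAlgorithms re-enables diffie-hellman-group1-sha1 (1024-bit group, SHA-1; off by default since OpenSSH 7.0)"
            if (key == "permitrootlogin" && tolower($2) == "yes")
                print "PermitRootLogin yes allows root password logins; prefer prohibit-password"
        }'
}

# Print the config with the weak directives replaced: drop the group1 line so
# the OpenSSH default KEX list applies, and allow root only with keys.
sshd_config_harden() {
    printf '%s\n' "$1" | sed -E \
        -e '/^[[:space:]]*KexAlgorithms[[:space:]]+\+diffie-hellman-group1-sha1[[:space:]]*$/d' \
        -e 's/^([[:space:]]*PermitRootLogin)[[:space:]]+yes[[:space:]]*$/\1 prohibit-password/'
}

# Harden the live file and restart sshd only if `sshd -t` accepts the result,
# so a bad config cannot lock you out (the scenario the telnet fallback in 1.3
# exists for). The original is kept as <file>.pre-harden (assumed name).
apply_hardening() {
    local cfg="${1:-/etc/ssh/sshd_config}" tmp
    tmp=$(mktemp) || return 1
    sshd_config_harden "$(cat "$cfg")" >"$tmp"
    if /usr/sbin/sshd -t -f "$tmp"; then
        cp -p "$cfg" "$cfg.pre-harden" && cat "$tmp" >"$cfg" && rm -f "$tmp"
        systemctl restart sshd
    else
        echo "hardened config rejected by sshd -t; $cfg left untouched" >&2
        rm -f "$tmp"
        return 1
    fi
}
```

Run `sshd_config_audit "$(cat /etc/ssh/sshd_config)"` first to see what would change; `apply_hardening` then does the rewrite, the `sshd -t` check and the restart in one step, and leaves the file alone if the check fails. Keep the telnet session from 1.3 open until the new sshd has accepted a fresh login.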
4. Troubleshooting
4.1 Failed to set locale, defaulting to C.UTF-8
Fix
echo "export LC_ALL=en_US.UTF8" >> /etc/profile
source /etc/profile
4.2 ssh: symbol lookup error: /lib64/libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b
Fix
Cause: libk5crypto.so.3 (krb5-libs) is linked against the distribution's libcrypto.so.1.1 and requires symbols with the OPENSSL_1_1_1b version tag; EVP_KDF_ctrl exists in 1.1.1 but not in 3.x. The message means the libcrypto the loader handed to libk5crypto is not the distribution's 1.1.1k library. Keep /usr/lib64/libcrypto.so.1.1 and libssl.so.1.1 from openssl-libs in place alongside the new .so.3 files (different sonames, so they coexist; never symlink one name onto the other), and check with ldd on /usr/bin/ssh which libcrypto each dependency resolves to.
4.3 openssl: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory
Fix
The loader cannot find the 3.x libraries. Either add their directory to /etc/ld.so.conf and run ldconfig (2.4 b), or link them into the standard path as below; only the lib or lib64 pair that exists for your build is needed (the other two commands fail harmlessly).
ln -s /usr/local/openssl/lib/libssl.so.3 /usr/lib/libssl.so.3
ln -s /usr/local/openssl/lib64/libssl.so.3 /usr/lib64/libssl.so.3
ln -s /usr/local/openssl/lib/libcrypto.so.3 /usr/lib/libcrypto.so.3
ln -s /usr/local/openssl/lib64/libcrypto.so.3 /usr/lib64/libcrypto.so.3
4.4 crypto/comp/c_zlib.c:27:11: fatal error: zlib.h: No such file or directory # include <zlib.h>
Fix
yum -y install zlib-devel
4.5 configure: error: PAM headers not found
Fix
yum -y install pam-devel
4.6 PAM is enabled. You may need to install a PAM control file for sshd, otherwise password authentication may fail. Example PAM control files can be found in the contrib/subdirectory
Fix
Install the example control file under the service name sshd, as in 3.4: cp contrib/redhat/sshd.pam /etc/pam.d/sshd. A file named /etc/pam.d/sshd.pam is not consulted by PAM.
4.7 It is required that your private key files are NOT accessible by others.This private key will be ignored.sshd: no hostkeys available -- exiting.make: [Makefile:385: check-config] Error 1 (ignored)
Fix
chmod 600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key
These are the host's private keys; sshd refuses any key file readable by others and, with no usable host key left, exits. If the keys were restored from /etc/ssh.bak, check ownership as well (chown root:root).