openssl升级

需要部署nginx的https环境，之前是yum安装的openssl，版本比较低，如下：

[root@nginx ~]# yum install -y pcre pcre-devel openssl openssl-devel gcc
[root@nginx ~]# openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Wed Mar 22 21:43:28 UTC 2017
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  rdrand dynamic

下载openSSL最新版本进行重新编译，安装步骤如下：

[root@nginx ~]# tar -zvxf openssl-1.1.1a.tar.gz
[root@nginx ~]# cd openssl-1.1.1a
[root@nginx openssl-1.1.1a]# ./config shared zlib
[root@nginx openssl-1.1.1a]# make
[root@nginx openssl-1.1.1a]# make install
 
 
[root@nginx openssl-1.1.1a]# mv /usr/bin/openssl /usr/bin/openssl.bak
[root@nginx openssl-1.1.1a]# mv /usr/include/openssl /usr/include/openssl.bak
 
[root@nginx openssl-1.1.1a]#  find / -name openssl
/etc/pki/ca-trust/extracted/openssl
/data/software/nginx-1.12.2/auto/lib/openssl
/data/software/openssl-1.1.1a/apps/openssl
/data/software/openssl-1.1.1a/include/openssl
/usr/lib64/openssl
/usr/local/share/doc/openssl
/usr/local/include/openssl
/usr/local/bin/openssl
/usr/include/openssl
/usr/bin/openssl
 
#建立openssl 的软路由
[root@nginx openssl-1.1.1a]# ln -s /usr/local/bin/openssl /usr/bin/openssl
[root@nginx openssl-1.1.1a]# ln -s /usr/local/include/openssl /usr/include/openssl
 
查看libssl的目录
[root@external-lb01 ~]# find / -name "libssl*"
/data/software/openssl-1.1.1a/libssl.pc
/data/software/openssl-1.1.1a/libssl.so
/data/software/openssl-1.1.1a/libssl.a
/data/software/openssl-1.1.1a/libssl.so.1.1
/data/software/openssl-1.1.1a/util/libssl.num
/usr/lib64/libssl3.so
/usr/lib64/pkgconfig/libssl.pc
/usr/lib64/libssl.so.1.0.1e
/usr/lib64/libssl.so
/usr/lib64/libssl.so.10
/usr/local/lib64/libssl.a
/usr/local/lib64/pkgconfig/libssl.pc
/usr/local/lib64/libssl.so
/usr/local/lib64/libssl.so.1.1
 
[root@nginx openssl-1.1.1a]# echo "/usr/local/lib64/" >> /etc/ld.so.conf
[root@nginx openssl-1.1.1a]# ldconfig
 
[root@nginx openssl-1.1.1a]# openssl version -a
OpenSSL 1.1.1a  20 Nov 2018
built on: Sun Jan  6 07:53:13 2019 UTC
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr) 
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib64/engines-1.1"
Seeding source: os-specific

#为适应NGINX编译需要设置参数
#需要修改openss路径，不然会出现找不到openssl目录的问题
[root@external-lb01 nginx-1.12.2]# cd auto/lib/openssl
[root@external-lb01 openssl]# cp conf /mnt/
[root@external-lb01 openssl]# vim conf
将
            CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
            CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
            CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
            CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
            CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
修改为
            CORE_INCS="$CORE_INCS $OPENSSL/include"
            CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
            CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"
            CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"
            CORE_LIBS="$CORE_LIBS $NGX_LIBDL"

#建立libssl.a和libcrypto.a的软连接，
[root@external-lb01 nginx-1.12.2]# mkdir /usr/local/ssl/lib
[root@external-lb01 nginx-1.12.2]# ln -s /usr/local/lib64/libssl.a /usr/local/ssl/lib/libssl.a
[root@external-lb01 nginx-1.12.2]# ln -s /usr/local/lib64/libcrypto.a /usr/local/ssl/lib/libcrypto.a
 
#建立建立软连接openssl安卓后，/usr/local/ssl/下没有include路径，用重新指向
 [root@localhost ssl]#  ln -s /usr/include/ /usr/local/ssl/include
 [root@localhost ssl]# ll
 total 48
 drwxr-xr-x 2 root root  4096 Jan  6 15:55 certs
 -rw-r--r-- 1 root root   414 Jan  6 15:55 ct_log_list.cnf
 -rw-r--r-- 1 root root   414 Jan  6 15:55 ct_log_list.cnf.dist
  lrwxrwxrwx 1 root root    13 Jan  6 16:18 include -> /usr/include/
  drwxr-xr-x 2 root root  4096 Jan  6 16:11 lib
  drwxr-xr-x 2 root root  4096 Jan  6 15:55 misc
  -rw-r--r-- 1 root root 10911 Jan  6 15:55 openssl.cnf
  -rw-r--r-- 1 root root 10911 Jan  6 15:55 openssl.cnf.dist
  drwxr-xr-x 2 root root  4096 Jan  6 15:55 private
  重新编译就可以了，编译完成后替换原有的NGINX执行文件就结束了

openssl升级

你可能感兴趣的:(openssl升级)