等保测评-CentOS7制作openssl的rpm包,升级到openssl-1.1.1k

升级OpenSSL是为了解决SSL/TLS协议信息泄露漏洞(CVE-2016-2183)

1、安装依赖

# Build prerequisites for the OpenSSL RPM; same package set, one group per line.
yum install -y \
  wget rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel \
  unzip libXt-devel imake gtk2-devel openssl-libs

2、编写打包脚本

vim rpm-openssl_1.1.1k.sh

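#!/bin/bash
#
# Build openssl / openssl-devel RPMs for OpenSSL 1.1.1k on CentOS 7.
#
# Must be run as root: it installs and removes packages with yum and writes
# the build tree under /root/rpmbuild.
#
# Optional environment:
#   OPENSSL_SHA256  expected SHA-256 of the source tarball, obtained from a
#                   source you trust. When set, the build stops on mismatch.
#
# NOTE(review): the version is pinned to 1.1.1k as in the original write-up;
# check the upstream release notes for later 1.1.1 fixes before deploying.
set -euo pipefail
set -v

readonly OPENSSL_VERSION="1.1.1k"
readonly TARBALL="openssl-${OPENSSL_VERSION}.tar.gz"
readonly WORKDIR="${HOME}/openssl"
readonly TOPDIR="/root/rpmbuild"

# -p: a second run must not abort under `set -e` just because the directory
# already exists.
mkdir -p "$WORKDIR"
cd "$WORKDIR"

yum -y install \
    curl \
    which \
    make \
    gcc \
    perl \
    perl-WWW-Curl \
    rpm-build

# NOTE(review): this removes the distribution openssl package before the new
# one has been built, and `-y` also confirms removal of anything yum decides
# depends on it. Review the transaction on a test host first.
yum -y remove openssl

# Get openssl tarball.
# --fail / --show-error: an HTTP error must stop the build instead of saving
# an error page under the tarball name; --location follows redirects.
curl --fail --location --silent --show-error -O \
    "https://www.openssl.org/source/${TARBALL}"

# Integrity check: TLS protects the transfer only, so compare the tarball with
# a digest supplied by the operator before it is built into a package.
if [[ -n "${OPENSSL_SHA256:-}" ]]; then
    printf '%s  %s\n' "$OPENSSL_SHA256" "$TARBALL" | sha256sum --check --strict -
else
    printf 'WARNING: OPENSSL_SHA256 is not set; %s was NOT verified\n' \
        "$TARBALL" >&2
fi

# SPEC file
# The heredoc delimiter is quoted, so nothing below is expanded by the shell.
# License tag corrected: OpenSSL 1.1.1 ships under the OpenSSL/SSLeay
# licenses, not GPLv2+.
cat << 'EOF' > "$WORKDIR/openssl.spec"
Summary: OpenSSL 1.1.1k for Centos
Name: openssl
Version: %{?version}%{!?version:1.1.1k}
Release: 1%{?dist}
Obsoletes: %{name} <= %{version}
Provides: %{name} = %{version}
URL: https://www.openssl.org/
License: OpenSSL
Source: https://www.openssl.org/source/%{name}-%{version}.tar.gz
BuildRequires: make gcc perl perl-WWW-Curl
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
# openssldir 可以自行更改
%global openssldir /usr/local/openssl
%description
https://github.com/philyuchkoff/openssl-RPM-Builder
OpenSSL RPM for version 1.1.1k on Centos
%package devel
Summary: Development files for programs which will use the openssl library
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
%description devel
OpenSSL RPM for version 1.1.1k on Centos (development package)
%prep
%setup -q
%build
./config --prefix=%{openssldir} --openssldir=%{openssldir}
make
%install
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}
%make_install
mkdir -p %{buildroot}%{_bindir}
mkdir -p %{buildroot}%{_libdir}
ln -sf %{openssldir}/lib/libssl.so.1.1 %{buildroot}%{_libdir}
ln -sf %{openssldir}/lib/libcrypto.so.1.1 %{buildroot}%{_libdir}
ln -sf %{openssldir}/bin/openssl %{buildroot}%{_bindir}
%clean
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}
%files
%{openssldir}
%defattr(-,root,root)
/usr/bin/openssl
/usr/lib64/libcrypto.so.1.1
/usr/lib64/libssl.so.1.1
%files devel
%{openssldir}/include/*
%defattr(-,root,root)
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
EOF


# Lay out the rpmbuild tree and hand the spec file and tarball to it.
mkdir -p "$TOPDIR"/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
cp "$WORKDIR/openssl.spec" "$TOPDIR/SPECS/openssl.spec"

mv "$TARBALL" "$TOPDIR/SOURCES"
cd "$TOPDIR/SPECS"
# -D overrides the default version baked into the spec; -ba builds both the
# binary and the source packages.
rpmbuild \
    -D "version ${OPENSSL_VERSION}" \
    -ba openssl.spec


# For install:  rpm -ivvh /root/rpmbuild/RPMS/x86_64/openssl-1.1.1k-1.el7.x86_64.rpm --nodeps
#               (--nodeps skips rpm's dependency checks)
# Verify install:  rpm -qa openssl
#                  openssl version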
构建完成后界面打印以下内容:

检查未打包文件:/usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/openssl-1.1.1k-1.el7.x86_64
写道:/root/rpmbuild/SRPMS/openssl-1.1.1k-1.el7.src.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssl-1.1.1k-1.el7.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssl-devel-1.1.1k-1.el7.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssl-debuginfo-1.1.1k-1.el7.x86_64.rpm
执行(%clean): /bin/sh -e /var/tmp/rpm-tmp.CdyqOD
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd openssl-1.1.1k
+ '[' /root/rpmbuild/BUILDROOT/openssl-1.1.1k-1.el7.x86_64 '!=' / ']'
+ /usr/bin/rm -rf /root/rpmbuild/BUILDROOT/openssl-1.1.1k-1.el7.x86_64
+ exit 0


# For install:  rpm -ivvh /root/rpmbuild/RPMS/x86_64/openssl-1.1.1k-1.el7.x86_64.rpm --nodeps
# Verify install:  rpm -qa openssl
#                  openssl version

3、升级OpenSSL

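卸载旧版,注意 openssl-libs 不能卸载(系统中的许多程序动态链接它提供的 libssl/libcrypto)。也正因为保留了 openssl-libs,这些程序仍会继续加载旧版库;升级后请用 ldd 确认对外提供 TLS 的服务实际加载的是哪个 libssl,再判断该服务的漏洞是否已经修复。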

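# Erase the old OpenSSL packages but keep openssl-libs.
# The match is anchored to the start of the package name: an unanchored
# `grep openssl` also selects unrelated packages that merely contain
# "openssl" in their name, and --nodeps would erase them without any
# dependency check.
mapfile -t old_pkgs < <(rpm -qa | grep '^openssl' | grep -v libs)
if (( ${#old_pkgs[@]} > 0 )); then
  # Show exactly what is about to be erased before doing it.
  printf 'erasing: %s\n' "${old_pkgs[@]}"
  rpm -e --nodeps "${old_pkgs[@]}"
else
  # An empty list would make `rpm -e` fail with a usage error.
  echo 'no old openssl packages to erase'
fi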

安装新版,确定要安装的包

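# Stage the built packages in ~/openssl. The steps are chained with && so a
# failed cd cannot make cp or rm act on the wrong directory.
# The debuginfo package is deleted so the later `rpm -Uvh *.rpm` does not
# install it; rm -f is enough for a single file.
cd /root/rpmbuild/RPMS/x86_64/ &&
  cp -- openssl* ~/openssl &&
  cd ~/openssl &&
  rm -f -- openssl-debuginfo-1.1.1k-1.el7.x86_64.rpm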

开始安装

[root@localhost openssl]# rpm -Uvh *.rpm --nodeps
准备中...                          ################################# [100%]
正在升级/安装...
   1:openssl-1.1.1k-1.el7             ################################# [ 50%]
   2:openssl-devel-1.1.1k-1.el7       ################################# [100%]
[root@localhost openssl]# openssl version
OpenSSL 1.1.1k  25 Mar 2021