2014년 Heartbleed 버그 조치, OpenSSL 컴파일 설치

(Heartbleed 버그 조치에서 넘어옴)
Ubuntu Heartbleed 버그 조치
우분투 Heartbleed 버그 해결
OpenSSL 패치, 최신버전 설치
OpenSSL 컴파일 설치

1 확인[ | ]

root@Ubuntu01:~# openssl version
OpenSSL 1.0.1f 6 Jan 2014
HeartBleed 취약 버전[1]이다.

2 새버전 다운로드[ | ]

root@Ubuntu01:~# wget https://www.openssl.org/syntaxhighlight/openssl-1.0.2h.tar.gz --no-check-certificate
--2016-06-10 13:31:36--  https://www.openssl.org/syntaxhighlight/openssl-1.0.2h.tar.gz
Resolving www.openssl.org (www.openssl.org)... 194.97.150.234, 2001:608:c00:180::1:ea
Connecting to www.openssl.org (www.openssl.org)|194.97.150.234|:443... connected.
WARNING: cannot verify www.openssl.org's certificate, issued by ‘/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2’:
  Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 200 OK
Length: 5274412 (5.0M) [application/x-gzip]
Saving to: ‘openssl-1.0.2h.tar.gz’

100%[==================================>] 5,274,412   26.1KB/s   in 4m 35s 

2016-06-10 13:36:10 (18.7 KB/s) - ‘openssl-1.0.2h.tar.gz’ saved [5274412/5274412]

3 기존버전 제거[ | ]

root@Ubuntu01:~# apt-get autoremove --purge openssl
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be REMOVED:
  ca-certificates* landscape-common* linux-headers-3.13.0-24*
  linux-headers-3.13.0-24-generic* linux-image-3.13.0-24-generic*
  linux-image-extra-3.13.0-24-generic* openssl* python-requests*
  software-properties-common* ssh-import-id*
0 upgraded, 0 newly installed, 10 to remove and 0 not upgraded.
After this operation, 272 MB disk space will be freed.
Do you want to continue? [Y/n]
... (생략)
Removing ca-certificates (20160104ubuntu0.14.04.1) ...
Removing dangling symlinks from /etc/ssl/certs... done.
Purging configuration files for ca-certificates (20160104ubuntu0.14.04.1) ...
Removing dangling symlinks from /etc/ssl/certs... done.
Removing openssl (1.0.1f-1ubuntu2.18) ...
Purging configuration files for openssl (1.0.1f-1ubuntu2.18) ...
Processing triggers for man-db (2.6.7.1-1ubuntu1) ...

4 apt-get 업데이트[ | ]

root@Ubuntu01:~# apt-get update
... (생략)
Get:47 http://security.ubuntu.com precise-security/restricted Translation-en [1,253 B]
Get:48 http://security.ubuntu.com precise-security/universe Translation-en [56.7 kB]
Fetched 10.8 MB in 6s (1,696 kB/s)                             
Reading package lists... Done

5 gcc, make, libssl-dev 설치[ | ]

root@Ubuntu01:~# apt-get install gcc make libssl-dev
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following package was automatically installed and is no longer required:
  python-urllib3
Use 'apt-get autoremove' to remove it.
The following extra packages will be installed:
  binutils cpp cpp-4.8 gcc-4.8 gcc-4.8-base libasan0 libatomic1 libc-dev-bin
  libc6 libc6-dev libcloog-isl4 libgcc-4.8-dev libgmp10 libgomp1 libisl10
  libitm1 libmpc3 libmpfr4 libquadmath0 libssl-doc libssl1.0.0 libstdc++6
  libtsan0 linux-libc-dev manpages-dev zlib1g-dev
Suggested packages:
  binutils-doc cpp-doc gcc-4.8-locales gcc-multilib autoconf automake1.9
  libtool flex bison gdb gcc-doc gcc-4.8-multilib gcc-4.8-doc libgcc1-dbg
  libgomp1-dbg libitm1-dbg libatomic1-dbg libasan0-dbg libtsan0-dbg
  libquadmath0-dbg glibc-doc make-doc
The following NEW packages will be installed:
  binutils cpp cpp-4.8 gcc gcc-4.8 libasan0 libatomic1 libc-dev-bin libc6-dev
  libcloog-isl4 libgcc-4.8-dev libgmp10 libgomp1 libisl10 libitm1 libmpc3
  libmpfr4 libquadmath0 libssl-dev libssl-doc libtsan0 linux-libc-dev make
  manpages-dev zlib1g-dev
The following packages will be upgraded:
  gcc-4.8-base libc6 libssl1.0.0 libstdc++6
4 upgraded, 25 newly installed, 0 to remove and 41 not upgraded.
Need to get 27.5 MB of archives.
After this operation, 79.2 MB of additional disk space will be used.
Do you want to continue? [Y/n]
... (생략)
Setting up libssl-doc (1.0.1f-1ubuntu2.19) ...
Setting up make (3.81-8.2ubuntu3) ...
Setting up manpages-dev (3.54-1ubuntu1) ...
Processing triggers for libc-bin (2.19-0ubuntu6.7) ...

6 새버전 설치[ | ]

root@Ubuntu01:~# tar xvfz openssl-1.0.2h.tar.gz 
... (생략)
openssl-1.0.2h/VMS/ucx_shr_vaxc.opt
openssl-1.0.2h/VMS/VMSify-conf.pl
openssl-1.0.2h/VMS/WISHLIST.TXT
root@Ubuntu01:~# cd openssl-1.0.2h/
root@Ubuntu01:~/openssl-1.0.2h# ./config
... (생략)
jpaketest.c => dummytest.c
make[1]: Leaving directory `/root/openssl-1.0.2h/test'

Configured for linux-x86_64.

*** Because of configuration changes, you MUST do the following before
*** building:

	make depend
root@Ubuntu01:~/openssl-1.0.2h# make depend
... (생략)
making depend in tools...
make[1]: Entering directory `/root/openssl-1.0.2h/tools'
make[1]: Nothing to be done for `depend'.
make[1]: Leaving directory `/root/openssl-1.0.2h/tools'
root@Ubuntu01:~/openssl-1.0.2h# make test
... (생략)
SSLv2 CONF test: PASSED
make[1]: Leaving directory `/root/openssl-1.0.2h/test'
OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a
OpenSSL 1.0.2h  3 May 2016
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: gcc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/local/ssl"
root@Ubuntu01:~/openssl-1.0.2h# make install
... (생략)
installing libcrypto.a
installing libssl.a
cp libcrypto.pc /usr/local/ssl/lib/pkgconfig
chmod 644 /usr/local/ssl/lib/pkgconfig/libcrypto.pc
cp libssl.pc /usr/local/ssl/lib/pkgconfig
chmod 644 /usr/local/ssl/lib/pkgconfig/libssl.pc
cp openssl.pc /usr/local/ssl/lib/pkgconfig
chmod 644 /usr/local/ssl/lib/pkgconfig/openssl.pc

7 확인 2[ | ]

root@Ubuntu01:~/openssl-1.0.2h# openssl version
-su: /usr/bin/openssl: No such file or directory
→ 컴파일 설치했기 때문에 openssl /usr/bin/ 대신 /usr/local/ssl/bin/에 있다.
root@Ubuntu01:~/openssl-1.0.2h# /usr/local/ssl/bin/openssl version
OpenSSL 1.0.2h  3 May 2016
→ HeartBleed 문제가 해결된 안전한 최신버전으로 바뀌었다.

8 심볼릭 링크 생성[ | ]

기존에 /usr/bin/openssl 를 사용하는 스크립트나 프로그램이 있다면 문제가 발생할 수 있으니 심볼릭 링크를 만들어 주자.

root@Ubuntu01:~/openssl-1.0.2h# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
root@Ubuntu01:~/openssl-1.0.2h# openssl version
OpenSSL 1.0.2h  3 May 2016

9 같이 보기[ | ]

10 참고[ | ]

  1. OpenSSL 1.0.2-beta, OpenSSL 1.0.1 ~ 1.0.1f
문서 댓글 ({{ doc_comments.length }})
{{ comment.name }} {{ comment.created | snstime }}