새로운 Paypal 보안 표준에 맞도록 OpenSuse 11.4 서버에서 openssl 라이브러리를 업그레이드하려고합니다 ( https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1914&viewlocale=en_US ) .
이전에는이 openssl 버전을 설치했습니다.
openssl version
OpenSSL 1.0.0c 2 Dec 2010
업데이트를 확인했습니다.
zypper update openssl
Loading repository data...
Warning: Repository 'Updates for openSUSE 11.4 11.4-0' appears to outdated. Consider using a different mirror or server.
Reading installed packages...
No update candidate for 'openssl-1.0.0c-18.42.1.x86_64'. The highest available version is already installed.
Resolving package dependencies...
zypper가 새로운 openssl 버전을 찾을 수 없으므로 Evergreen 저장소를 추가했습니다.
sudo zypper ar --refresh -r http://download.opensuse.org/evergreen/11.4/openSUSE:Evergreen:11.4.repo
Adding repository 'Evergreen update repository for openSUSE 11.4 (standard)' [done]
Repository 'Evergreen update repository for openSUSE 11.4 (standard)' successfully added
Enabled: Yes
Autorefresh: Yes
URI: http://download.opensuse.org/repositories/openSUSE:/Evergreen:/11.4/standard/
그런 다음 리포지토리를 새로 고쳤습니다.
zypper refresh
Repository 'Updates for openSUSE 11.4 11.4-0' is up to date.
Retrieving repository 'Evergreen update repository for openSUSE 11.4 (standard)' metadata [\]
New repository or package signing key received:
Key ID: 241B84B36A0F1588
Key Name: openSUSE:Evergreen OBS Project <openSUSE:Evergreen@build.opensuse.org>
Key Fingerprint: D25EAF514D59C654B9BCE005241B84B36A0F1588
Key Created: Fri 15 May 2015 03:33:05 PM CEST
Key Expires: Sun 23 Jul 2017 03:33:05 PM CEST
Repository: Evergreen update repository for openSUSE 11.4 (standard)
Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r): a
Retrieving repository 'Evergreen update repository for openSUSE 11.4 (standard)' metadata [done]
Building repository 'Evergreen update repository for openSUSE 11.4 (standard)' cache [done]
Repository 'openSUSE-11.4-Non-Oss' is up to date.
Repository 'openSUSE-11.4-Oss' is up to date.
All repositories have been refreshed.
마지막으로 openssl 업데이트 :
zypper update openssl
Loading repository data...
Warning: Repository 'Updates for openSUSE 11.4 11.4-0' appears to outdated. Consider using a different mirror or server.
Warning: Repository 'Evergreen update repository for openSUSE 11.4 (standard)' appears to outdated. Consider using a different mirror or server.
Reading installed packages...
Resolving package dependencies...
The following package is going to be upgraded:
openssl
1 package to upgrade.
Overall download size: 541.0 KiB. After the operation, additional 77.0 KiB will be used.
Continue? [y/n/?] (y): y
Retrieving package openssl-1.0.1p-74.1.x86_64 (1/1), 541.0 KiB (1.3 MiB unpacked)
Retrieving: openssl-1.0.1p-74.1.x86_64.rpm [done (844.4 KiB/s)]
Installing: openssl-1.0.1p-74.1 [done]
아파치를 다시 시작했습니다.
/etc/init.d/apache2 restart
Syntax OK
Shutting down httpd2 (waiting for all children to terminate) done
Starting httpd2 (prefork)
그리고 Paypal을 준수하는지 확인하십시오.
php -r '$ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "https://tlstest.paypal.com/"); var_dump(curl_exec($ch)); var_dump(curl_error($ch));'
bool(false)
string(67) "Unknown SSL protocol error in connection to tlstest.paypal.com:443 "
openssl 버전에 “(라이브러리 : OpenSSL 1.0.0c 2010 년 12 월 2 일)”이 표시됩니다.
openssl version -a
OpenSSL 1.0.1p 9 Jul 2015 (Library: OpenSSL 1.0.0c 2 Dec 2010)
built on: 2012-05-23 05:01:20.000000000 +0000
platform: linux-x86_64
options: bn(64,64) rc4(1x,char) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -Wa,--noexecstack -fomit-frame-pointer -fno-strict-aliasing -DTERMIO -DPURIFY -Wall -fstack-protector -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM
OPENSSLDIR: "/etc/ssl"
openssl이 업데이트되었지만 여전히 이전 1.0.0 라이브러리를 사용하고있는 것 같습니다 … 시스템이 최신 2016 Paypal 보안 표준을 준수하도록이 문제를 해결하는 방법에 대한 아이디어가 있습니까?
답변
문제는 Apache 설치가 새 OpenSSL 설치의 공유 라이브러리를 연결할 수 없다는 것입니다. 명령을 실행하십시오 ldd /usr/local/apache/modules/mod_ssl.so
(mod_ssl.so의 적절한 경로와 함께). mod_ssl.so가 라이브러리에 링크되어 있지 않다는 것을 알 수 있습니다./usr/local/ssl/lib
문제를 해결하기위한 몇 가지 옵션이 있습니다.
옵션 # 1-라이브러리의 링크 :
/etc/ld.so.conf.d/local.conf
편집을 위해 열고 다음 행을 추가하십시오./usr/local/openssl/lib
Apache를 다시 컴파일하고 (기억하십시오 make clean
) 작동해야합니다.
그래도 작동하지 않으면 명령을 사용 하여 LDFLAGS
직접 지정할 수도 있습니다 configure
.
LDFLAGS=-L/usr/local/ssl/lib \ ./configure --with-included-apr --prefix=/usr/local/apache2 --enable-so
--enable-rewrite --with-ssl=/usr/local/ssl --enable-ssl=shared
--enable-deflate --enable-expires --enable-headers
옵션 # 2-시스템 OpenSSL을 업그레이드하십시오.
구성 줄을 사용하여 OpenSSL을 다시 설치하십시오. ./config --prefix=/usr --openssldir=/usr/local/openssl shared
구성 줄에 접두사가 지정되지 않은 경우 OpenSSL 설치 관리자는 기본적으로로 설정됩니다 /usr/local/ssl
.
빠른 설치 지침 :
cd /usr/local/src
wget https://www.openssl.org/source/openssl-1.0.2-latest.tar.gz
tar -zxf openssl-1.0.2*
cd openssl-1.0.2*
./config --prefix=/usr --openssldir=/usr/local/openssl shared
make
make test
make install