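A recent vulnerability scan turned up a lot of findings, so I upgraded Apache and installed a newer OpenSSL alongside the system one, without conflicting with it.
1. Install the required packages and check the environment
Environment: CentOS 7.6. System OpenSSL version:
openssl version -a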
OpenSSL 1.0.2k-fips 26 Jan 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: rdrand dynamic
Install the required packages
yum -y install gcc* expat-devel
2. Install the latest versions of the other packages Apache needs: apr, apr-util, pcre (and the new OpenSSL)
cd /usr/local/src
tar xf apr-1.7.0.tar.gz
cd apr-1.7.0/
./configure --prefix=/usr/local/apr
make && make install
cd ..
tar xf apr-util-1.6.1.tar.gz
cd apr-util-1.6.1/
./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
make && make install
cd ..
tar xf pcre-8.43.tar.gz
cd pcre-8.43/
./configure --prefix=/usr/local/pcre
make && make install
cd ..
tar xf openssl-1.1.1c.tar.gz
cd openssl-1.1.1c/
./config --prefix=/usr/local/ssl --shared
make && make install
echo "/usr/local/ssl/lib" >>/etc/ld.so.conf
ldconfig    # make the new library files take effect
3. Install Apache
cd ..
tar xf httpd-2.4.41.tar.gz
cd httpd-2.4.41/
./configure --prefix=/usr/local/httpd \
    --with-apr=/usr/local/apr \
    --with-apr-util=/usr/local/apr-util \
    --with-pcre=/usr/local/pcre \
    --enable-so --enable-rewrite \
    --enable-ssl --with-ssl=/usr/local/ssl \
    --with-mpm=prefork
make && make install
4. Make a minimal configuration change and start the server
vim /usr/local/httpd/conf/httpd.conf
    # set in httpd.conf:
    ServerName localhost:80
/usr/local/httpd/bin/apachectl start
5. Configure HTTPS access
# Private key (2048-bit RSA; shorter keys are no longer considered adequate)
/usr/local/ssl/bin/openssl genrsa -des3 -out server.key 2048
# Generate the server certificate signing request
openssl req -new -key server.key -out server.csr
# Self-sign the certificate (run in the conf directory)
/usr/local/ssl/bin/openssl x509 -req -days 700 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=C = CN, ST = beijing, L = beijing, O = lenovo.com, OU = IT, CN = liullm7
Getting Private key
Enter pass phrase for server.key:
vim httpd.conf
    # enable these lines in httpd.conf:
    Include conf/extra/httpd-ssl.conf
    # the two certificate/key file names referenced in httpd-ssl.conf are server.crt and server.key
    LoadModule ssl_module modules/mod_ssl.so
    LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Remove the passphrase from the private key so that it does not have to be entered at startup (run in the conf directory)
/usr/local/ssl/bin/openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key
/usr/local/httpd/bin/apachectl restart
6. Check the OpenSSL versions
/usr/local/ssl/bin/openssl version -a
OpenSSL 1.1.1c 28 May 2019
built on: Thu Aug 22 15:33:35 2019 UTC
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG
OPENSSLDIR: "/usr/local/ssl/ssl"
ENGINESDIR: "/usr/local/ssl/lib/engines-1.1"
Seeding source: os-specific
openssl version -a
OpenSSL 1.0.2k-fips 26 Jan 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: rdrand dynamic
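The two version outputs show that both OpenSSL builds coexist, but not which one the rebuilt mod_ssl actually loads. The following check is an added example, not part of the original post: it reads `ldd` output and confirms libssl and libcrypto resolve from /usr/local/ssl/lib. The function name check_ssl_linkage and the sample `ldd` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify which OpenSSL build mod_ssl.so is linked against.
# On a real host:
#   ldd /usr/local/httpd/modules/mod_ssl.so | check_ssl_linkage /usr/local/ssl/lib

# Constructed `ldd` samples (addresses and layout are illustrative, not captured).
SAMPLE_NEW='    libssl.so.1.1 => /usr/local/ssl/lib/libssl.so.1.1 (0x00007f0000a00000)
    libcrypto.so.1.1 => /usr/local/ssl/lib/libcrypto.so.1.1 (0x00007f0000600000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)'
SAMPLE_SYSTEM='    libssl.so.10 => /lib64/libssl.so.10 (0x00007f0000a00000)
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0000600000)'
SAMPLE_UNRESOLVED='    libssl.so.1.1 => not found
    libcrypto.so.1.1 => not found'

# stdin: ldd output; $1: directory the libraries are expected to load from.
# Prints one verdict per libssl/libcrypto line. Exit status is 0 only when both
# libraries are listed and both resolve inside the expected directory.
check_ssl_linkage() {
  awk -v want="${1%/}/" '
    $1 ~ /^lib(ssl|crypto)\.so/ {
      seen++
      if ($3 == "not")               { print "UNRESOLVED " $1; bad++ }
      else if (index($3, want) == 1) { print "OK " $1 " -> " $3 }
      else                           { print "UNEXPECTED " $1 " -> " $3; bad++ }
    }
    END {
      if (seen < 2) { print "INCOMPLETE: libssl/libcrypto not both listed"; exit 1 }
      exit (bad > 0)
    }'
}

# Run the check over each constructed sample and report the verdict.
for sample in "$SAMPLE_NEW" "$SAMPLE_SYSTEM" "$SAMPLE_UNRESOLVED"; do
  if printf '%s\n' "$sample" | check_ssl_linkage /usr/local/ssl/lib; then
    echo "verdict: pass"
  else
    echo "verdict: fail"
  fi
done
```

An UNRESOLVED verdict is what a host shows when the `ldconfig` step was skipped, and UNEXPECTED means the module was built against the system library instead of the new one.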
Original article: https://www.cnblogs.com/mmyy-blog/p/11408442.html