OpenSSL is an open-source software suite that gives applications the building blocks for secure communication: encryption, decryption, digital signatures, certificate management and so on. It is used throughout the internet; HTTPS, SSH, VPNs, e-mail and many other protocols and tools rely on OpenSSL to protect the confidentiality and integrity of data.

Check the default OpenSSL version on CentOS 7
```
[root@cent7z ~]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
[root@cent7z ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
[root@cent7z ~]# which openssl
/usr/bin/openssl
```
Build and install OpenSSL 1.1.1 from source

1. Download the dependencies
```
yum install -y perl-IPC-Cmd
yum install -y zlib zlib-devel openssl-devel sqlite-devel bzip2-devel libffi libffi-devel gcc gcc-c++
```
2. Back up
```
[root@cent7z ~]# mkdir openssl_bak
[root@cent7z ~]# cp /usr/bin/openssl openssl_bak/openssl_bak
[root@cent7z ~]# cp -a /usr/include/openssl openssl_bak/
```
3. Download and extract the OpenSSL 1.1.1 tarball, then build and install it
```
[root@cent7z opt]# wget https://www.openssl.org/source/openssl-1.1.1w.tar.gz --no-check-certificate
--2024-02-28 03:52:59--  https://www.openssl.org/source/openssl-1.1.1w.tar.gz
Resolving www.openssl.org (www.openssl.org)... 34.36.58.177, 2600:1901:0:1812::
Connecting to www.openssl.org (www.openssl.org)|34.36.58.177|:443... connected.
WARNING: cannot verify www.openssl.org's certificate, issued by ‘/C=US/O=Let's Encrypt/CN=R3’:
  Issued certificate has expired.
HTTP request sent, awaiting response... 200 OK
Length: 9893384 (9.4M) [application/x-tar]
Saving to: ‘openssl-1.1.1w.tar.gz’

100%[============================================================================================>] 9,893,384   3.14MB/s   in 3.0s

2024-02-28 03:53:03 (3.14 MB/s) - ‘openssl-1.1.1w.tar.gz’ saved [9893384/9893384]

[root@cent7z openssl-1.1.1w]# ./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl
Operating system: x86_64-whatever-linux2
Configuring OpenSSL version 1.1.1w (0x1010117fL) for linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Creating Makefile

**********************************************************************
***                                                                ***
***   OpenSSL has been successfully configured                     ***
***                                                                ***
***   If you encounter a problem while building, please open an    ***
***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
***   and include the output from the following command:           ***
***                                                                ***
***       perl configdata.pm --dump                                ***
***                                                                ***
***   (If you are new to OpenSSL, you might want to consult the    ***
***   'Troubleshooting' section in the INSTALL file first)         ***
***                                                                ***
**********************************************************************
[root@cent7z openssl-1.1.1w]# make
/usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \
    "-oMakefile" util/shlib_wrap.sh.in > "util/shlib_wrap.sh"
chmod a+x util/shlib_wrap.sh
make[1]: Leaving directory `/opt/openssl-1.1.1w'
[root@cent7z openssl-1.1.1w]# make install
/usr/local/openssl/share/doc/openssl/html/man7/scrypt.html
/usr/local/openssl/share/doc/openssl/html/man7/ssl.html
/usr/local/openssl/share/doc/openssl/html/man7/x509.html
[root@cent7z openssl-1.1.1w]# mv /usr/bin/openssl /usr/bin/openssl_bak
[root@cent7z openssl-1.1.1w]# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
```
# Without --prefix, OpenSSL's default install locations are:
Binary: /usr/local/bin/openssl
Headers: /usr/local/include/openssl
Libraries: /usr/local/lib64/
Engines: /usr/lib64/openssl/engines
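The session above downloads the tarball with certificate verification switched off and, in step 4, ends up pointing `--libdir` at `/usr/lib64` to cure the `libssl.so.1.1` loading error. The script below is an added example, not the post's own commands, that performs the same build with those two points handled differently: the CA bundle is refreshed so `wget` can verify `www.openssl.org`, the tarball's SHA-256 is compared with the `.sha256` sidecar openssl.org publishes next to it (assumed to contain the digest as a hex string), and the new `libssl.so.1.1`/`libcrypto.so.1.1` are made visible through a drop-in file under `/etc/ld.so.conf.d` rather than by installing into `/usr/lib64`, where the `libssl.so`/`libcrypto.so` development symlinks belong to the `openssl-devel` package installed in step 1. The prefix matches the post; the work directory, the drop-in file name and the `/usr/local/bin` symlink are assumptions.

```shell
#!/bin/sh
# Added example (not the post's own commands). Builds OpenSSL 1.1.1w into its
# own prefix as the post does, but keeps TLS verification on, checks the
# tarball's SHA-256 against the .sha256 sidecar published next to it, and
# exposes the new libssl.so.1.1/libcrypto.so.1.1 through /etc/ld.so.conf.d
# instead of --libdir=/usr/lib64. Paths, file names and the work directory
# are assumptions for illustration.

OPENSSL_VER="1.1.1w"
TARBALL="openssl-${OPENSSL_VER}.tar.gz"
BASE_URL="https://www.openssl.org/source"
PREFIX="/usr/local/openssl"                     # same prefix as the post
WORKDIR="/opt"
LDCONF="/etc/ld.so.conf.d/openssl-1.1.1.conf"   # assumed file name

# Print the first 64-hex-digit token of a checksum file, lower-cased. Works for
# a bare digest and for the "digest  filename" layout written by sha256sum.
digest_from_sidecar() {
    sed -n 's/.*\([0-9A-Fa-f]\{64\}\).*/\1/p' "$1" | head -n 1 | tr 'A-F' 'a-f'
}

# Exit 0 when the file's SHA-256 equals the expected digest, 1 otherwise.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# The "certificate has expired" warning in the post is the symptom of a stale
# CA bundle on the host; refresh it and leave wget's verification enabled.
fetch_and_verify() {
    yum install -y ca-certificates >/dev/null
    cd "$WORKDIR"
    wget -q "$BASE_URL/$TARBALL" "$BASE_URL/$TARBALL.sha256"
    expected=$(digest_from_sidecar "$TARBALL.sha256")
    if ! verify_sha256 "$TARBALL" "$expected"; then
        echo "SHA-256 mismatch for $TARBALL, refusing to build" >&2
        exit 1
    fi
}

# Build into $PREFIX; 1.1.1 puts the shared libraries in $PREFIX/lib.
# install_sw installs binaries, libraries and headers, install_ssldirs the
# openssl.cnf skeleton; the man pages are skipped.
build_openssl() {
    cd "$WORKDIR"
    tar xzf "$TARBALL"
    cd "openssl-$OPENSSL_VER"
    ./config --prefix="$PREFIX" --openssldir="$PREFIX"
    make -j"$(nproc)"
    make test
    make install_sw install_ssldirs
}

# Register the new library directory with the dynamic linker and refresh its
# cache. libssl.so.1.1 and the distro's libssl.so.10 have different sonames,
# so both coexist; yum-installed binaries keep using 1.0.2k until rebuilt.
register_libdir() {
    printf '%s\n' "$PREFIX/lib" > "$LDCONF"
    ldconfig
    ln -sf "$PREFIX/bin/openssl" /usr/local/bin/openssl   # precedes /usr/bin in root's PATH
    "$PREFIX/bin/openssl" version
}

# Nothing runs until the script is invoked with --run, so it can be sourced
# to reuse the helper functions.
if [ "${1:-}" = "--run" ]; then
    set -e
    fetch_and_verify
    build_openssl
    register_libdir
fi
```

Run it as `sh build-openssl.sh --run` on the target host. A digest fetched from the same server as the tarball only catches corrupted or truncated downloads; checking the `.asc` signature against the OpenSSL release key would also catch a substituted tarball, and is the stronger control where `gpg` is available.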
4. Test
```
[root@cent7z openssl-1.1.1w]# openssl version
openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
# add the lib directory
[root@cent7z openssl-1.1.1w]# ./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl --libdir=/usr/lib64
# (re-run make and make install after reconfiguring)
[root@cent7z openssl-1.1.1w]# openssl version
OpenSSL 1.1.1w  11 Sep 2023
[root@cent7z openssl-1.1.1w]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
```
5. Upgrade OpenSSH
```
## Back up
[root@cent7z opt]# cp -r /etc/ssh /etc/ssh_bak
[root@cent7z opt]# ls /etc/ssh*
/etc/ssh:
moduli      sshd_config         ssh_host_ecdsa_key.pub  ssh_host_ed25519_key.pub  ssh_host_rsa_key.pub
ssh_config  ssh_host_ecdsa_key  ssh_host_ed25519_key    ssh_host_rsa_key

/etc/ssh_bak:
moduli      sshd_config         ssh_host_ecdsa_key.pub  ssh_host_ed25519_key.pub  ssh_host_rsa_key.pub
ssh_config  ssh_host_ecdsa_key  ssh_host_ed25519_key    ssh_host_rsa_key
[root@cent7z opt]# cp -a /usr/sbin/sshd /usr/sbin/ssd_bak
[root@cent7z opt]# cp -a /usr/bin/ssh /usr/bin/ssh_bak
[root@cent7z opt]# cp -r /etc/pam.d/sshd /etc/pam.d/sshd_bak

## Extract and install
[root@cent7z opt]# tar zxvf /u01/soft/openssh-9.5p1.tar.gz
[root@cent7z ~]# yum remove openssh
[root@cent7z opt]# cd openssh-9.5p1
[root@cent7z openssh-9.5p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-ssl-dir=/usr/local/openssl --with-privsep-path=/var/lib/sshd
checking for crypt in -lcrypt... yes
checking for crypt... yes
configure: error: PAM headers not found
[root@cent7z openssh-9.5p1]# yum install pam-devel -y
[root@cent7z openssh-9.5p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-ssl-dir=/usr/local/openssl --with-privsep-path=/var/lib/sshd
PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory
[root@cent7z openssh-9.5p1]# make && make install
[root@cent7z openssh-9.5p1]# ls /etc/pam.d/sshd_bak
/etc/pam.d/sshd_bak
[root@cent7z openssh-9.5p1]# cp /etc/pam.d/sshd_bak /etc/pam.d/sshd
[root@cent7z openssh-9.5p1]# cp contrib/redhat/sshd.init /etc/init.d/sshd
[root@cent7z openssh-9.5p1]# chkconfig --add sshd
[root@cent7z openssh-9.5p1]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
   Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:systemd-sysv-generator(8)

Feb 28 21:20:54 cent7z systemd[1]: Failed to start OpenSSH server daemon.
Feb 28 21:20:54 cent7z systemd[1]: Unit sshd.service entered failed state.
Feb 28 21:20:54 cent7z systemd[1]: sshd.service failed.
Feb 28 21:21:37 cent7z systemd[1]: sshd.service holdoff time over, scheduling restart.
Feb 28 21:21:37 cent7z systemd[1]: Stopped OpenSSH server daemon.
Feb 28 21:21:37 cent7z systemd[1]: Starting OpenSSH server daemon...
Feb 28 21:21:37 cent7z sshd[17211]: Server listening on 0.0.0.0 port 22.
Feb 28 21:21:37 cent7z sshd[17211]: Server listening on :: port 22.
Feb 28 21:22:32 cent7z sshd[17211]: Received signal 15; terminating.
Feb 28 21:22:32 cent7z systemd[1]: Stopped OpenSSH server daemon.
[root@cent7z openssh-9.5p1]# systemctl start sshd
[root@cent7z openssh-9.5p1]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
   Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
   Active: active (running) since Wed 2024-02-28 21:31:20 EST; 1s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 26136 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
 Main PID: 26144 (sshd)
    Tasks: 1
   CGroup: /system.slice/sshd.service
           └─26144 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups

Feb 28 21:31:20 cent7z systemd[1]: Starting SYSV: OpenSSH server daemon...
Feb 28 21:31:20 cent7z sshd[26144]: Server listening on 0.0.0.0 port 22.
Feb 28 21:31:20 cent7z sshd[26144]: Server listening on :: port 22.
Feb 28 21:31:20 cent7z sshd[26136]: Starting sshd:[  OK  ]
Feb 28 21:31:20 cent7z systemd[1]: Started SYSV: OpenSSH server daemon.
[root@cent7z openssh-9.5p1]# vim /etc/ssh/sshd_config
PermitRootLogin yes
UsePAM yes
[root@cent7z openssh-9.5p1]# systemctl restart sshd
[root@cent7z openssh-9.5p1]# ssh -V
OpenSSH_9.5p1, OpenSSL 1.1.1w  11 Sep 2023
```
6. Install the telnet-server service before upgrading OpenSSH, just in case
```
yum install telnet* -y
systemctl start telnet.socket
systemctl enable telnet.socket
# By default root cannot log in; rename the following file so that root can log in over telnet.
mv /etc/securetty /etc/securetty.bak
```
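Two things in steps 4 to 6 deserve a check rather than a glance: `ssh -V` kept reporting `OpenSSL 1.0.2k-fips` after the library upgrade because the old OpenSSH binary was still linked against the old library, and the `sshd_config` edit followed by `systemctl restart sshd` is the moment a typo would lock you out (which is why the post keeps telnet as a safety net). The script below is an added example, not the post's own commands: it parses `openssl version` and `ssh -V` output and insists that they name the same release, validates the config with `sshd -t` before any restart, reads the effective `PermitRootLogin` the way sshd itself does (first value wins, `Match` blocks excluded) so the `yes` set in step 5 is a deliberate choice and not a leftover, and finally retires the cleartext telnet fallback from step 6 once ssh is confirmed working. The paths and the `--check`/`--retire` switches are assumptions.

```shell
#!/bin/sh
# Added example (not the post's own commands). Checks to run after the OpenSSH
# step: `openssl version` and `ssh -V` must name the same OpenSSL (in the post
# they disagree until OpenSSH is rebuilt), sshd_config is validated with
# `sshd -t` before the restart, and the effective PermitRootLogin is read
# with sshd's own "first value wins" rule. Paths are assumptions.

# Pull the OpenSSL version token out of `openssl version` / `ssh -V` output:
#   "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017"  ->  1.0.2k
openssl_version_in() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][0-9a-z.]*\).*/\1/p'
}

# Exit 0 when both output strings name the same OpenSSL release.
same_openssl() {
    a=$(openssl_version_in "$1")
    b=$(openssl_version_in "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the effective value of a keyword the way sshd reads sshd_config:
# keywords are case-insensitive, lines whose first non-blank character is '#'
# are comments, the FIRST occurrence wins, and everything after the first
# Match line is conditional, so it is ignored here. Exit 1 when the keyword
# is absent (sshd then uses its built-in default). The "Keyword=value"
# spelling is not handled.
sshd_config_get() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        NF == 0    { next }
        { key = tolower($1) }
        key == "match" { exit }
        key == want {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the keyword
            sub(/[ \t]+$/, "")                # and trailing blanks
            print; found = 1; exit
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Run before `systemctl restart sshd`: a broken config or a client/server
# still tied to the old library would otherwise cost you the session.
check_sshd() {
    /usr/sbin/sshd -t -f /etc/ssh/sshd_config || { echo "sshd_config invalid" >&2; return 1; }
    cli_out=$(openssl version)
    ssh_out=$(ssh -V 2>&1)                     # ssh -V writes to stderr
    same_openssl "$cli_out" "$ssh_out" || { echo "ssh still uses another OpenSSL: $ssh_out" >&2; return 1; }
    echo "sshd links against: $(ldd /usr/sbin/sshd | grep -E 'lib(ssl|crypto)\.so')"
    echo "PermitRootLogin = $(sshd_config_get /etc/ssh/sshd_config PermitRootLogin || echo '<default>')"
}

# Once ssh is confirmed working, retire the cleartext telnet fallback from
# step 6 and restore /etc/securetty. (CentOS 7's systemd 219 lacks --now.)
retire_telnet_fallback() {
    systemctl stop telnet.socket
    systemctl disable telnet.socket
    [ -f /etc/securetty.bak ] && mv /etc/securetty.bak /etc/securetty
    yum remove -y telnet-server
}

case "${1:-}" in
    --check)  check_sshd ;;
    --retire) check_sshd && retire_telnet_fallback ;;
esac
```

`sh post-upgrade.sh --check` is the gate before `systemctl restart sshd`; run `--retire` from a second, already-open ssh session once a fresh login through the new daemon has succeeded, so the telnet listener and the `securetty` change do not outlive the upgrade they were meant to cover.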
Last modified: 2024-02-29 11:07:12
Copyright notice: this article is original content by a 墨天轮 (modb.pro) user. When reposting, the source (墨天轮), the article link and the author must be credited; otherwise the author and 墨天轮 reserve the right to pursue liability. If you find content on 墨天轮 that appears plagiarised or infringing, please e-mail contact@modb.pro with supporting evidence; once verified, 墨天轮 will remove the content immediately.