Upgrading Nginx to Harden Against the SSL/TLS Protocol Information Disclosure Vulnerability (CVE-2016-2183)
Vulnerability Description
A vulnerability scan of an HTTPS site served by Nginx reported the SSL/TLS protocol information disclosure vulnerability (CVE-2016-2183). The finding comes from the OpenSSL version that Nginx was built against.
The fix is to recompile and reinstall Nginx against a newer OpenSSL source tree. The system's own OpenSSL does not need to be upgraded; it is enough to point the Nginx build at the new OpenSSL path at configure time.
Reinforcement methods and steps
Check the OpenSSL version the currently installed Nginx binary was built with
[root@server ~]# nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
Download the new OpenSSL source
cd /tmp
wget https://www.openssl.org/source/openssl-1.1.0k.tar.gz
tar zxvf openssl-1.1.0k.tar.gz -C /usr/local
Download and build Nginx from source
yum install -y gcc gcc-c++ openssl-devel pcre-devel make zlib-devel wget
cd /root
wget http://nginx.org/download/nginx-1.14.2.tar.gz
tar zxvf nginx-1.14.2.tar.gz   # extracts to /root/nginx-1.14.2, the directory used below
cd /root/nginx-1.14.2
./configure --prefix=/usr/local/nginx1.14 --with-http_ssl_module --with-http_stub_status_module --with-openssl=/usr/local/openssl-1.1.0k
make && make install
When I previously ran make with the OpenSSL source extracted under the root directory, the build failed with the error below; with the source under /usr/local it did not. If make completes without error, skip the file change that follows.
# error message
/bin/sh: line 2: ./config: No such file or directory
make[1]: *** [/usr/local/ssl/.openssl/include/openssl/ssl.h] Error 127
make[1]: Leaving directory `/usr/local/src/nginx-1.9.9'
make: *** [build] Error 2
Solution
# Open auto/lib/openssl/conf under the Nginx source tree:
vi /root/nginx-1.14.2/auto/lib/openssl/conf
# Find the following lines, at roughly line thirty to forty
CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
# Change them to the following
CORE_INCS="$CORE_INCS $OPENSSL/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"
CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
Verify the OpenSSL version the new Nginx binary was built with
[root@JD sbin]# ./nginx -V
nginx version: nginx/1.14.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.1.0k 28 May 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx1.14 --with-http_ssl_module --with-http_stub_status_module --with-openssl=/usr/local/openssl-1.1.0k
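As an added check script (not part of the original post), the following parses the "built with OpenSSL" line of `nginx -V` output to confirm the rebuilt binary links OpenSSL 1.1.0 or newer, and, when the openssl CLI is present, expands an ssl_ciphers string to see whether any 3DES suite (the 64-bit block cipher behind CVE-2016-2183) would still be offered. The sample `nginx -V` output and the ssl_ciphers value are constructed here, not taken from a real server.

```shell
#!/bin/sh
# Added example: post-rebuild checks for the CVE-2016-2183 hardening above.
# nginx -V writes to stderr, so capture the real thing with: out=$(nginx -V 2>&1)

# Print the OpenSSL version string found in `nginx -V` output, e.g. "1.0.2k".
openssl_version_from_nginx_v() {
    printf '%s\n' "$1" |
        sed -n 's/^built with OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# Return 0 when the version is 1.1.0 or newer, 1 otherwise (patch letter ignored).
openssl_at_least_110() {
    ver=$(printf '%s' "$1" | sed 's/[a-z]*$//')
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -ge 1 ]; then return 0; fi
    return 1
}

# Return 0 if the OpenSSL cipher string expands to at least one 3DES suite,
# 1 if it expands to none (an invalid string also yields 1), 2 if no openssl
# binary is available to expand it.
cipher_string_offers_3des() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl ciphers -v "$1" 2>/dev/null | grep -q 'Enc=3DES'
}

# One-line verdict for a captured `nginx -V` output (always exits 0; prints only).
build_verdict() {
    v=$(openssl_version_from_nginx_v "$1")
    if [ -z "$v" ]; then echo "unknown: no 'built with OpenSSL' line found"
    elif openssl_at_least_110 "$v"; then echo "ok: built with OpenSSL $v"
    else echo "old: built with OpenSSL $v, rebuild against 1.1.0 or newer"; fi
}

# Constructed samples mirroring the before/after output shown in this post.
BEFORE_BUILD='nginx version: nginx/1.16.1
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled'
AFTER_BUILD='nginx version: nginx/1.14.2
built with OpenSSL 1.1.0k 28 May 2019
TLS SNI support enabled'

build_verdict "$BEFORE_BUILD"
build_verdict "$AFTER_BUILD"
# Hypothetical ssl_ciphers value; substitute the one from the real nginx.conf.
if cipher_string_offers_3des 'HIGH:!aNULL:!MD5:!3DES'; then echo "warning: 3DES still offered"; fi
```

Linking a newer OpenSSL is only half the check: the ssl_ciphers string in nginx.conf decides what the server actually offers, so run the cipher expansion against the real value before closing the finding.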