Server SSL protocol vulnerability: upgrading Nginx to harden against the SSL/TLS protocol information disclosure vulnerability (CVE-2016-2183) and the default banner vulnerability of the HTTP server… (weixin_39800971's blog)

Upgrading Nginx to Harden Against the SSL/TLS Protocol Information Disclosure Vulnerability (CVE-2016-2183)

Vulnerability Description

A scan of an Nginx-based HTTPS website reported the SSL/TLS protocol information disclosure vulnerability (CVE-2016-2183). The vulnerability is caused by the OpenSSL version that Nginx was built with when it was installed.

The fix is to recompile and reinstall Nginx against a specified OpenSSL version. The system's OpenSSL does not need to be upgraded; just specify the new OpenSSL path during compilation.

Hardening method and steps

Check the OpenSSL version that the currently installed Nginx was built with:

    [root@server ~]# nginx -V
    nginx version: nginx/1.16.1
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
    built with OpenSSL 1.0.2k-fips 26 Jan 2017
    TLS SNI support enabled

Download the new version of OpenSSL:

    cd /tmp
    wget https://www.openssl.org/source/openssl-1.1.0k.tar.gz
    # unpack the OpenSSL source tree under /usr/local
    tar zxvf openssl-1.1.0k.tar.gz -C /usr/local

Download and install Nginx from source:

    # build dependencies
    yum install -y gcc gcc-c++ openssl-devel pcre-devel make zlib-devel wget
    wget http://nginx.org/download/nginx-1.14.2.tar.gz
    # unpack into /root, where the next step expects the source tree
    tar zxvf nginx-1.14.2.tar.gz -C /root
    cd /root/nginx-1.14.2
    # --with-openssl points the build at the unpacked OpenSSL source tree
    ./configure --prefix=/usr/local/nginx1.14 --with-http_ssl_module --with-http_stub_status_module --with-openssl=/usr/local/openssl-1.1.0k
    make && make install

When I previously put OpenSSL in the root directory and ran make, the compile could report an error, but with /usr/local it does not report an error. If there is no error, do not change the following files #…
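The `nginx -V` check that opens the procedure can be scripted so it is rerun after the rebuild to confirm the new binary really links the newer OpenSSL. This is an added example, not code from the original post: the function names and the second sample output are constructed for illustration, and the 1.1.0 threshold is an assumption taken from the OpenSSL release the post builds against.

```bash
# Constructed sample: the `nginx -V` output quoted in the post (old build).
SAMPLE_OLD='nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled'

# Constructed sample: what a binary rebuilt with the post's configure line might print.
SAMPLE_NEW='nginx version: nginx/1.14.2
built with OpenSSL 1.1.0k  28 May 2019
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-openssl=/usr/local/openssl-1.1.0k'

# Print the OpenSSL version token from `nginx -V` text on stdin, e.g. "1.0.2k-fips".
built_openssl() {
    sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p' | head -n 1
}

# Succeed when version $1 >= $2, comparing only the numeric x.y.z part.
version_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        split(have, h, /[^0-9]+/); split(want, w, /[^0-9]+/)
        for (i = 1; i <= 3; i++) {
            if (h[i] + 0 > w[i] + 0) exit 0
            if (h[i] + 0 < w[i] + 0) exit 1
        }
        exit 0
    }'
}

# Read `nginx -V` text on stdin. Returns 0 if the build meets minimum $1,
# 1 if it is older, 2 if no OpenSSL build line is present.
check_nginx_openssl() {
    _ver=$(built_openssl)
    if [ -z "$_ver" ]; then
        echo "UNKNOWN: no 'built with OpenSSL' line in nginx -V output"
        return 2
    fi
    if version_at_least "$_ver" "$1"; then
        echo "OK: built with OpenSSL $_ver"
    else
        echo "OUTDATED: built with OpenSSL $_ver, expected >= $1"
        return 1
    fi
}

# On a server, nginx -V writes to stderr, so merge it into the pipe:
#   nginx -V 2>&1 | check_nginx_openssl 1.1.0
printf '%s\n' "$SAMPLE_OLD" | check_nginx_openssl 1.1.0 || true
printf '%s\n' "$SAMPLE_NEW" | check_nginx_openssl 1.1.0
```

Run it against the binary under the new prefix as well as the one on `PATH`, since the post installs the rebuilt Nginx to a separate directory and the old binary may still be the one being started.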
