Contents

1. Packaging openssl-1.0.2u as an RPM

2. Building and installing openssl-1.1.1k

3. Packaging openssl-1.1.1k as an RPM (not recommended!)


OpenSSL recently disclosed a denial-of-service vulnerability and a certificate-check bypass, CVE-2021-3449 and CVE-2021-3450.

Resolution:
CentOS 7 ships openssl 1.0.2 by default and is not affected.
CentOS 8 ships openssl 1.1.1 by default and is affected; it needs to be brought to OpenSSL 1.1.1k or later.

This post records the process of building and packaging openssl-1.0.2u and openssl-1.1.1k on CentOS 8.

1. Packaging openssl-1.0.2u as an RPM

Download openssl-1.0.2u.tar.gz from the official site https://www.openssl.org/source/old/1.0.2/ and verify its sha256.

cd rpmbuild/SOURCES/
wget https://www.openssl.org/source/old/1.0.2/openssl-1.0.2u.tar.gz
sha256sum ./openssl-1.0.2u.tar.gz
ecd0c6ffb493dd06707d38b14bb4d8c2288bb7033735606569d8f90f89669d16  ./openssl-1.0.2u.tar.gz

Extract it and copy the spec file into the SPECS directory.

tar xvzf openssl-1.0.2u.tar.gz
cp openssl-1.0.2u/openssl.spec ../SPECS/openssl-1.0.2u.spec

Build and package openssl-1.0.2u, fixing errors as they appear. The build fails with "Can't locate find.pl in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 ...)"; the fix is to install the dependency perl-Perl4-CoreLibs.noarch.

rpmbuild -ba openssl-1.0.2u.spec
Can't locate find.pl in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5) at util/perlpath.pl line 7.
error: Bad exit status from /var/tmp/rpm-tmp.IaQ3r6 (%build)

RPM build errors:
bogus date in %changelog: Sun Jun  6 2005 Richard Levitte <richard@levitte.org>
bogus date in %changelog: Tue Sep 10 1999 Damien Miller <damien@ibs.com.au>
Bad exit status from /var/tmp/rpm-tmp.IaQ3r6 (%build)

yum install perl-Perl4-CoreLibs.noarch

Building and packaging openssl-1.0.2u now succeeds.

rpmbuild -ba --clean openssl-1.0.2u.spec
……
Wrote: /home/cnpe/rpmbuild/SRPMS/openssl-1.0.2u-1.src.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-1.0.2u-1.x86_64.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-devel-1.0.2u-1.x86_64.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-doc-1.0.2u-1.x86_64.rpm

2. Building and installing openssl-1.1.1k

Download openssl-1.1.1k.tar.gz from the official site https://www.openssl.org/source/, verify its sha256, then extract it.

wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz
sha256sum ./openssl-1.1.1k.tar.gz
892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5  ./openssl-1.1.1k.tar.gz
tar xvzf openssl-1.1.1k.tar.gz
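Both download steps (the 1.0.2u one in section 1 and the 1.1.1k one here) print a digest but leave the comparison to the reader. The following script is an added example, not part of the original post: it pins the two digests quoted above and refuses to unpack a tarball whose digest differs. It assumes GNU coreutils sha256sum and wget.

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded OpenSSL
# tarball against a pinned SHA-256 before extracting it.
LC_ALL=C; export LC_ALL

# Pinned digests in `sha256sum -c` format ("<hex>  <filename>"); the values
# are the ones quoted in the post, which openssl.org publishes alongside
# each tarball.
PINNED='ecd0c6ffb493dd06707d38b14bb4d8c2288bb7033735606569d8f90f89669d16  openssl-1.0.2u.tar.gz
892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5  openssl-1.1.1k.tar.gz'

# pinned_digest NAME: print the pinned hex digest for NAME; non-zero if none.
pinned_digest() {
    printf '%s\n' "$PINNED" | awk -v n="$1" '$2 == n { print $1; found = 1 } END { exit !found }'
}

# verify_digest FILE HEX: exit 0 only if FILE's SHA-256 equals HEX.
verify_digest() {
    printf '%s  %s\n' "$2" "$1" | sha256sum -c --status -
}

# fetch_and_unpack URL: download into the current directory (rpmbuild/SOURCES
# in the post), check the digest, and extract only on a match. A mismatch
# removes the file so a later `tar xvzf` cannot pick it up by accident.
fetch_and_unpack() {
    f=$(basename "$1")
    expected=$(pinned_digest "$f") || { echo "no pinned digest for $f" >&2; return 2; }
    wget -q -O "$f" "$1" || return 1
    if ! verify_digest "$f" "$expected"; then
        echo "SHA-256 mismatch for $f; removing it, not extracting" >&2
        rm -f "$f"; return 1
    fi
    tar xzf "$f"
}
```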

Build and install:
./config generates the Makefile.
make builds; the result of make test must be PASS.
make install installs everything, or use other targets to install only what you need.
If any of these steps reports a missing dependency, install it; if something still fails, fix it, run make clean and start over.

cd openssl-1.1.1k
./config
make
make test
make install

After building and installing this way, the openssl command is upgraded to 1.1.1k, but the library files are still the original 1.1.1g ones; this does not affect use.

openssl version
OpenSSL 1.1.1k  25 Mar 2021 (Library: OpenSSL 1.1.1g FIPS  21 Apr 2020)

3. Packaging openssl-1.1.1k as an RPM (not recommended! the shared libraries are incompatible!)

Once this package is installed, it causes serious breakage.

[root@test18 x86_64]# rpm --version
rpm: symbol lookup error: /lib64/librpmio.so.8: undefined symbol: EVP_md2, version OPENSSL_1_1_0
[root@test18 x86_64]# yum remove openssl
Traceback (most recent call last):
......
ImportError: /lib64/libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b
......
[root@test18 ~]# ldd /lib64/librpmio.so.8 | grep crypto
	libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f299ed70000)
[root@test18 ~]# ldd /lib64/libk5crypto.so.3 | grep crypto
	libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007fea0bf97000)

The cause is that this approach replaces the shared library file, and that file must not be replaced: the distribution's libcrypto.so.1.1.1g exports symbols (EVP_md2 in the rpm error above, and the EVP_KDF_* family in the nm output below) that an upstream 1.1.1k build does not, so everything linked against the distribution library, rpm and krb5 included, fails at symbol lookup. The detailed background is at https://github.com/openssl/openssl/issues/11471; see that for yourself.

[root@test18 ~]# ll /lib64/libcrypto.so.1.1
lrwxrwxrwx. 1 root root 19 Dec 18 06:45 /lib64/libcrypto.so.1.1 -> libcrypto.so.1.1.1g
[root@test18 ~]# nm -gD /lib64/libcrypto.so.1.1 | grep EVP_KDF
0000000000170530 T EVP_KDF_ctrl
0000000000170620 T EVP_KDF_ctrl_str
0000000000170370 T EVP_KDF_CTX_free
00000000001703b0 T EVP_KDF_CTX_new_id
00000000001706e0 T EVP_KDF_derive
00000000001704d0 T EVP_KDF_reset
00000000001706b0 T EVP_KDF_size
0000000000170500 T EVP_KDF_vctrl

[root@test18 x86_64]# ll /lib64/libcrypto.so.1.1
lrwxrwxrwx. 1 root root 19 Apr  5 12:58 /lib64/libcrypto.so.1.1 -> libcrypto.so.1.1.1k
[root@test18 x86_64]# nm -gD /lib64/libcrypto.so.1.1 | grep EVP_KDF
Nothing!!!

The build and packaging process is recorded here only for reference; using it is not recommended!

Download openssl-1.1.1k.tar.gz from the official site https://www.openssl.org/source/ and verify its sha256. After extracting it you find that this version ships no ready-made spec file. A search turns up openssl-1.1.1g-12.el8.src.rpm on http://rpmfind.net/; that package contains the 1.1.1g spec file, which can be used as a starting point.
Extracting the archive from the rpm with cpio does not create a directory, so create one to hold the files first, then download into it.

mkdir openssl-1.1.1g-src
cd openssl-1.1.1g-src/
wget http://vault.centos.org/8.3.2011/BaseOS/Source/SPackages/openssl-1.1.1g-12.el8_3.src.rpm
rpm2cpio openssl-1.1.1g-12.el8_3.src.rpm | cpio -duim

Many files are extracted. Copy openssl.spec from among them into rpmbuild/SPECS, then edit it as openssl-1.1.1k.spec: change the source file and version, and delete what is not needed. The resulting openssl-1.1.1k.spec is shown below.

# For the curious:
# 0.9.5a soversion = 0
# 0.9.6  soversion = 1
# 0.9.6a soversion = 2
# 0.9.6c soversion = 3
# 0.9.7a soversion = 4
# 0.9.7ef soversion = 5
# 0.9.8ab soversion = 6
# 0.9.8g soversion = 7
# 0.9.8jk + EAP-FAST soversion = 8
# 1.0.0 soversion = 10
# 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols
#                        depends on build configuration options)
%define soversion 1.1
%define debug_package %{nil}

Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.1k
Release: 1%{?dist}
Epoch: 1
License: OpenSSL and ASL 2.0
URL: http://www.openssl.org/
BuildRequires: gcc
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
BuildRequires: lksctp-tools-devel
BuildRequires: /usr/bin/rename
BuildRequires: /usr/bin/pod2man
BuildRequires: /usr/sbin/sysctl
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
BuildRequires: perl(Time::HiRes)
BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy)
Requires: coreutils
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Source0: openssl-%{version}.tar.gz

%description
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.

%package libs
Summary: A general purpose cryptography library with TLS implementation
Requires: ca-certificates >= 2008-5
Requires: crypto-policies >= 20180730
Recommends: openssl-pkcs11%{?_isa}
# Needed obsoletes due to the base/lib subpackage split
Obsoletes: openssl < 1:1.0.1-0.3.beta3
Obsoletes: openssl-fips < 1:1.0.1e-28
Provides: openssl-fips = %{epoch}:%{version}-%{release}

%description libs
OpenSSL is a toolkit for supporting cryptography. The openssl-libs
package contains the libraries that are used by various applications which
support cryptographic algorithms and protocols.

%package devel
Summary: Files for development of applications which will use OpenSSL
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: krb5-devel%{?_isa}, zlib-devel%{?_isa}
Requires: pkgconfig

%description devel
OpenSSL is a toolkit for supporting cryptography. The openssl-devel
package contains include files needed to develop applications which
support various cryptographic algorithms and protocols.

%package static
Summary:  Libraries for static linking of applications which will use OpenSSL
Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release}

%description static
OpenSSL is a toolkit for supporting cryptography. The openssl-static
package contains static libraries needed for static linking of
applications which support various cryptographic algorithms and
protocols.

%package perl
Summary: Perl scripts provided with OpenSSL
Requires: perl-interpreter
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}

%description perl
OpenSSL is a toolkit for supporting cryptography. The openssl-perl
package provides Perl scripts for converting certificates and keys
from other formats to the formats used by the OpenSSL toolkit.

%prep
%setup -q -n %{name}-%{version}

%build
#./config \
#   --prefix=/usr/bin \
#   --openssldir=/etc/pki/tls \
#   --libdir=/usr/lib64 \

#./config \
#   --prefix=%{_bindir} \
#   --openssldir=%{_sysconfdir}/pki/tls \
#   --libdir=%{_prefix}/lib64 \

./config \
    --prefix=%{_prefix} \
    --openssldir=%{_sysconfdir}/pki/tls

make all

# Clean up the .pc files
#for i in libcrypto.pc libssl.pc openssl.pc ; do
#  sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
#done

%check
# Verify that what was compiled actually works.
make test

%install
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
# Install OpenSSL.
install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}}
make DESTDIR=$RPM_BUILD_ROOT install
make DESTDIR=$RPM_BUILD_ROOT uninstall_html_docs
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
	chmod 755 ${lib}
	ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
	ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
done

# Install a makefile for generating keys and self-signed certs, and a script
# for generating them on the fly.
#mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
#install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate
#install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert
#install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert

# Move runnable perl scripts to bindir
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir}
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir}

# Rename man pages so that they don't conflict with other system man pages.
pushd $RPM_BUILD_ROOT%{_mandir}
ln -s -f config.5 man5/openssl.cnf.5
for manpage in man*/* ; do
	if [ -L ${manpage} ]; then
		TARGET=`ls -l ${manpage} | awk '{ print $NF }'`
		ln -snf ${TARGET}ssl ${manpage}ssl
		rm -f ${manpage}
	else
		mv ${manpage} ${manpage}ssl
	fi
done
for conflict in passwd rand ; do
	rename ${conflict} ssl${conflict} man*/${conflict}*
# Fix dangling symlinks
	manpage=man1/openssl-${conflict}.*
	if [ -L ${manpage} ] ; then
		ln -snf ssl${conflict}.1ssl ${manpage}
	fi
done
popd

mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA
mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts

# Ensure the config file timestamps are identical across builds to avoid
# multilib conflicts and unnecessary renames on upgrade
#touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf
#touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf

rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist

# Determine which arch opensslconf.h is going to try to #include.
basearch=%{_arch}
%ifarch %{ix86}
basearch=i386
%endif
%ifarch sparcv9
basearch=sparc
%endif
%ifarch sparc64
basearch=sparc64
%endif

%ifarch %{multilib_arches}
# Do an opensslconf.h switcheroo to avoid file conflicts on systems where you
# can have both a 32- and 64-bit version of the library, and they each need
# their own correct-but-different versions of opensslconf.h to be usable.
install -m644 %{SOURCE10} \
	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h
cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h >> \
	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h
install -m644 %{SOURCE9} \
	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h
%endif
LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
export LD_LIBRARY_PATH

%files
%{!?_licensedir:%global license %%doc}
%license LICENSE
%doc FAQ NEWS README README.FIPS
%{_bindir}/openssl
%{_mandir}/man1*/*
%{_mandir}/man5*/*
%{_mandir}/man7*/*
%exclude %{_mandir}/man1*/*.pl*
%exclude %{_mandir}/man1*/c_rehash*
%exclude %{_mandir}/man1*/tsget*
%exclude %{_mandir}/man1*/openssl-tsget*

%files libs
%{!?_licensedir:%global license %%doc}
%license LICENSE
%dir %{_sysconfdir}/pki/tls
%dir %{_sysconfdir}/pki/tls/certs
%dir %{_sysconfdir}/pki/tls/misc
%dir %{_sysconfdir}/pki/tls/private
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{soversion}
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
%attr(0755,root,root) %{_libdir}/libssl.so.%{soversion}
%attr(0755,root,root) %{_libdir}/engines-%{soversion}

%files devel
%doc CHANGES doc/dir-locals.example.el doc/openssl-c-indent.el
%{_prefix}/include/openssl
%{_libdir}/*.so
%{_mandir}/man3*/*
%{_libdir}/pkgconfig/*.pc

%files static
%{_libdir}/*.a

%files perl
%{_bindir}/c_rehash
%{_bindir}/*.pl
%{_bindir}/tsget
%{_mandir}/man1*/*.pl*
%{_mandir}/man1*/c_rehash*
%{_mandir}/man1*/tsget*
%{_mandir}/man1*/openssl-tsget*
%dir %{_sysconfdir}/pki/CA
%dir %{_sysconfdir}/pki/CA/private
%dir %{_sysconfdir}/pki/CA/certs
%dir %{_sysconfdir}/pki/CA/crl
%dir %{_sysconfdir}/pki/CA/newcerts

%post libs -p /sbin/ldconfig

%postun libs -p /sbin/ldconfig

%changelog

Then run rpmbuild -ba --clean openssl-1.1.1k.spec to get the openssl-1.1.1k rpm packages.

rpmbuild -ba --clean openssl-1.1.1k.spec
......
Wrote: /home/cnpe/rpmbuild/SRPMS/openssl-1.1.1k-1.el8.src.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-1.1.1k-1.el8.x86_64.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-libs-1.1.1k-1.el8.x86_64.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-devel-1.1.1k-1.el8.x86_64.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-static-1.1.1k-1.el8.x86_64.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-perl-1.1.1k-1.el8.x86_64.rpm
......
