Upgrading OpenSSL on an old CentOS box

Warning – this procedure is extremely risky (but has worked every time for me).

It is suggested that you do a dry run on a VM before attempting this on a live server.  If anything goes wrong, you may be left with a dead server.

The servers in question are ns1.mydomain.co.uk and ns2.mydomain.co.uk, functioning as DNS servers for almost all of the company domains.

The normal method of updating CentOS is to type

yum update

at the root prompt.

If the kernel gets upgraded, make sure you reboot (after first checking that the other server is still OK) by typing

shutdown -r now


before you continue.

Keep doing

yum update

and

shutdown -r now

until there is nothing left for your unsupported distro.

From here on, these instructions will also work with Slackware.

  • Ensure that you have backups of the /etc, /usr/exim and /var/named folders before you go any further.  Send them back home using the scp command.


CentOS 5.1 is no longer supported, so it is necessary now to manually build from source any further updates required for PCI compliance, or other reasons.

This is a completely unsupported solution, so you are on your own with this server from here on.  Maybe you should have used Slackware instead?

1/. Download necessary packages:

zlib must be up to date
openssl must be up to date
openssh must be up to date

cd /usr/src

Visit:

http://www.zlib.net/
https://www.openssl.org/source/
http://www.mirrorservice.org/pub/OpenBSD/OpenSSH/portable/

Use the wget command to fetch the files.

It is good practice to check the downloaded files against the checksums published on the download pages using the

md5sum filename

command.

2/.

cd /usr/src
tar xvfz zlib-1.2.8.tar.gz
cd zlib-1.2.8
./configure --prefix=/usr
make
make test
(if all is OK)
make install


3/.

cd /usr/src
tar xvfz openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
./config --prefix=/usr shared
make
make test
make install

openssl
OpenSSL> version
OpenSSL 1.0.1g 7 Apr 2014
OpenSSL>


ENSURE THIS MATCHES THE VERSION YOU WANT BEFORE CONTINUING

4/.

cd /usr/src
tar xvfz openssh-6.6p1.tar.gz
cd openssh-6.6p1
./configure --prefix=/usr --with-tcp-wrappers
make
make install

sshd -?
OpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-k key_gen_time] [-o option] [-p port]
            [-u len]


ENSURE THIS MATCHES THE VERSION YOU WANT BEFORE CONTINUING

NOW FOR THE REALLY RISKY PART


which sshd
/usr/sbin/sshd

ps -deaf | grep ssh
root      2529     1  0 11:26 ?        00:00:00 /usr/sbin/sshd
root      4442  2529  0 11:29 ?        00:00:02 sshd: root@pts/0 
root      9794  4444  0 12:18 pts/0    00:00:00 grep ssh


DO THESE PATHS MATCH?  IF THEY DO:

kill -15 2529
/usr/sbin/sshd

ps -deaf | grep ssh
root      4442     1  0 11:29 ?        00:00:02 sshd: root@pts/0 
root      9804     1  0 12:20 ?        00:00:00 /usr/sbin/sshd
root      9806  4444  0 12:20 pts/0    00:00:00 grep ssh


HAS SSHD RESTARTED?  IF NOT, YOU WILL HAVE TO FORCE AN RPM REINSTALL (NOT DESCRIBED HERE).  IF YOU DON’T, YOU WILL NEVER BE ABLE TO LOG IN AGAIN!!!!!!!!!!!!!!!
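The three manual checks above (the version banner, the matching binary path, and whether a new master sshd came back) as one script; this is an added example, not code from the original post. It assumes the post's /usr/sbin/sshd path and the ps -deaf column layout shown above; the WANT_OPENSSH/WANT_OPENSSL variables and the --run flag are names invented here.

```shell
#!/bin/sh
# Added example, not from the original post: automates the checks around the
# "really risky part" so the old listener is only killed once the newly built
# sshd passes them. WANT_OPENSSH / WANT_OPENSSL and --run are this script's own.

# Return 0 when a `sshd -?` banner such as "OpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014"
# names exactly the OpenSSH and OpenSSL versions that were just built.
banner_matches() {
    case "$1" in
        *"OpenSSH_$2,"*" OpenSSL $3 "*) return 0 ;;
    esac
    return 1
}

# Read `ps -deaf` output on stdin and print the PID of the master listener: the
# process whose parent is init (PPID 1) and whose command is exactly the daemon
# binary. Session children ("sshd: root@pts/0"), which init also adopts once the
# old master dies, and the grep line itself have more fields and are skipped.
master_sshd_pid() {
    awk -v bin="$1" 'NF == 8 && $3 == 1 && $8 == bin { print $2 }'
}

# Constructed sample input: the two process listings shown in the post.
SAMPLE_PS_BEFORE='root      2529     1  0 11:26 ?        00:00:00 /usr/sbin/sshd
root      4442  2529  0 11:29 ?        00:00:02 sshd: root@pts/0
root      9794  4444  0 12:18 pts/0    00:00:00 grep ssh'
SAMPLE_PS_AFTER='root      4442     1  0 11:29 ?        00:00:02 sshd: root@pts/0
root      9804     1  0 12:20 ?        00:00:00 /usr/sbin/sshd
root      9806  4444  0 12:20 pts/0    00:00:00 grep ssh'

# Live restart: run as root with `sh upgrade-check.sh --run` from a session you keep open.
main() {
    bin="$(command -v sshd)"                     # the post's "which sshd"
    banner="$(sshd '-?' 2>&1 | head -n 1)"       # usage text goes to stderr
    banner_matches "$banner" "${WANT_OPENSSH:-6.6p1}" "${WANT_OPENSSL:-1.0.1g}" \
        || { echo "unexpected sshd build: $banner" >&2; exit 1; }
    # -t: test mode, parses the config and host keys without serving anything
    sshd -t || { echo "sshd -t failed; old daemon left running" >&2; exit 1; }
    old="$(ps -deaf | master_sshd_pid "$bin")"
    [ -n "$old" ] || { echo "no master sshd running from $bin; not restarting" >&2; exit 1; }
    kill -15 "$old" && sleep 1 && "$bin" && sleep 1
    new="$(ps -deaf | master_sshd_pid "$bin")"
    [ -n "$new" ] && [ "$new" != "$old" ] \
        || { echo "sshd did not come back: keep this session open and recover" >&2; exit 1; }
    echo "sshd restarted (old pid $old, new pid $new); now test a fresh ssh login"
}

if [ "${1:-}" = "--run" ]; then main; fi
```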

Now, from another window, launch another ssh session to the server:

ssh root@ns1.mydomain.co.uk
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
78:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:11.
Please contact your system administrator.
Add correct host key in /home/mylogin/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/mylogin/.ssh/known_hosts:4
RSA host key for ns1.mydomain.co.uk has changed and you have requested strict checking.
Host key verification failed.


This is normal: when OpenSSL was reinstalled, the server's RSA host keys changed.

Before trusting the new key, confirm that the fingerprint in the warning matches the server's new RSA host key file (ssh-keygen -lf on that file, from the session you still have open); the warning on its own cannot tell a reinstall apart from the man-in-the-middle it describes.  Then edit the /home/mylogin/.ssh/known_hosts file and remove the line for the server.

Is it still all OK?

Restart the server and pray that you don’t have to ask for a KVM over IP session to repair the damage.

NEXT STEPS

It’s time to recompile anything that uses SSL or TLS, e.g. exim, squid, Apache?


And the after steps

All of the above is out of date now after OpenSSL 1.0.1h – so we have to do it all again.
