# OpenSSL 安全加固 #### 博客作者:联系请[点击](https://hezhiqiang.gitbook.io/about-the-author/lian-xi-zuo-zhe),搬运不易,希望请作者喝咖啡,可以点击[联系博客作者](https://hezhiqiang.gitbook.io/about-the-author/lian-xi-zuo-zhe) ## 一、升级 OpenSSL 为了确保 OpenSSL 的安全,建议升级 OpenSSL 版本到官方最新版本。本文介绍了具体的升级方法。 ## 二、YUM源更新 OpenSSL * 对于Linux/CentOS 服务器,以 root 权限运行以下命令: ``` sudo yum update openssl ``` * 对于 Ubuntu Server/Debain 服务器,以 root 权限运行以下命令: ``` sudo apt-get update sudo apt-get upgrade ``` ## 三、编译安装更新 OpenSSL 下载最新版本 OpenSSL(以 openssl-1.1.0e 为例)。 {% hint style="danger" %} **注意**:以下编译升级操作存在风险,建议由专业运维技术人员来操作。 {% endhint %} 以 root 权限运行以下命令: ``` wget https://www.openssl.org/source/openssl-1.1.0e.tar.gz tar zxvf openssl-1.1.0e.tar.gz cd openssl-1.1.0e ./config shared zlib make make install # 替换旧版 OpenSSL mv /usr/bin/openssl /usr/bin/openssl.old mv /usr/include/openssl /usr/include/openssl.old ln -s /usr/local/bin/openssl /usr/bin/openssl ln -s /usr/local/include/openssl/ /usr/include/openssl ``` ## 四、检查 OpenSSL 版本 以 root 权限运行 `openssl version -a` 命令,系统会返回 OpenSSL 版本信息,如下所示。 ``` OpenSSL 1.1.0e 16 Feb 2017 built on: reproducible build, date unspecified platform: linux-x86_64 compiler: gcc -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines-1.1\"" -Wa,--noexecstack OPENSSLDIR: "/usr/local/ssl" ENGINESDIR: "/usr/local/lib/engines-1.1" ``` #### 了解更多:[OpenSSL 官方漏洞信息公告](https://www.openssl.org/news/vulnerabilities.html)。 --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://hezhiqiang.gitbook.io/about-the-author/xi-tong-an-quan-jia-gu/sheng-ji-openssl.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.