Introduction
While building a WordPress environment on Apache 2.4 + MySQL 5.7 + PHP 7, I am adopting OpenSSL 1.1.0 so that Apache 2.4 can support HTTP/2.
The OpenSSL installed by default is left in place, because removing it would likely have a large impact.
Target version
| | Version |
| OpenSSL | 1.1.0g |
As of 2018/04/19 the latest release is 1.1.0h. Check the official site for the current version.
https://www.openssl.org/
Server environment
| | Version |
| CentOS 7 | CentOS Linux release 7.4.1708 (Core) |
Checking the installed version
# rpm -qa | grep openssl
openssl-1.0.2k-8.el7.x86_64
openssl-devel-1.0.2k-8.el7.x86_64
openssl-libs-1.0.2k-8.el7.x86_64
Checking the default OpenSSL version on CentOS 7
# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
Checking the dependencies that would break on removal
This is only a check; nothing is removed this time.
# rpm -e openssl-1.0.2k-8.el7.x86_64 --test
error: Failed dependencies:
        /usr/bin/openssl is needed by (installed) authconfig-6.2.8-30.el7.x86_64
# rpm -e openssl-devel-1.0.2k-8.el7.x86_64 --test
# rpm -e openssl-libs-1.0.2k-8.el7.x86_64 --test
error: Failed dependencies:
        libcrypto.so.10()(64bit) is needed by (installed) coreutils-8.22-18.el7.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) krb5-libs-1.15.1-8.el7.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) python-libs-2.7.5-58.el7.x86_64
        ...(omitted)...
Preparation
Install the perl package beforehand, because make test fails without it.
# yum install perl-core
Download
Run in /usr/local/src/
# wget https://www.openssl.org/source/openssl-1.1.0g.tar.gz
Extract
# tar zxvf openssl-1.1.0g.tar.gz
Move into the extracted directory
# cd /usr/local/src/openssl-1.1.0g/
Build and install
Pitfall: make test includes a test that checks it is not being run by a privileged user, so running it as root fails.
Test Summary Report
-------------------
../test/recipes/40-test_rehash.t                 (Wstat: 256 Tests: 5 Failed: 1)
  Failed test:  4
  Non-zero exit status: 1
Files=95, Tests=556, 43 wallclock secs ( 0.43 usr  0.10 sys + 32.13 cusr 12.25 csys = 44.91 CPU)
Result: FAIL
make[1]: *** [_tests] Error 1
make[1]: Leaving directory `/usr/local/src/openssl-1.1.0g'
make: *** [tests] Error 2
Change the permissions so the build can be run as an ordinary user, and run only make install as root. (The steps are as follows.)
$ sudo tar zxvf openssl-1.1.0g.tar.gz
$ sudo chown -R <UserName> openssl-1.1.0g
$ cd openssl-1.1.0g
$ ./config --prefix=/usr/local/openssl-1.1.0g shared zlib
$ make
$ make test
make depend && make _tests
make[1]: Entering directory `/usr/local/src/openssl-1.1.0g'
make[1]: Leaving directory `/usr/local/src/openssl-1.1.0g'
make[1]: Entering directory `/usr/local/src/openssl-1.1.0g'
( cd test; \
  mkdir -p test-runs; \
  SRCTOP=../. \
  BLDTOP=../. \
  RESULT_D=test-runs \
  PERL="/usr/bin/perl" \
  EXE_EXT= \
  OPENSSL_ENGINES=`cd .././engines; pwd` \
  OPENSSL_DEBUG_MEMORY=on \
  /usr/bin/perl .././test/run_tests.pl )
../test/recipes/01-test_abort.t ............ ok
../test/recipes/01-test_sanity.t ........... ok
../test/recipes/01-test_symbol_presence.t .. ok
../test/recipes/02-test_ordinals.t ......... ok
../test/recipes/03-test_exdata.t ........... ok
../test/recipes/03-test_ui.t ............... ok
../test/recipes/04-test_pem.t .............. ok
../test/recipes/05-test_bf.t ............... ok
../test/recipes/05-test_cast.t ............. ok
../test/recipes/05-test_des.t .............. ok
../test/recipes/05-test_hmac.t ............. ok
../test/recipes/05-test_idea.t ............. ok
../test/recipes/05-test_md2.t .............. skipped: md2 is not supported by this OpenSSL build
../test/recipes/05-test_md4.t .............. ok
../test/recipes/05-test_md5.t .............. ok
../test/recipes/05-test_mdc2.t ............. ok
../test/recipes/05-test_rand.t ............. ok
../test/recipes/05-test_rc2.t .............. ok
../test/recipes/05-test_rc4.t .............. ok
../test/recipes/05-test_rc5.t .............. skipped: rc5 is not supported by this OpenSSL build
../test/recipes/05-test_rmd.t .............. ok
../test/recipes/05-test_sha1.t ............. ok
../test/recipes/05-test_sha256.t ........... ok
../test/recipes/05-test_sha512.t ........... ok
../test/recipes/05-test_wp.t ............... ok
../test/recipes/10-test_bn.t ............... ok
../test/recipes/10-test_exp.t .............. ok
../test/recipes/15-test_dh.t ............... ok
../test/recipes/15-test_dsa.t .............. ok
../test/recipes/15-test_ec.t ............... ok
../test/recipes/15-test_ecdsa.t ............ ok
../test/recipes/15-test_genrsa.t ........... ok
../test/recipes/15-test_rsa.t .............. ok
../test/recipes/15-test_rsapss.t ........... ok
../test/recipes/20-test_enc.t .............. ok
../test/recipes/20-test_passwd.t ........... ok
../test/recipes/25-test_crl.t .............. ok
../test/recipes/25-test_d2i.t .............. ok
../test/recipes/25-test_pkcs7.t ............ ok
../test/recipes/25-test_req.t .............. ok
../test/recipes/25-test_sid.t .............. ok
../test/recipes/25-test_verify.t ........... ok
../test/recipes/25-test_x509.t ............. ok
../test/recipes/30-test_afalg.t ............ skipped: test_afalg not supported for this build
../test/recipes/30-test_engine.t ........... ok
../test/recipes/30-test_evp.t .............. ok
../test/recipes/30-test_evp_extra.t ........ ok
../test/recipes/30-test_pbelu.t ............ ok
../test/recipes/40-test_rehash.t ........... ok
../test/recipes/60-test_x509_store.t ....... ok
../test/recipes/70-test_asyncio.t .......... ok
../test/recipes/70-test_bad_dtls.t ......... ok
../test/recipes/70-test_clienthello.t ...... ok
../test/recipes/70-test_packet.t ........... ok
../test/recipes/70-test_sslcbcpadding.t .... ok
../test/recipes/70-test_sslcertstatus.t .... ok
../test/recipes/70-test_sslextension.t ..... ok
../test/recipes/70-test_sslmessages.t ...... ok
../test/recipes/70-test_sslrecords.t ....... ok
../test/recipes/70-test_sslsessiontick.t ... ok
../test/recipes/70-test_sslskewith0p.t ..... ok
../test/recipes/70-test_sslvertol.t ........ ok
../test/recipes/70-test_tlsextms.t ......... ok
../test/recipes/70-test_verify_extra.t ..... ok
../test/recipes/80-test_ca.t ............... ok
../test/recipes/80-test_cipherlist.t ....... ok
../test/recipes/80-test_cms.t .............. ok
../test/recipes/80-test_ct.t ............... ok
../test/recipes/80-test_dane.t ............. ok
../test/recipes/80-test_dtls.t ............. ok
../test/recipes/80-test_dtlsv1listen.t ..... ok
../test/recipes/80-test_ocsp.t ............. ok
../test/recipes/80-test_pkcs12.t ........... ok
../test/recipes/80-test_ssl_new.t .......... ok
../test/recipes/80-test_ssl_old.t .......... ok
../test/recipes/80-test_ssl_test_ctx.t ..... ok
../test/recipes/80-test_sslcorrupt.t ....... ok
../test/recipes/80-test_tsa.t .............. ok
../test/recipes/80-test_x509aux.t .......... ok
../test/recipes/90-test_async.t ............ ok
../test/recipes/90-test_bio_enc.t .......... ok
../test/recipes/90-test_bioprint.t ......... ok
../test/recipes/90-test_constant_time.t .... ok
../test/recipes/90-test_fuzz.t ............. ok
../test/recipes/90-test_gmdiff.t ........... ok
../test/recipes/90-test_heartbeat.t ........ skipped: heartbeats is not supported by this OpenSSL build
../test/recipes/90-test_ige.t .............. ok
../test/recipes/90-test_memleak.t .......... ok
../test/recipes/90-test_p5_crpt2.t ......... ok
../test/recipes/90-test_secmem.t ........... ok
../test/recipes/90-test_shlibload.t ........ ok
../test/recipes/90-test_srp.t .............. ok
../test/recipes/90-test_sslapi.t ........... ok
../test/recipes/90-test_threads.t .......... ok
../test/recipes/90-test_v3name.t ........... ok
All tests successful.
Files=95, Tests=556, 43 wallclock secs ( 0.41 usr  0.12 sys + 31.72 cusr 12.14 csys = 44.39 CPU)
Result: PASS
make[1]: Leaving directory `/usr/local/src/openssl-1.1.0g'
# cd /usr/local/src/openssl-1.1.0g/
# make install
Creating a symbolic link
Leave the old OpenSSL in place. Create a symbolic link so that future version upgrades only require re-pointing the link.
# cd /usr/local/
# ln -s /usr/local/openssl-1.1.0g openssl
# ls -l
total 0
drwxr-xr-x. 2 root root   6 Nov  6  2016 bin
drwxr-xr-x. 2 root root   6 Nov  6  2016 etc
drwxr-xr-x. 2 root root   6 Nov  6  2016 games
drwxr-xr-x. 2 root root   6 Nov  6  2016 include
drwxr-xr-x. 2 root root   6 Nov  6  2016 lib
drwxr-xr-x. 2 root root   6 Nov  6  2016 lib64
drwxr-xr-x. 2 root root   6 Nov  6  2016 libexec
lrwxrwxrwx  1 root root  25 Jan 17 09:23 openssl -> /usr/local/openssl-1.1.0g
drwxr-xr-x  7 root root  67 Jan 17 09:20 openssl-1.1.0g
drwxr-xr-x. 2 root root   6 Nov  6  2016 sbin
drwxr-xr-x. 5 root root  49 Dec 21 13:09 share
drwxr-xr-x. 3 root root 158 Jan 17 08:58 src
It cannot run yet, because the library path is not set.
# /usr/local/openssl/bin/openssl version
/usr/local/openssl/bin/openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
Add the library path to ld.so.conf
# vi /etc/ld.so.conf
include ld.so.conf.d/*.conf
# add the following line
/usr/local/openssl/lib
Update the library cache file
# ldconfig
Confirmation
# ldconfig -v | grep ssl
ldconfig: Can't stat /libx32: No such file or directory
ldconfig: Path `/usr/lib' given more than once
ldconfig: Path `/usr/lib64' given more than once
ldconfig: Can't stat /usr/libx32: No such file or directory
/usr/local/openssl/lib:
libssl.so.1.1 -> libssl.so.1.1
libssl3.so -> libssl3.so
libssl.so.10 -> libssl.so.1.0.2k
Checking the version of the OpenSSL installed from source (full path)
# /usr/local/openssl/bin/openssl version
OpenSSL 1.1.0g  2 Nov 2017
Adding to PATH
Precedence runs from the start of the list, so be careful: if /usr/local/openssl/bin is placed after $PATH, the old OpenSSL is the one that gets referenced.
vi /etc/profile
export PATH=/usr/local/openssl/bin:$PATH
Checking the version of the OpenSSL installed from source
# openssl version
OpenSSL 1.1.0g  2 Nov 2017
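As an added example (not part of the original article and not OpenSSL project code), the following shell functions check the three things this procedure most easily gets wrong: the 1.1 shared libraries under the install prefix, the ld.so.conf entry for the library directory, and the PATH ordering. The prefix and the ld.so.conf path are passed as arguments, so the checks can be run against a scratch directory as well as a live system.

```shell
#!/bin/bash
# Added example, not from the original article or the OpenSSL project:
# post-install checks for an OpenSSL built into a prefix such as
# /usr/local/openssl-1.1.0g (linked as /usr/local/openssl). Paths are
# passed as arguments so the checks can also run against a scratch directory.

# 0 if the prefix holds the 1.1 shared libraries that `make install` produces
# when OpenSSL was configured with the `shared` option used in the article.
openssl_libs_present() {
  local prefix="$1"
  [ -e "$prefix/lib/libssl.so.1.1" ] && [ -e "$prefix/lib/libcrypto.so.1.1" ]
}

# 0 if ld.so.conf, or a file pulled in by one of its `include` lines, lists
# $libdir. Without that entry ldconfig never caches libssl.so.1.1 and the new
# binary fails with "cannot open shared object file", as shown in the article.
ldconf_lists_dir() {
  local conf="$1" libdir="$2" dir kw pat
  dir=$(dirname "$conf")
  {
    grep -v '^include' "$conf" || true
    grep '^include' "$conf" | while read -r kw pat; do
      # relative globs in an include line resolve against the conf directory
      ( cd "$dir" && cat $pat ) 2>/dev/null || true
    done
  } | grep -qxF "$libdir"
}

# 0 if $newbin is the first PATH entry that contains an openssl executable.
# This is the article's ordering caveat: appending the new directory after
# $PATH leaves the distro's /usr/bin/openssl (1.0.2k) as the one that runs.
path_prefers_openssl() {
  local path="$1" newbin="$2" d
  local IFS=':'
  for d in $path; do
    [ "$d" = "$newbin" ] && return 0
    [ -x "$d/openssl" ] && return 1
  done
  return 1
}

# Run all three checks against a live system, printing each failure.
check_openssl_install() {
  local prefix="$1" conf="${2:-/etc/ld.so.conf}" rc=0
  openssl_libs_present "$prefix" || { echo "no libssl/libcrypto .so.1.1 under $prefix/lib"; rc=1; }
  ldconf_lists_dir "$conf" "$prefix/lib" || { echo "$prefix/lib missing from $conf; add it and run ldconfig"; rc=1; }
  path_prefers_openssl "$PATH" "$prefix/bin" || { echo "$prefix/bin is not ahead of the old openssl in PATH"; rc=1; }
  return "$rc"
}
```

On the server from the article, `check_openssl_install /usr/local/openssl` should print nothing and exit 0 once the ld.so.conf and /etc/profile steps are done.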
References
Building OpenSSL from source and using it with Nginx
The problem of the old version lingering after an OpenSSL upgrade
Installing OpenSSL
OpenSSL "make test" error (Ubuntu 16.04)
Installing openssl-1.1.0
Installing OpenSSL (1.0.x) by compiling from source, for CentOS 7.4
Adding shared libraries to the library path