处理的漏洞:SSL/TLS 协议信息泄露漏洞(CVE-2016-2183,即 SWEET32,针对 3DES 等 64 位分组密码套件)【原理扫描】
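# Build and install OpenSSL 1.1.1j under /usr/local/ssl.
# First confirm whether OpenSSL is already installed (and which version).
# NOTE(review): 1.1.1j is not the last release of the 1.1.1 series, and that
# series is end-of-life upstream; prefer a currently supported release and
# adjust the file names below to match.
cd /data/software/ &&
  yum install perl perl-devel -y
# Download over verified TLS. The original command passed
# --no-check-certificate, which accepts any certificate and so lets anyone on
# the network path substitute the source of the library that will terminate
# TLS for this host. If verification fails, repair the local CA bundle
# instead of disabling the check.
wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1j.tar.gz
# Extract only if the archive matches the SHA-256 digest published by the
# OpenSSL project, obtained independently of this download. The placeholder
# must be replaced; left as-is the check fails closed and nothing is unpacked.
echo '<EXPECTED_SHA256_OF_TARBALL>  openssl-1.1.1j.tar.gz' | sha256sum -c - &&
  tar zxvf openssl-1.1.1j.tar.gz
# "-d" from the original command line is dropped: in the 1.1.1 config script
# it selects a debug build, which is not what a production library should be.
# The steps are chained so a failed configure or compile is never installed.
cd openssl-1.1.1j &&
  ./config --prefix=/usr/local/ssl shared &&
  make -j 4 &&
  make install
# Register the library directory once; the original unconditional append added
# a duplicate line on every run.
# NOTE(review): this changes library lookup for every dynamically linked
# program on the host. The nginx build on this page links libssl.a and
# libcrypto.a, so this step looks necessary only for the tools installed under
# /usr/local/ssl -- confirm it is wanted system-wide.
grep -qxF '/usr/local/ssl/lib' /etc/ld.so.conf ||
  echo '/usr/local/ssl/lib' >> /etc/ld.so.conf
ldconfig -v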
# Check the configure arguments of the nginx binary that is currently
# installed; they are reused for the rebuild further down.
/usr/local/nginx/sbin/nginx -V
# Back up the nginx build configuration before touching it.
# Building against a specific, already installed OpenSSL requires a change to
# the nginx source tree.
cd /data/software/nginx-1.20.1/auto/lib/openssl/
cp conf conf.20220310
vi conf
# The assignments below are the contents of the "conf" file being edited in
# vi; they are shown for reference and are not commands to run.
# Find the following code, at roughly line 40:
CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
# Change it to the following. The only difference is that the ".openssl/"
# path component is removed, so the headers and static libraries are taken
# directly from $OPENSSL/include and $OPENSSL/lib, i.e. from the install
# prefix that is later passed as --with-openssl=/usr/local/ssl.
# NOTE(review): unpatched nginx expects --with-openssl to name an OpenSSL
# source tree that it builds itself; pointing it at the unpacked
# openssl-1.1.1j sources would avoid this patch -- confirm which approach
# the team wants to maintain. Either way libssl.a and libcrypto.a are linked
# in statically, so later OpenSSL fixes require rebuilding nginx.
CORE_INCS="$CORE_INCS $OPENSSL/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"
CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
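# Rebuild nginx 1.20.1 against the OpenSSL installed in /usr/local/ssl and
# swap the binary in place.
cd /data/software/nginx-1.20.1 &&
  make clean
# The configure arguments can be taken from `/usr/local/nginx/sbin/nginx -V`.
# NOTE(review): --prefix is /usr/local/nginx-1.20.1 while the binary is copied
# to /usr/local/nginx/sbin below, and `make upgrade` works with the paths that
# configure generated; presumably /usr/local/nginx is a symlink to that
# prefix -- confirm before running.
./configure --user=nginx --group=nginx --prefix=/usr/local/nginx-1.20.1 --with-http_stub_status_module --with-http_gzip_static_module --with-http_ssl_module --with-openssl=/usr/local/ssl
# Replace the binary only after a successful build, and test the configuration
# with the new binary before upgrading. In the original sequence a failed
# `make` was still followed by the mv/cp, which could leave no usable binary at
# the live path. The previous binary is kept as nginx.old for rollback.
make &&
  mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.old &&
  cp objs/nginx /usr/local/nginx/sbin/ &&
  /usr/local/nginx/sbin/nginx -t &&
  make upgrade
# Check that it worked: the output should now report the new OpenSSL version
# ("built with OpenSSL 1.1.1j").
/usr/local/nginx/sbin/nginx -V
# In the nginx configuration set: ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
# Note: !3DES is the exclusion that was added afterwards.
# The version shown by -V does not prove the finding is closed; what the
# scanner measures is the set of cipher suites the server offers. Apply the
# directive wherever ssl_ciphers is set, run `nginx -t`, and reload.
# Then enumerate the offered suites from another host, for example with
# `nmap --script ssl-enum-ciphers -p 443 <host>`, and confirm that no 3DES
# (DES-CBC3) suite is listed before re-running the vulnerability scan.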