How To Update Openssl?

Hello,

I am using "Red Hat Enterprise Linux ES release 4 (Nahant Update 5)
Kernel \r on an \m" and have "OpenSSL 0.9.7a Feb 19 2003".
I wish to update OpenSSL to the new version, OpenSSL 1.0.2a.

Please advise...

Thank you very much.


Similar Content



HOW-TO: Install Certificate And Verify

Dear All,

I am trying to install a certificate and then authenticate with LDAP,
but I think I have gotten lost somewhere in the middle:

On a CentOS 7 system, first I would like to make sure that the certificate is installed and used:

Code:
yum install ca-certificates
update-ca-trust enable
cp cacert.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

When I do:
Code:
openssl s_client -showcerts -connect ...:636

Code:
openssl verify cacert.pem 
cacert.pem: OK

Code:
openssl version -d
OPENSSLDIR: "/etc/pki/tls"

Solved with:
Quote:
openssl s_client -showcerts -connect ...:636

Symlink Not Working

I have a user: mim that has within it a folder /mimmim and within that, a folder called /Src. User mim has root privileges.

There is an Install file in /home/mim/ that uses a file in /Src called pgp.h. pgp.h references a file /openssl/opensslv.h. The opensslv.h is actually in the newer openssl installation at /usr/local/ssl/include/openssl/

I tried to do a 'sudo ln -s /usr/local/ssl/include/openssl openssl' from /home/mim/, as well as from within the /home/mim/mimmim/ and from within /home/mim/mimmim/Src/. I still get this error however:

pgp.h:16:30: fatal error: openssl/opensslv.h: No such file or directory
compilation terminated.

I guess I am not symlinking correctly.

Multiple Openssl

Hi,

Friends,

Good morning to all. I have some queries about openssl. I googled my query but I did not get a relevant answer, hence I came here, and I am sure that you guys will definitely help me as you have helped me before as well.

My scenario is that I had one CentOS 6 server which had this openssl version:
Code:
rpm -qa|grep openssl
openssl-1.0.1e-30.el6_6.5.x86_64
openssl-devel-1.0.1e-30.el6_6.5.x86_64

CentOS 6 provides php5.3 as the default:
Code:
yum list php
Loaded plugins: downloadonly, fastestmirror, presto
Determining fastest mirrors
base                | 3.7 kB     00:00
epel                | 4.4 kB     00:00
epel/primary_db     | 6.4 MB     00:00
extras              | 3.4 kB     00:00
panopta             |  951 B     00:00
updates             | 3.4 kB     00:00
updates/primary_db  | 2.1 MB     00:00
Available Packages
php.x86_64          5.3.3-40.el6_6          updates

But I need php5.2, so I preferred to compile it. It gave me some errors regarding openssl while doing make. I googled for it, and the solution given was to downgrade openssl.

As the default openssl can't be removed, I preferred installing openssl-0.9.x through compilation with the --prefix option. After doing that I was able to compile php-5.2 successfully.

Now the following are installed on my server:

Code:
[next02admin@NEXT02VMD02 ~]$ /usr/bin/openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013 (the default one)

[next02admin@NEXT02VMD02 ~]$ /usr/local/bin/openssl version
OpenSSL 0.9.8e 23 Feb 2007 (the compiled one)

[next02admin@NEXT02VMD02 ~]$ php -v
PHP 5.2.10 (cli) (built: Jul  1 2014 00:39:27)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies

[next02admin@NEXT02VMD02 ~]$ rpm -qa|grep httpd
httpd-tools-2.2.15-39.el6.centos.x86_64
httpd-2.2.15-39.el6.centos.x86_64
httpd-devel-2.2.15-39.el6.centos.x86_64

Now my questions are:
1) Is it safe to use both openssl versions simultaneously?
2) Will it cause any vulnerability on my site (prod env)? If it will affect the prod env, then to what extent?

Your replies will be very much appreciated. I will be very thankful to you.

Regards,

SSR

Difference In Outputs When Using TLS1

Hello All,

I am a rookie when it comes to security protocols and I am learning this as part of my job responsibilities.

Recently our application started implementing TLSv1.2 and here are some questions that I have from my observations.

First, the terms ciphers, keys and certs are all very confusing to me; however, I have started to get some understanding of these as I am reading a lot of stuff.
Now, my application is running on server "X" and only accepts TLS1.X connections, since I use Java 7, where ssl2Hello is disabled.

Now, from server "A", when I run the command: openssl s_client -tls1 -host xxx -port yyyy
I get back a response in which I see a line
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
the openssl version on server A is: 1.0

when I run the same command from another server "B" I get a response in which the line says:
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
the openssl version on server B is: 0.9

My understanding of the cipher was that it is something enforced by the application server "X" and not by the client that is making the call. Is that a wrong understanding?
And how can I find out what type of cipher is being enforced by the server "X" when someone makes a call to it?

Can anyone help me understand why there is a difference and how this entire stuff operates?
Help much appreciated.

How To Verify Openssl Version In Apache

Hi,

After upgrading the openssl version from 0.9.8zc to 0.9.8zd, how do I verify that Apache is now using the latest openssl version?

Thanks in advance.

Not Using SHA-1 Certificate For Self-signed SSL

Firebug displays the following error when viewing my site:
Quote:
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.
My approach to generate self-signed SSL keys is shown below. I didn't think I was using SHA-1, but thought I was using SHA-256.

What should I do to eliminate this warning?

Thank you

Code:
# generate mysite.com's RSA keypair with 3072 bits and encrypt it
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -aes-128-cbc -out mysite_key.pem

# generate a certificate signing request.  Used FQDN of server (i.e. mysite.com).  Use email with dot to prevent spam.  Didn't include an "extra" password
openssl req -new -key mysite_key.pem -sha256 -days 365 -out mysite_csr.pem

# Remove pass-phrase from the key
cp mysite_key.pem mysite_key.pem.tmp
openssl rsa -in mysite_key.pem.tmp -out mysite_key.pem
rm -f mysite_key.pem.tmp

# sign the certificate with the key itself.  Skip this step if using a CA
openssl x509 -req -in mysite_csr.pem -signkey mysite_key.pem -sha256 -days 365 -out mysite_crt.pem

# Copy the files to the correct locations (don't move since it will cause problems with selinux). Be sure to keep them readable only by root
cp mysite_key.pem /etc/pki/tls/private/mysite_key.pem
cp mysite_csr.pem /etc/pki/tls/private/mysite_csr.pem
cp mysite_crt.pem /etc/pki/tls/certs/mysite_crt.pem
rm -f mysite_key.pem
rm -f mysite_csr.pem
rm -f mysite_crt.pem

# update /etc/httpd/conf.d/ssl.conf as follows:
# SSLCertificateFile /etc/pki/tls/certs/mysite_crt.pem
# SSLCertificateKeyFile /etc/pki/tls/private/mysite_key.pem

/etc/init.d/httpd restart

No Wireless Networks Found Error After Update

Hi,

I have Kali Linux and updated it a few days ago, and now when I search for networks after going into monitor mode it tells me "no wireless networks found". Before the update, monitor mode used to be "mon0". After the update, after entering monitor mode, it says "wlan0mon"; not sure if this helps. I use the Wicd network manager, but the original network manager also can't see any wireless networks; it says "device not managed".

Thanks

Regarding Cross Compilation Of Ntp

hi all,
I am new to cross compilation. I am trying to cross compile ntp for an ARM-based Zynq SoC board, so I have downloaded the ntp source code, version ntp-4.2.8-p2.

I gave options to the configure file like this:
./configure --host=arm-xilinix-linux-gnueabi --build=x86_64-pc-linux-gnu --prefix=/home/sntp CC=arm-xilinx-linux-gnueabi-gcc -with-yeilding-select=yes
Configuration is successful, but when I run make it throws an error like this:

cd ./html && \
../scripts/build/checkHtmlFileDates
cd . && \
./scripts/build/checkChangeLog
make all-recursive
make[1]: Entering directory `/home/SNTP/ntp-4.2.8p2'
Making all in sntp
make[2]: Entering directory `/home/SNTP/ntp-4.2.8p2/sntp'
[ ! -r ./../COPYRIGHT ] \
|| [ check-COPYRIGHT-submake -nt ./../COPYRIGHT ] \
|| make check-COPYRIGHT-submake
cd ../libntp && make libntp.a
make[3]: Entering directory `/home/sumanth/SNTP/ntp-4.2.8p2/libntp'
CC systime.o
In file included from ../include/ntp.h:14:0,
from systime.c:9:
../include/ntp_crypto.h:27:25: fatal error: openssl/evp.h: No such file or directory
#include "openssl/evp.h"
^
compilation terminated.
make[3]: *** [systime.o] Error 1
make[3]: Leaving directory `/home/sumanth/SNTP/ntp-4.2.8p2/libntp'
make[2]: *** [../libntp/libntp.a] Error 2
make[2]: Leaving directory `/home/sumanth/SNTP/ntp-4.2.8p2/sntp'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/sumanth/SNTP/ntp-4.2.8p2'
make: *** [all] Error 2

Please suggest how to fix this.

Regards
sumanth

Kernel Updates - Linux Mint 17.1 W/Cinnamon

I'm new to Linux and have a question regarding the updating of Linux Kernels.

Should I wait until a kernel update is offered through the update manager, or should I go and get an updated kernel from the update manager/view/linux kernels?

Error: Cannot Retrieve Repository Metadata (repomd.xml) For Repository: Fedora

Hi.
I am completely new in Linux and I'm trying to learn as much as I can while doing my job.

I am following directions from a wi-fi card vendor. In them, they require downloading Fedora 13 to the laptop, which I have already done. uname -a displays:
Linux localhost.localdomain 2.6.33.3-85.fc13.i868.PAE #1.

The directions ask to update the kernel with "yum install kernel-PAE". While connected to the internet, when I type that, the following error comes up:
Loaded plugin : presto, refresh-packagekit
Error: cannot retrieve repository metadata (repomd.xml) for repository: fedora
Please verify its path and try again

What does it mean and what file do I need to update with the right path? Please, let me know what other information you need.
Thank you very much