Is it necessary to upgrade openssl to 1.0.2 version?
Re: Is it necessary to upgrade openssl to 1.0.2 version?
baijianpeng wrote:
> In former steps, I had already upgraded my openssl to 1.0.2g, and checked and confirmed the version number. Why VestaCP still uses the old openssl 1.0.1e version to build nginx? How to let VestaCP install nginx based on the new openssl 1.0.2g I have upgraded to?
mephivio suggested compiling your own nginx with a fresh openssl.
Again about software in VestaCP. Vesta uses the system repository from your OS. The repo has stable (and often older) software. If you want newer software, then use a repo different from the system one.
Re: Is it necessary to upgrade openssl to 1.0.2 version?
Thank you.
I made a test on my Virtualbox CentOS installation. Now I got it:
In fact, we don't need to "upgrade" the openssl to 1.0.2 to upgrade nginx. We can keep the current openssl 1.0.1e as it was, then download the openssl 1.0.2g source code to a temp folder and extract it there, without installing it, just extracting the source code there.
Then, we download the latest nginx 1.9.13 source code package, and modify the "config" parameters to use the openssl 1.0.2g as "openssl path", then start to compile nginx 1.9.13.
After such a compile, the new nginx 1.9.13 will be "built with openssl 1.0.2g".
I will do such a compile on my production server soon.
Thank you.
Re: Is it necessary to upgrade openssl to 1.0.2 version?
Ok, finally I compiled nginx 1.9.13 with openssl 1.0.2g, now I have ALPN supported.
Hope this will improve the performance.
Thank you.
Re: Is it necessary to upgrade openssl to 1.0.2 version?
baijianpeng wrote:
> Well, since my server is running a live website, I can risk to make any mistake. So I made a test on VirtualBox, then something very weird happened:
> 1. Install CentOS 7 64-bit minimal on VirtualBox;
> 2. check the openssl version, it is 1.0.1e;
> 3. upgrade the openssl to 1.0.2g and use above mentioned "ls" command;
> 4. check the openssl version, it is now 1.0.2g;
> 5. Install VestaCP;
> 6. After VestaCP installed, check the nginx version and got:
> Code:
> [root@localhost ~]# nginx -V
> nginx version: nginx/1.8.1
> built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
> built with OpenSSL 1.0.1e-fips 11 Feb 2013
> TLS SNI support enabled
> Did you notice that it says "built with OpenSSL 1.0.1e-fips"?
> In former steps, I had already upgraded my openssl to 1.0.2g, and checked and confirmed the version number. Why VestaCP still uses the old openssl 1.0.1e version to build nginx?
> How to let VestaCP install nginx based on the new openssl 1.0.2g I have upgraded to?
> Thank you.
Because your Nginx was compiled with Openssl 1.0.1. It's very dangerous to change the openssl version of your Centos server. You should not do that.
If you want your site to work with Openssl 1.0.2, just compile Nginx with that version of Openssl, easy. You can even compile it with Libressl if you want.
Code:
nginx -V
nginx version: nginx/1.9.14
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with OpenSSL 1.0.2g 1 Mar 2016
TLS SNI support enabled
Re: Is it necessary to upgrade openssl to 1.0.2 version?
RevengeFNF wrote:
> It's very dangerous to change the openssl version of your Centos server. You should not do that.
Thank you. I now know this.
Re: Is it necessary to upgrade openssl to 1.0.2 version?
baijianpeng wrote:
> Ok, finally I compiled nginx 1.9.13 with openssl 1.0.2g, now I have ALPN supported.
Congrats, man! ^_^
Re: Is it necessary to upgrade openssl to 1.0.2 version?
Now I got new issues:
When I ran "yum update -y", my VPS updated nginx automatically, which was performed with the openssl version that is installed, 1.0.1e.
So now I have a newly upgraded Nginx v1.10.1, but it is "built with OpenSSL 1.0.1e-fips 11 Feb 2013", which means I lost http/2 support now.
Did you notice that the latest stable version of openssl is 1.0.2h?
Since openssl is a built-in software of the VPS, not from VestaCP, I think we should upgrade openssl to 1.0.2h BEFORE we start to install VestaCP. Then we will have openssl 1.0.2h installed before VestaCP installs nginx.
And maybe this can ensure that when updating the VPS with the "yum update" command, Nginx will be upgraded with openssl 1.0.2h.
However, I don't know how to "seamlessly" upgrade the default openssl 1.0.1e to 1.0.2h. I have posted a new topic on this:
http://forum.vestacp.com/viewtopic.php? ... 719#p45206
Hope someone will notice this issue and solve it for good.
Thank you.
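Both the self-compiled build and the `yum update` regression described in the posts above come down to reading the "built with OpenSSL" line of `nginx -V`. The following is an added example, not code from the thread or from VestaCP: a POSIX shell check that extracts that version and reports whether it is at least 1.0.2, the release that introduced ALPN. The function names and the two sample outputs (assembled from lines quoted in the thread) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check which OpenSSL an nginx binary was built against.
# Live use: nginx -V 2>&1 | check_nginx_alpn   (nginx -V writes to stderr)

# Read `nginx -V` output on stdin, print the OpenSSL version token.
built_openssl_version() {
    sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p' | head -n 1
}

# Exit 0 if a version such as 1.0.2g, 1.0.1e-fips or 1.1.1k is >= 1.0.2.
# Unparsable versions are treated as failing the check.
openssl_has_alpn() {
    nums=$(printf '%s\n' "${1%%-*}" | sed 's/[a-z]*$//')  # 1.0.1e-fips -> 1.0.1
    IFS=. read -r major minor fix <<EOF
$nums
EOF
    minor=${minor:-0}; fix=${fix:-0}
    case "$major$minor$fix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 0 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$fix" -ge 2 ] && return 0
    return 1
}

# Read `nginx -V` output on stdin; print a verdict and set the exit status
# (0 = ALPN-capable build, 1 = too old, 2 = no OpenSSL line, e.g. LibreSSL).
check_nginx_alpn() {
    ver=$(built_openssl_version)
    [ -n "$ver" ] || { echo "unknown: no 'built with OpenSSL' line"; return 2; }
    if openssl_has_alpn "$ver"; then
        echo "ok: built with OpenSSL $ver"
    else
        echo "no-alpn: built with OpenSSL $ver"; return 1
    fi
}

# Constructed samples, assembled from output lines quoted in the thread.
SAMPLE_REPO='nginx version: nginx/1.10.1
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled'
SAMPLE_CUSTOM='nginx version: nginx/1.9.14
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with OpenSSL 1.0.2g 1 Mar 2016
TLS SNI support enabled'

printf '%s\n' "$SAMPLE_REPO" | check_nginx_alpn || true   # repo package
printf '%s\n' "$SAMPLE_CUSTOM" | check_nginx_alpn         # self-compiled
```

Run after every package update, the non-zero exit status flags the case where the repository package has replaced a self-compiled binary.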
Re: Is it necessary to upgrade openssl to 1.0.2 version?
Question, CentOS7, if I compile 1.0.2h from source and install...as described in this post... once it comes out on repo... how do I revert to repo version?