如何在 centos 7.2 上更新 OpenSSL？

Question

我用的是centos 7.2，我会安装Nginx-CT，它需要OpenSSL 1.0.2，当前版本如下：

[root@i001 ~]# rpm -qa|grep openssl
openssl-libs-1.0.1e-51.el7_2.4.x86_64
openssl-devel-1.0.1e-51.el7_2.4.x86_64
openssl-1.0.1e-51.el7_2.4.x86_64

我尝试在 fedora 库中下载 SRPM 包，

openssl-1.0.2d-2.fc23.src.rpm

重建它并安装，但有问题，

[root@i001 ~]# yum update openssl
Loaded plugins: axelget, langpacks
No metadata available for base
No metadata available for dockerrepo
No metadata available for elrepo
No metadata available for epel
No metadata available for extras
No metadata available for local
No metadata available for mariadb
No metadata available for nginx
No metadata available for remi-php70
No metadata available for remi-php70-test
No metadata available for remi-safe
No metadata available for salt-2015.8
No metadata available for updates
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 1:1.0.1e-51.el7_2.4 will be updated
---> Package openssl.x86_64 1:1.0.2d-2.el7.centos will be an update
--> Processing Dependency: openssl-libs(x86-64) = 1:1.0.2d-2.el7.centos for package: 1:openssl-1.0.2d-2.el7.centos.x86_64
--> Processing Dependency: libcrypto.so.10(OPENSSL_1.0.2)(64bit) for package: 1:openssl-1.0.2d-2.el7.centos.x86_64
--> Running transaction check
---> Package openssl-libs.x86_64 1:1.0.1e-51.el7_2.4 will be updated
--> Processing Dependency: openssl-libs(x86-64) = 1:1.0.1e-51.el7_2.4 for package: 1:openssl-devel-1.0.1e-51.el7_2.4.x86_64
---> Package openssl-libs.x86_64 1:1.0.2d-2.el7.centos will be an update
--> Processing Dependency: crypto-policies for package: 1:openssl-libs-1.0.2d-2.el7.centos.x86_64
--> Running transaction check
---> Package openssl-devel.x86_64 1:1.0.1e-51.el7_2.4 will be updated
---> Package openssl-devel.x86_64 1:1.0.2d-2.el7.centos will be an update
---> Package openssl-libs.x86_64 1:1.0.2d-2.el7.centos will be an update
--> Processing Dependency: crypto-policies for package: 1:openssl-libs-1.0.2d-2.el7.centos.x86_64
--> Finished Dependency Resolution
Error: Package: 1:openssl-libs-1.0.2d-2.el7.centos.x86_64 (local)
           Requires: crypto-policies
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

我该怎么办？

Answer 1

首先，让我说garethTheRed和Bratchley是正确的，因为 CentOS 不支持您尝试安装的 OpenSSL 软件包，因此不建议这样做。尝试这样做可能会导致系统出现问题。

如果您绝对必须安装它......据我所知，您正在尝试安装nginx-ct，它需要 OpenSSL 1.0.2 或更高版本，因为它需要SSL_CTX_add_server_custom_ext和SSL_CTX_set_signed_cert_timestamp_list。

使用 yum

正如其他人所指出的那样，为您的系统使用来自其他不受支持的存储库的软件包是一个坏主意。从 yum 输出的外观来看，它抱怨依赖于加密策略包（openssl-libs-1.0.2d-2 需要）。您可以尝试先安装加密策略包（也来自 Fedora 23 存储库）。

从源代码编译

正如Bratchley在此评论中指出的那样，您可以尝试使用特定版本的 OpenSSL 从源代码编译 nginx。以下是该教程中更新的启动命令：

# Install dependencies
sudo yum install unzip gcc pcre-devel zlib-devel make golang

# Grab needed files, correct as of 2016-04-08
wget https://www.openssl.org/source/openssl-1.0.2g.tar.gz
wget http://nginx.org/download/nginx-1.9.14.tar.gz
wget -O nginx-ct.zip https://github.com/grahamedgecombe/nginx-ct/archive/master.zip
tar zxf openssl-1.0.2g.tar.gz
tar zxf nginx-1.9.14.tar.gz
unzip nginx-ct.zip

# Build nginx with openssl 1.0.2 and CT module
cd nginx-1.9.14/
./configure --with-http_ssl_module \
    --with-openssl=`realpath ../openssl-1.0.2g` \
    --add-module=`realpath ../nginx-ct-master`
make  # NOTE: when I tried building with -jN for speedup I encountered linker issues
sudo make install
cd ..

该教程中的其余命令应该能够按原样遵循。

最后的选择

或者，您可以尝试使用 BoringSSL，因为nginx-ct 支持它，尽管您似乎必须从源代码构建它。