-
Important Announcement for the TrueNAS Community.
The TrueNAS Community has now been moved. This forum has become READ-ONLY for historical purposes. Please feel free to join us on the new TrueNAS Community Forums
Updating OpenSSL in jail?
- Thread starter ClayM
- Start date
- Status
jgreco
Resident Grinch
- Joined
- May 29, 2011
- Messages
- 18,680
The system's normal version of SSL is normally 0.9.8za or zd or something like that; 0.9.8zg is current. If you're merely looking at the numbers and thinking "wow 0.9.8 sounds old since I've seen 1.0.2" or maybe "gee I'd like that to be 1.0.2d", you can't really fix that, the base system has stuff that it needs SSL for, and trying to upgrade that in-place breaks many things. Leave it alone.
You're certainly welcome to download OpenSSL of whatever version you'd prefer and install it in /usr/local. There should also be a port available for that. Recompile anything in your jail that you'd like to use the new version of SSL and it is likely to pick it up.
You're certainly welcome to download OpenSSL of whatever version you'd prefer and install it in /usr/local. There should also be a port available for that. Recompile anything in your jail that you'd like to use the new version of SSL and it is likely to pick it up.
The version in the jail I'm running is older than what's found in a newly created jail.
I believe it was. Hasn't broken, didn't want to fix it :)
Jailer
Not strong, but bad
- Joined
- Sep 12, 2014
- Messages
- 4,977
Well that would explain the older version of openssl. Only way to fix that, at least from what I've read (I'm no expert by any stretch), is to recreate the jail and destroy the old one. There do seem to be ways to update jails from the FreeBSD base OS under certain circumstances but I'm not sure if that's possible with FreeNAS and Warden.
RuudschMaHinda
Cadet
- Joined
- Nov 5, 2013
- Messages
- 8
Sorry to open this again, I have a jail I created with FreeNAS 8.x and am running the latest 9.3 now. In the jail I have the latest openssl 1.0.2g running. But whenever I check my ssl status I seem to be running an older version of ssl, at least nginx doesn't revognize TLS1.1 and TLS1.0
This is bumming me out. Is there any way to tell nginx to use openssl from within the jail? If it isn't already, what's the problem then? recreating that jail will be really hard work, since it is a production system!
Or is it something I have to add to the sysctls in the jails configuration?
This is bumming me out. Is there any way to tell nginx to use openssl from within the jail? If it isn't already, what's the problem then? recreating that jail will be really hard work, since it is a production system!
Or is it something I have to add to the sysctls in the jails configuration?
jgreco
Resident Grinch
- Joined
- May 29, 2011
- Messages
- 18,680
The base system isn't going to use the SSL from inside a jail. That doesn't make a lot of sense.
The stuff in the jail will use the SSL from that jail if it is properly configured to do so. The usual mistake is that it hasn't been configured to do so, or that it may need to be re-linked in order to get the newer version incorporated.
The stuff in the jail will use the SSL from that jail if it is properly configured to do so. The usual mistake is that it hasn't been configured to do so, or that it may need to be re-linked in order to get the newer version incorporated.
RuudschMaHinda
Cadet
- Joined
- Nov 5, 2013
- Messages
- 8
Well, how do I do that? I want the jail system to use the openssl installed in the jail. But it seems to be using the openssl from the base system. (so the reverse of what you thought I meant)
RuudschMaHinda
Cadet
- Joined
- Nov 5, 2013
- Messages
- 8
hmm.. I used pkg install to install openssl, so should I uninstall it and reinstall using ports?
RuudschMaHinda
Cadet
- Joined
- Nov 5, 2013
- Messages
- 8
Oh boy, well, that will be an interesting weekend then. hah!
I'll update my findings here once I got around to it. If/when I was successfull, I already wish to thank you!
I'll update my findings here once I got around to it. If/when I was successfull, I already wish to thank you!
RuudschMaHinda
Cadet
- Joined
- Nov 5, 2013
- Messages
- 8
I finally got nginx using TLS 1.2!
I had to edit my nginx.conf file like this
I did not have the "spdy" enabled. If spdy won't work for you, try the "http2" instead. If that doesn't work, pkg update and pkg upgrade and try again. If all this doesn't work either, I don't know as well.
There was no recompiling needed and I still use the packages installed by pkg. I hope this helps. I now get an A+ on https://www.ssllabs.com/ssltest/
I had to edit my nginx.conf file like this
Code:
server {
listen 443 ssl spdy;
# listen 443 ssl http2;
# listen [::]:443 ssl spdy;
# listen [::]:443 ssl http2;
server_name example.com;
ssl_certificate /path/to/certificate/example.com.crt;
ssl_certificate_key /path/to/private/key/private.key;I did not have the "spdy" enabled. If spdy won't work for you, try the "http2" instead. If that doesn't work, pkg update and pkg upgrade and try again. If all this doesn't work either, I don't know as well.
There was no recompiling needed and I still use the packages installed by pkg. I hope this helps. I now get an A+ on https://www.ssllabs.com/ssltest/
Jailer
Not strong, but bad
- Joined
- Sep 12, 2014
- Messages
- 4,977
SPDY is no longer supported by nginx. https://www.nginx.com/blog/nginx-1-9-5/
jgreco
Resident Grinch
- Joined
- May 29, 2011
- Messages
- 18,680
Oh snap, I managed to entirely miss out on re-engineering our web servers to support that... I suppose I can now say that entire protocols are birthed and die between the major upgrade cycles around here, haha.
RuudschMaHinda
Cadet
- Joined
- Nov 5, 2013
- Messages
- 8
As stated in my nginx.conf and my comment right under it, if spdy doesn't work, you should use http2. it is commented out in my config. but it is there for newer builds of nginx.
- Status
Related topics on forums.truenas.com for thread: "Updating OpenSSL in jail?"
Similar threads
