1. 查看nginx openssl版本是否受影响 # ldd `which nginx`|grep ssl libssl.so.10 => /usr/lib64/libssl.so.10 (0x00000039dda00000) # strings /usr/lib64/libssl.so.10|grep OpenSSL OpenSSLDie SSLv2 part of OpenSSL 1.0.0-fips 29 Mar 2010 SSLv3 part of OpenSSL 1.0.0-fips 29 Mar 2010 TLSv1 part of OpenSSL 1.0.0-fips 29 Mar 2010 DTLSv1 part of OpenSSL 1.0.0-fips 29 Mar 2010 OpenSSL 1.0.0-fips 29 Mar 2010 2. 从新编译nginx # wget ftp://ftp.openssl.org/source/openssl-1.0.1g.tar.gz # curl -o pcre-8.35.tar.gz ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.35.tar.gz # wget http://nginx.org/download/nginx-1.4.6.tar.gz # ./configure --sbin-path=/usr/sbin/nginx \ --conf-path=/etc/nginx/nginx.conf \ --pid-path=/var/run/nginx/nginx.pid \ --error-log-path=/var/log/nginx/error.log \ --http-log-path=/var/log/nginx/access.log \ --user=nginx --group=nginx \ --with-pcre=/root/pcre-8.35 \ --with-openssl=/root/openssl-1.0.1g \ --with-http_gzip_static_module \ --with-http_ssl_module # make # cp /usr/sbin/nginx /usr/sbin/nginxold # cp nginx-1.4.6/objs/nginx /usr/sbin/nginx 3. 重启nginx 附:使用自定义的OpenSSL库编译nginx # vi auto/lib/openssl/conf :31,34s/\/.openssl//g 修改 auto/lib/openssl/conf CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include" CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h" CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a" CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a" 为: CORE_INCS="$CORE_INCS $OPENSSL/include" CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h" CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a" CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a" 从新编译 ./configure --sbin-path=/usr/sbin/nginx \ --conf-path=/etc/nginx/nginx.conf \ --pid-path=/var/run/nginx/nginx.pid \ --error-log-path=/var/log/nginx/error.log \ --http-log-path=/var/log/nginx/access.log \ --user=nginx --group=nginx \ --with-pcre=/root/pcre-8.35 \ --with-http_gzip_static_module \ --with-http_ssl_module \ --with-openssl=/usr/local/ssl