Openssl patch

From HS Syswiki
(Difference between revisions)
(Automated Procedure)
 
(11 intermediate revisions by 2 users not shown)
Zeile 3: Zeile 3:
  
 
= Status = <!--T:1-->
 
= Status = <!--T:1-->
 +
;pending servers
 +
:tux113.hoststar.ch
 +
:tux117.hoststar.ch
 +
:tux121.hoststar.ch
 +
:tux123.hoststar.ch
 +
:tux125.hoststar.ch
 +
:tux127.hoststar.ch
 +
:tux129.hoststar.ch
 +
:tux133.hoststar.ch
 +
:tux135.hoststar.ch
 +
:tux137.hoststar.ch
 +
:tux141.hoststar.ch
 +
:tux143.hoststar.ch
 +
:tux145.hoststar.ch
 +
:tux147.hoststar.ch
 +
:tux149.hoststar.ch
 +
:tux161.hoststar.ch
 +
:tux165.hoststar.ch
 +
:tux169.hoststar.ch
 +
:tux171.hoststar.ch
 +
:tux175.hoststar.ch
 +
:tux177.hoststar.ch
 +
:tux181.hoststar.ch
 +
:tux183.hoststar.ch
 +
:tux185.hoststar.ch
 +
:tux187.hoststar.ch
 +
:tux189.hoststar.ch
 +
:tux191.hoststar.ch
 +
:tux201.hoststar.ch
 +
:tux203.hoststar.ch
 +
:tux205.hoststar.ch
 +
:tux207.hoststar.ch
 +
:tux209.hoststar.ch
 +
:tux211.hoststar.ch
 +
:tux213.hoststar.ch
 +
:tux215.hoststar.ch
 +
:tux217.hoststar.ch
 +
:tux221.hoststar.ch
 +
:tux223.hoststar.ch
 +
:tux227.hoststar.ch
 +
:tux229.hoststar.ch
 +
:tux231.hoststar.ch
 +
:tux233.hoststar.ch
 +
:tux235.hoststar.ch
 +
:tux237.hoststar.ch
 +
:tux241.hoststar.ch
 +
:tux243.hoststar.ch
 +
:tux249.hoststar.ch
 +
:tux251.hoststar.ch
 +
:tux253.hoststar.ch
 +
:tux265.hoststar.ch
 +
  
 
;already patched servers
 
;already patched servers
Zeile 8: Zeile 60:
 
:tux1.hoststar.ch until tux111.hoststar.ch
 
:tux1.hoststar.ch until tux111.hoststar.ch
  
 +
:tux131.hoststar.ch (22.09.2015)
 
:tux163.hoststar.ch
 
:tux163.hoststar.ch
 
:tux153.hoststar.ch
 
:tux153.hoststar.ch
 
:tux155.hoststar.ch
 
:tux155.hoststar.ch
 
:tux157.hoststar.ch
 
:tux157.hoststar.ch
 +
:tux167.hoststar.ch (01.10.2015)
 
:tux193.hoststar.ch
 
:tux193.hoststar.ch
 
:tux195.hoststar.ch
 
:tux195.hoststar.ch
 
:tux197.hoststar.ch
 
:tux197.hoststar.ch
 +
:tux245.hoststar.ch (26.11.2015)
 
:tux247.hoststar.ch
 
:tux247.hoststar.ch
 
:tux261.hoststar.ch
 
:tux261.hoststar.ch
 +
:tux267.hoststar.ch (19.09.2015)
 +
:tux269.hoststar.ch (19.09.2015)
 +
:tux271.hoststar.ch (19.09.2015)
 +
:tux273.hoststar.ch (19.09.2015)
 +
:tux275.hoststar.ch (18.09.2015)
 +
:tux277.hoststar.ch (18.09.2015)
 
:tux281.hoststar.ch
 
:tux281.hoststar.ch
 
:tux283.hoststar.ch
 
:tux283.hoststar.ch
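Review bot: only some of the newly added "already patched" entries (tux131, tux167, tux245, tux267 to tux277) carry a date, while the others added in this hunk carry none, so the list cannot be checked against what is actually installed. Record the date for every entry in the same "(DD.MM.YYYY)" form, and consider noting the verified package version next to it, e.g. ":tux245.hoststar.ch (26.11.2015, customopenssl-1.0.1j-3)", so a later audit with `rpm -q customopenssl` can confirm the status line.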
Zeile 36: Zeile 97:
 
;Reseller
 
;Reseller
 
:-done on all res server (09.09.2015)
 
:-done on all res server (09.09.2015)
 
 
  
 
= Known issues = <!--T:1-->
 
= Known issues = <!--T:1-->
Zeile 53: Zeile 112:
 
from bkp001, copy the rpm packages to the target server.
 
from bkp001, copy the rpm packages to the target server.
 
<syntaxhighlight lang="bash" style="font-size:9pt;">
 
<syntaxhighlight lang="bash" style="font-size:9pt;">
scp -rp /root/openssl_upgrade tuxNN:/usr/local/src/rpm/.
+
bash /root/tch/openssl_update/deploy tuxXX
 +
</syntaxhighlight>
 +
 
 +
or copy to multiple servers
 +
<syntaxhighlight lang="bash" style="font-size:9pt;">
 +
bash /root/tch/openssl_update/deploy tuxXX tuxXY tuxYY
 
</syntaxhighlight>
 
</syntaxhighlight>
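Review bot: the removed `scp -rp /root/openssl_upgrade tuxNN:/usr/local/src/rpm/.` line was the only place that stated where the packages end up on the target, and the manual procedure further down still relies on that location (`cd /usr/local/src/rpm/openssl_upgrade`). The new `bash /root/tch/openssl_update/deploy tuxXX` line should say what the deploy script copies and to which directory; note also that the script path uses `openssl_update` while every other path on the page uses `openssl_upgrade`, which is worth a sentence so readers do not assume a typo.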
  
Zeile 61: Zeile 125:
 
</syntaxhighlight>
 
</syntaxhighlight>
  
 +
or with the command
 +
<syntaxhighlight lang="bash" style="font-size:9pt;">
 +
hsbinunlock
 +
</syntaxhighlight>
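Review bot: `hsbinunlock` is added here as the alternative to the `chattr -i` line, but neither this hunk nor the rest of the page says how the immutable bit is put back once the RPMs are installed, so the binary directories stay writable after the upgrade unless someone remembers to re-lock them. Add the counterpart step (`chattr +i` over the same directory list, or the corresponding lock command if one exists alongside `hsbinunlock`) at the end of both the automated and the manual procedure.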
  
 
= Automated Procedure =
 
= Automated Procedure =
Zeile 67: Zeile 135:
 
The script writes a logfile to '''/var/tmp/openssl_upgrade.sh.log'''.
 
The script writes a logfile to '''/var/tmp/openssl_upgrade.sh.log'''.
  
== Manual Procedure ==
+
= Manual Procedure (INCOMPLETE)=
 
install the packages db43 and sqlite2
 
install the packages db43 and sqlite2
 
<syntaxhighlight lang="bash" style="font-size:9pt;">
 
<syntaxhighlight lang="bash" style="font-size:9pt;">
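Review bot: the new heading `= Manual Procedure (INCOMPLETE)=` is missing the space before the closing `=`; write it as `= Manual Procedure (INCOMPLETE) =` to match the other headings. Raising the level from `==` to `=` is fine, since Status, Known issues and Automated Procedure are all top-level, but the "(INCOMPLETE)" marker should be explained in the section body (which steps are missing) rather than only in the title.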
Zeile 268: Zeile 336:
 
</pre>
 
</pre>
 
Wichtig ist bei Protocol: '''TLSv1.2'''
 
Wichtig ist bei Protocol: '''TLSv1.2'''
 +
 +
 +
symlink für curl setzen
 +
<syntaxhighlight lang="bash" style="font-size:9pt;">
 +
ln -s /usr/local/bin/curl /usr/bin/curl
 +
</syntaxhighlight>
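Review bot: `ln -s /usr/local/bin/curl /usr/bin/curl` fails with "File exists" when `/usr/bin/curl` is already present, which is likely on a server where a curl package was installed before, so the step silently leaves the old binary in place. Use `ln -sf`, or move the existing file aside first, and mention that `rpm -V curl` will report the replaced path from then on so the discrepancy is not mistaken for tampering during a later integrity check.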

Current revision as of 26 November 2015, 15:02



Status

pending servers
tux113.hoststar.ch
tux117.hoststar.ch
tux121.hoststar.ch
tux123.hoststar.ch
tux125.hoststar.ch
tux127.hoststar.ch
tux129.hoststar.ch
tux133.hoststar.ch
tux135.hoststar.ch
tux137.hoststar.ch
tux141.hoststar.ch
tux143.hoststar.ch
tux145.hoststar.ch
tux147.hoststar.ch
tux149.hoststar.ch
tux161.hoststar.ch
tux165.hoststar.ch
tux169.hoststar.ch
tux171.hoststar.ch
tux175.hoststar.ch
tux177.hoststar.ch
tux181.hoststar.ch
tux183.hoststar.ch
tux185.hoststar.ch
tux187.hoststar.ch
tux189.hoststar.ch
tux191.hoststar.ch
tux201.hoststar.ch
tux203.hoststar.ch
tux205.hoststar.ch
tux207.hoststar.ch
tux209.hoststar.ch
tux211.hoststar.ch
tux213.hoststar.ch
tux215.hoststar.ch
tux217.hoststar.ch
tux221.hoststar.ch
tux223.hoststar.ch
tux227.hoststar.ch
tux229.hoststar.ch
tux231.hoststar.ch
tux233.hoststar.ch
tux235.hoststar.ch
tux237.hoststar.ch
tux241.hoststar.ch
tux243.hoststar.ch
tux249.hoststar.ch
tux251.hoststar.ch
tux253.hoststar.ch
tux265.hoststar.ch


already patched servers
CH
tux1.hoststar.ch until tux111.hoststar.ch
tux131.hoststar.ch (22.09.2015)
tux163.hoststar.ch
tux153.hoststar.ch
tux155.hoststar.ch
tux157.hoststar.ch
tux167.hoststar.ch (01.10.2015)
tux193.hoststar.ch
tux195.hoststar.ch
tux197.hoststar.ch
tux245.hoststar.ch (26.11.2015)
tux247.hoststar.ch
tux261.hoststar.ch
tux267.hoststar.ch (19.09.2015)
tux269.hoststar.ch (19.09.2015)
tux271.hoststar.ch (19.09.2015)
tux273.hoststar.ch (19.09.2015)
tux275.hoststar.ch (18.09.2015)
tux277.hoststar.ch (18.09.2015)
tux281.hoststar.ch
tux283.hoststar.ch
tux285.hoststar.ch
tux287.hoststar.ch
tux289.hoststar.ch
tux291.hoststar.ch
tux293.hoststar.ch
tux295.hoststar.ch
tux297.hoststar.ch
tux301.hoststar.ch
tux303.hoststar.ch
tux305.hoststar.ch
tux307.hoststar.ch
AT
-done on all at server (09.09.2015)
Reseller
-done on all res server (09.09.2015)

Known issues

  • courier problem with gid
    • only on tux11, tux17 and tux37, group id for poponly is wrong (502 instead of 102)
  • popauth.db error messages
  • courier-authlib not starting at boot
  • php.ini settings php module missing
  • php.ini settings php53spez missing
  • php.ini settings php54spez missing
  • php56 ioncube, imagick missing
  • php54spez mysqli not working

Prerequisites

From bkp001, copy the RPM packages to the target server:

bash /root/tch/openssl_update/deploy tuxXX

or, to copy to several servers in one run:

bash /root/tch/openssl_update/deploy tuxXX tuxXY tuxYY

Unlock these directories (remove the immutable attribute so the RPMs can overwrite the binaries):

chattr -i /usr/local/proftpd/bin /sbin /usr/sbin /usr/local/sbin /usr/local/bin /usr/bin /usr/X11R6/bin /bin

or with the command:

hsbinunlock
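The `chattr -i` step above removes the immutable bit from the binary directories, and the page does not name a step that puts it back. The following is an added example, not a script from the wiki or from the hoststar tooling: it parses `lsattr -d` output and reports which of the directories from the page's own list are still unlocked, so the check can be run at the end of an upgrade. The sample `lsattr` lines are constructed for the self-test; the live check assumes `lsattr` is available and is run as root on an ext filesystem.

```sh
#!/bin/sh
# Added example (not part of the wiki page): verify that the directories the
# upgrade procedure unlocks with `chattr -i` carry the immutable bit again.

# Directory list copied from the page's `chattr -i` line.
HS_LOCKED_DIRS="/usr/local/proftpd/bin /sbin /usr/sbin /usr/local/sbin /usr/local/bin /usr/bin /usr/X11R6/bin /bin"

# immutable_state reads `lsattr -d` lines on stdin ("----i--------e-- /bin")
# and prints one "<dir> locked|UNLOCKED" line per input line. Only the
# lowercase 'i' flag means immutable; the case match is case-sensitive.
immutable_state() {
    while read -r flags path; do
        case "$flags" in
            *i*) printf '%s locked\n' "$path" ;;
            *)   printf '%s UNLOCKED\n' "$path" ;;
        esac
    done
}

# count_unlocked prints how many UNLOCKED entries the lsattr input on stdin has.
count_unlocked() {
    immutable_state | awk '$2 == "UNLOCKED" { n++ } END { print n + 0 }'
}

# unlocked_dirs queries the real directories (root, ext filesystem) and prints
# those that are not immutable; exits 0 only when the whole list is locked.
unlocked_dirs() {
    lsattr -d $HS_LOCKED_DIRS 2>/dev/null | immutable_state | awk '
        $2 == "UNLOCKED" { print $1; n++ }
        END { exit (n > 0) }'
}

# Constructed sample of lsattr -d output (not captured from a real server).
SAMPLE_LSATTR='----i--------e-- /bin
-------------e-- /usr/bin
----i--------e-- /sbin'

# Usage: sh lockcheck.sh --live   (as root) lists directories still unlocked.
if [ "${1:-}" = "--live" ]; then
    unlocked_dirs
fi
```

Running it with `--live` after `hsbinunlock` and the RPM installs gives the list of directories that still need `chattr +i`; an empty list and exit status 0 mean the protection is back in place.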

Automated Procedure

You can use the script openssl_upgrade.sh, which should perform all of the following steps:

/usr/local/src/rpm/openssl_upgrade/upgrade.sh

The script writes a log file to /var/tmp/openssl_upgrade.sh.log.

Manual Procedure (INCOMPLETE)

Install the packages db43 and sqlite2:

zypper -n install db43 sqlite2

Install the customopenssl RPM:

cd /usr/local/src/rpm/openssl_upgrade
rpm -iHv customopenssl-1.0.1j-3.x86_64.rpm

Back up the old apache2 configuration files and stop the service:

MYDATE=$(date +%Y%m%d)
cp -rp /usr/local/apache2/conf /usr/local/apache_conf.$MYDATE
/etc/init.d/apache2 stop

Install the following RPMs for apache2 (prefork variant, then the APR packages, then the worker variant):

rpm -Uhv apache2-2.2.29-3.x86_64.rpm apache2-modsecurity-2.6.8-4.x86_64.rpm apache2-php-5.2.17-module.58.x86_64.rpm apache2-php52-gd-5.2.17-2.x86_64.rpm apache2-php52-spez-5.2.17-2.x86_64.rpm apache2-php53-5.3.29-2.x86_64.rpm apache2-php53-spez-5.3.29-2.x86_64.rpm apache2-php54-5.4.35-2.x86_64.rpm apache2-php54-spez-5.4.35-2.x86_64.rpm apache2-php55-5.5.19-2.x86_64.rpm apache2-php56-5.6.3-2.x86_64.rpm apache2-utils-2.2.29-3.x86_64.rpm apache2-prefork-2.2.29-3.x86_64.rpm
rpm -Uhv *apr*

rpm -Uhv apache2-2.2.29-3.x86_64.rpm apache2-modsecurity-2.6.8-4.x86_64.rpm apache2-php-5.2.17-module.58.x86_64.rpm apache2-php52-gd-5.2.17-2.x86_64.rpm apache2-php52-spez-5.2.17-2.x86_64.rpm apache2-php53-5.3.29-2.x86_64.rpm apache2-php53-spez-5.3.29-2.x86_64.rpm apache2-php54-5.4.35-2.x86_64.rpm apache2-php54-spez-5.4.35-2.x86_64.rpm apache2-php55-5.5.19-2.x86_64.rpm apache2-php56-5.6.3-2.x86_64.rpm apache2-utils-2.2.29-3.x86_64.rpm apache2-worker-2.2.29-3.x86_64.rpm

sed -i "s/HTTPD=.*/HTTPD\='\/usr\/local\/apache2-2.2.29\/sbin\/httpd2-prefork'/" /usr/local/apache2/sbin/apache2ctl
mv /usr/local/apache2/conf /usr/local/apache2/conf.orig 
cp -rp /usr/local/apache_conf.$MYDATE /usr/local/apache2/conf

Comment out the following lines in /usr/local/apache2/conf/httpd.conf, then install the remaining modules:

#LoadModule ldap_module             lib64/apache2-prefork/mod_ldap.so
#LoadModule authnz_ldap_module      lib64/apache2-prefork/mod_authnz_ldap.so
rpm -Uhv apache2-mod_bw-0.7-2.x86_64.rpm apache2-confixx-suexec-1.0.8-25.x86_64.rpm

Restart apache2:

/etc/init.d/apache2 restart

proftpd

cd /usr/local/src/rpm/openssl_upgrade
rm -rf /usr/local/proftpd_etc_backup
cp -rp /usr/local/proftpd/etc /usr/local/proftpd_etc_backup
chown root.root /usr/local/proftpd_etc_backup
chmod 700 /usr/local/proftpd_etc_backup
rpm -UHv proftpd-1.3.5-2.x86_64.rpm
if test -h /usr/local/proftpd ; then rm /usr/local/proftpd ; fi
ln -s /usr/local/proftpd-1.3.5 /usr/local/proftpd
 
cp -rp /usr/local/proftpd_etc_backup/* /usr/local/proftpd/etc/.
sed -i "s/TLSProtocol.*/TLSProtocol TLSv1 TLSv1.1 TLSv1.2/g" /usr/local/proftpd/etc/proftpd.conf
chmod 440 /usr/local/proftpd/etc/virtualpasswd
/etc/init.d/proftpd restart

sasl

cd /usr/local/src/rpm/openssl_upgrade
rpm -Uhv --nodeps cyrus-sasl-*
rpm -e --nodeps cyrus-sasl-32bit-2.1.22-82
ln -s /usr/lib64/libsasl2.so.3.0.0 /usr/lib64/libsasl2.so.2
/etc/init.d/saslauthd stop
/etc/init.d/saslauthd start

sendmail

cd /usr/local/src/rpm/openssl_upgrade
cp -rp /etc/mail /etc/sendmail_mail_backup
chown root.root /etc/sendmail_mail_backup
chmod 700 /etc/sendmail_mail_backup
cp /usr/share/ssl/certs/* /usr/local/ssl/certs/.
rpm -Uhv sendmail-8.14.9-1.x86_64.rpm
cp -rp /etc/sendmail_mail_backup/* /etc/mail/.
cd /etc/mail
newaliases
rm *.db
make
sed -i "s/\/usr\/share\/ssl\/certs/\/usr\/local\/ssl\/certs/g" /etc/mail/sendmail.cf
/etc/init.d/sendmail stop
/etc/init.d/sendmail start

courier-authlib / courier-imap (consider making a mail backup first!!!)

cd /usr/local/src/rpm/openssl_upgrade
ln -s /usr/local/sbin/courierlogger /usr/sbin/courierlogger
cp -rp /etc/courier-imap /etc/courier_imap_etc_backup
chown root.root /etc/courier_imap_etc_backup
chmod 700 /etc/courier_imap_etc_backup
cp -rp /etc/authlib /etc/authlib_etc_backup
chown root.root /etc/authlib_etc_backup
chmod 700 /etc/authlib_etc_backup
rpm -Uhv courier-authlib-0.66.1-13.x86_64.rpm courier-unicode-1.1-1.x86_64.rpm courier-authlib-userdb-0.66.1-13.x86_64.rpm courier-imap-4.15.1-1.suse1030.x86_64.rpm
# do not force TLS for IMAP/POP3 logins (the variable name must stay POP3_TLS_REQUIRED)
sed -i "s/IMAP_TLS_REQUIRED=.*/IMAP_TLS_REQUIRED=0/g" /etc/courier-imap/imapd-ssl
sed -i "s/POP3_TLS_REQUIRED=.*/POP3_TLS_REQUIRED=0/g" /etc/courier-imap/pop3d-ssl

# offer TLS 1.2 first, then 1.1 and 1.0, for the SSL ports
sed -i "s/TLS_PROTOCOL=.*/TLS_PROTOCOL=\"TLS1_2:TLS1_1:TLS1_0\"/g" /etc/courier-imap/imapd-ssl
sed -i "s/TLS_PROTOCOL=.*/TLS_PROTOCOL=\"TLS1_2:TLS1_1:TLS1_0\"/g" /etc/courier-imap/pop3d-ssl

# STARTTLS on the plain ports uses TLS 1.2 only
sed -i "s/TLS_STARTTLS_PROTOCOL=.*/TLS_STARTTLS_PROTOCOL=TLS1_2/g" /etc/courier-imap/imapd-ssl
sed -i "s/TLS_STARTTLS_PROTOCOL=.*/TLS_STARTTLS_PROTOCOL=TLS1_2/g" /etc/courier-imap/pop3d-ssl
cp /etc/rc.d/init.d/courier-authlib /etc/init.d/.
chmod 755 /etc/init.d/courier-authlib

# restore the authlib configuration from the backup taken above
cp -rp /etc/authlib_etc_backup/* /etc/authlib/.


Change the DH parameter size in mkdhparams to BITS=2048, run the script to regenerate the parameters, and restart the services:

sed -i 's|BITS=768|BITS=2048|g' /usr/lib/courier-imap/share/mkdhparams
/usr/lib/courier-imap/share/mkdhparams
/etc/init.d/courier-imap restart
/etc/init.d/courier-authlib restart
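The proftpd, sendmail and courier steps above all rewrite configuration files with `sed -i`, and a sed that silently matches nothing leaves the old setting in place. The following is an added example, not a script from the wiki or from the hoststar tooling: it audits the files the page edits for the values the page expects and returns the number of failures. The paths and expected values are taken from the commands on this page; the sample configuration fragments written by `write_sample_configs` are constructed so the audit can be exercised on a workstation against a temporary directory instead of `/`.

```sh
#!/bin/sh
# Added example (not part of the wiki page): audit the settings that the
# manual procedure rewrites with sed, without re-running the edits.

# setting_matches file regex: succeeds if a non-comment line of file matches.
setting_matches() {
    file=$1; regex=$2
    [ -r "$file" ] && grep -v '^[[:space:]]*#' "$file" | grep -Eq -- "$regex"
}

# audit_file label file regex: prints OK/FAIL for one setting, returns 1 on FAIL.
audit_file() {
    label=$1; file=$2; regex=$3
    if setting_matches "$file" "$regex"; then
        printf 'OK   %s (%s)\n' "$label" "$file"
    else
        printf 'FAIL %s (%s)\n' "$label" "$file"
        return 1
    fi
}

# audit_server root: checks the page's expected values below root ("/" on a
# real server, a temp dir in the self-test). Returns the number of failures.
audit_server() {
    r=${1:-}; fails=0
    audit_file "proftpd TLSProtocol" "$r/usr/local/proftpd/etc/proftpd.conf" \
        '^TLSProtocol[[:space:]]+TLSv1[[:space:]]+TLSv1\.1[[:space:]]+TLSv1\.2$' || fails=$((fails+1))
    for f in imapd-ssl pop3d-ssl; do
        audit_file "$f TLS_PROTOCOL" "$r/etc/courier-imap/$f" \
            '^TLS_PROTOCOL="TLS1_2:TLS1_1:TLS1_0"$' || fails=$((fails+1))
        audit_file "$f TLS_STARTTLS_PROTOCOL" "$r/etc/courier-imap/$f" \
            '^TLS_STARTTLS_PROTOCOL=TLS1_2$' || fails=$((fails+1))
    done
    audit_file "sendmail cert dir" "$r/etc/mail/sendmail.cf" \
        '/usr/local/ssl/certs' || fails=$((fails+1))
    # the sed on the page replaces the old path; any remaining hit is a failure
    if setting_matches "$r/etc/mail/sendmail.cf" '/usr/share/ssl/certs'; then
        printf 'FAIL sendmail.cf still references /usr/share/ssl/certs\n'
        fails=$((fails+1))
    fi
    audit_file "mkdhparams BITS" "$r/usr/lib/courier-imap/share/mkdhparams" \
        '^[[:space:]]*BITS=2048$' || fails=$((fails+1))
    return $fails
}

# write_sample_configs root: writes CONSTRUCTED config fragments (not real
# server files) under root, all set the way the page expects after the upgrade.
write_sample_configs() {
    r=$1
    mkdir -p "$r/usr/local/proftpd/etc" "$r/etc/courier-imap" \
             "$r/etc/mail" "$r/usr/lib/courier-imap/share"
    printf '# constructed sample\nTLSProtocol TLSv1 TLSv1.1 TLSv1.2\n' \
        > "$r/usr/local/proftpd/etc/proftpd.conf"
    for f in imapd-ssl pop3d-ssl; do
        printf 'TLS_PROTOCOL="TLS1_2:TLS1_1:TLS1_0"\nTLS_STARTTLS_PROTOCOL=TLS1_2\n' \
            > "$r/etc/courier-imap/$f"
    done
    printf 'O CACertPath=/usr/local/ssl/certs\n' > "$r/etc/mail/sendmail.cf"
    printf 'BITS=2048\n' > "$r/usr/lib/courier-imap/share/mkdhparams"
}

# Usage: sh audit.sh --audit   (on the upgraded server) prints one line per setting.
if [ "${1:-}" = "--audit" ]; then
    audit_server /
fi
```

The exit status of `audit_server` is the number of settings that did not match, so the script can be wired into the page's logfile step or into a monitoring check that expects 0.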

bind

cd /usr/local/src/rpm/openssl_upgrade
rpm -Uhv bind-9.10.1-1.x86_64.rpm
# make courier-authlib start at boot (see "Known issues")
chkconfig courier-authlib on

curl

cd /usr/local/src/rpm/openssl_upgrade
rpm -Uvh libcurl4-7.44.0-1.1.x86_64.rpm curl-7.44.0-1.1.x86_64.rpm curl-ca-bundle-7.44.0-1.1.x86_64.rpm

In the file /usr/local/nagios/libexec/check_bac_procs, add the following line: 'couriertls -statusfd=7 -printx509=9 -localfd=5 -tcpd -server'.

Test (when testing from a production hosting server, the new OpenSSL client under "/usr/local/ssl/bin" must be used):

openssl s_client -showcerts -connect login-21.loginserver.ch:995

This should produce the following output:

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit 
Secure Renegotiation IS supported 
Compression: NONE 
Expansion: NONE 
SSL-Session: 
    Protocol  : TLSv1.2

Important: the Protocol line must show TLSv1.2.
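Reading the Protocol line by eye works for one server; for the whole list in the Status section it helps to have the same check as a script. The following is an added example, not part of the wiki page: it extracts the `Protocol` value from `openssl s_client` output and fails unless it is TLSv1.2, preferring the upgraded client under /usr/local/ssl/bin as the page requires. The two `SAMPLE_*` strings are constructed fragments of s_client output used for the self-test, not captures from login-21.loginserver.ch; `check_tls12` performs a real connection and so needs network access.

```sh
#!/bin/sh
# Added example (not part of the wiki page): confirm that a service negotiates
# TLSv1.2 the way the page's manual s_client test expects.

# sclient_protocol reads `openssl s_client` output on stdin and prints the
# value of the "Protocol  : ..." line from the SSL-Session block.
sclient_protocol() {
    sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# is_tls12 succeeds when the s_client output on stdin reports TLSv1.2.
is_tls12() {
    [ "$(sclient_protocol)" = "TLSv1.2" ]
}

# openssl_bin prints the client to use: the page says tests from a production
# hosting server must use the upgraded client in /usr/local/ssl/bin.
openssl_bin() {
    if [ -x /usr/local/ssl/bin/openssl ]; then
        echo /usr/local/ssl/bin/openssl
    else
        echo openssl
    fi
}

# check_tls12 host port: connects with s_client and reports the negotiated
# protocol; returns 1 unless it is TLSv1.2 (or the connection failed).
check_tls12() {
    host=$1; port=$2
    proto=$("$(openssl_bin)" s_client -connect "$host:$port" </dev/null 2>/dev/null \
        | sclient_protocol)
    if [ "$proto" = "TLSv1.2" ]; then
        printf '%s:%s OK (%s)\n' "$host" "$port" "$proto"
    else
        printf '%s:%s FAIL (got "%s")\n' "$host" "$port" "$proto"
        return 1
    fi
}

# Constructed samples of the relevant part of s_client output (not real captures).
SAMPLE_GOOD='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384'
SAMPLE_BAD='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA'

# Usage: sh tlscheck.sh login-21.loginserver.ch 995
if [ $# -eq 2 ]; then
    check_tls12 "$1" "$2"
fi
```

Looping `check_tls12` over the hostnames in the Status section gives a quick way to confirm that the "already patched" entries really serve TLSv1.2 on port 995.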


Set the symlink for curl:

ln -s /usr/local/bin/curl /usr/bin/curl