Openssl patch
Dna (talk | contribs)
Current version as of 26 November 2015, 15:02
Status
- pending servers
- tux113.hoststar.ch
- tux117.hoststar.ch
- tux121.hoststar.ch
- tux123.hoststar.ch
- tux125.hoststar.ch
- tux127.hoststar.ch
- tux129.hoststar.ch
- tux133.hoststar.ch
- tux135.hoststar.ch
- tux137.hoststar.ch
- tux141.hoststar.ch
- tux143.hoststar.ch
- tux145.hoststar.ch
- tux147.hoststar.ch
- tux149.hoststar.ch
- tux161.hoststar.ch
- tux165.hoststar.ch
- tux169.hoststar.ch
- tux171.hoststar.ch
- tux175.hoststar.ch
- tux177.hoststar.ch
- tux181.hoststar.ch
- tux183.hoststar.ch
- tux185.hoststar.ch
- tux187.hoststar.ch
- tux189.hoststar.ch
- tux191.hoststar.ch
- tux201.hoststar.ch
- tux203.hoststar.ch
- tux205.hoststar.ch
- tux207.hoststar.ch
- tux209.hoststar.ch
- tux211.hoststar.ch
- tux213.hoststar.ch
- tux215.hoststar.ch
- tux217.hoststar.ch
- tux221.hoststar.ch
- tux223.hoststar.ch
- tux227.hoststar.ch
- tux229.hoststar.ch
- tux231.hoststar.ch
- tux233.hoststar.ch
- tux235.hoststar.ch
- tux237.hoststar.ch
- tux241.hoststar.ch
- tux243.hoststar.ch
- tux249.hoststar.ch
- tux251.hoststar.ch
- tux253.hoststar.ch
- tux265.hoststar.ch
- already patched servers
- CH
- tux1.hoststar.ch until tux111.hoststar.ch
- tux131.hoststar.ch (22.09.2015)
- tux163.hoststar.ch
- tux153.hoststar.ch
- tux155.hoststar.ch
- tux157.hoststar.ch
- tux167.hoststar.ch (01.10.2015)
- tux193.hoststar.ch
- tux195.hoststar.ch
- tux197.hoststar.ch
- tux245.hoststar.ch (26.11.2015)
- tux247.hoststar.ch
- tux261.hoststar.ch
- tux267.hoststar.ch (19.09.2015)
- tux269.hoststar.ch (19.09.2015)
- tux271.hoststar.ch (19.09.2015)
- tux273.hoststar.ch (19.09.2015)
- tux275.hoststar.ch (18.09.2015)
- tux277.hoststar.ch (18.09.2015)
- tux281.hoststar.ch
- tux283.hoststar.ch
- tux285.hoststar.ch
- tux287.hoststar.ch
- tux289.hoststar.ch
- tux291.hoststar.ch
- tux293.hoststar.ch
- tux295.hoststar.ch
- tux297.hoststar.ch
- tux301.hoststar.ch
- tux303.hoststar.ch
- tux305.hoststar.ch
- tux307.hoststar.ch
- AT
- done on all AT servers (09.09.2015)
- Reseller
- done on all reseller servers (09.09.2015)
Known issues
- courier problem with gid
- only on tux11, tux17 and tux37, group id for poponly is wrong (502 instead of 102)
- popauth.db error messages
- Resolved (struck through on the page):
  - courier-authlib not starting at boot
  - php.ini settings php module missing
  - php.ini settings php53spez missing
  - php.ini settings php54spez missing
  - php56 ioncube, imagick missing
  - php54spez mysqli not working
Prerequisites
From bkp001, copy the RPM packages to the target server:
bash /root/tch/openssl_update/deploy tuxXX
or copy them to multiple servers at once:
bash /root/tch/openssl_update/deploy tuxXX tuxXY tuxYY
Remove the immutable flag from these directories (they are otherwise write-protected with chattr +i):
chattr -i /usr/local/proftpd/bin /sbin /usr/sbin /usr/local/sbin /usr/local/bin /usr/bin /usr/X11R6/bin /bin
or with the command
hsbinunlock
Automated Procedure
You can use the script openssl_upgrade.sh, which should perform all of the following steps:
/usr/local/src/rpm/openssl_upgrade/upgrade.sh
The script writes a logfile to /var/tmp/openssl_upgrade.sh.log.
Manual Procedure (INCOMPLETE)
Install the packages db43 and sqlite2:
zypper -n install db43 sqlite2
Install the customopenssl RPM:
cd /usr/local/src/rpm/openssl_upgrade
rpm -iHv customopenssl-1.0.1j-3.x86_64.rpm
Back up the old apache2 configuration files and stop the service:
MYDATE=$(date +%Y%m%d)
cp -rp /usr/local/apache2/conf /usr/local/apache_conf.$MYDATE
/etc/init.d/apache2 stop
Install the following RPMs for apache2:
rpm -Uhv apache2-2.2.29-3.x86_64.rpm apache2-modsecurity-2.6.8-4.x86_64.rpm apache2-php-5.2.17-module.58.x86_64.rpm apache2-php52-gd-5.2.17-2.x86_64.rpm apache2-php52-spez-5.2.17-2.x86_64.rpm apache2-php53-5.3.29-2.x86_64.rpm apache2-php53-spez-5.3.29-2.x86_64.rpm apache2-php54-5.4.35-2.x86_64.rpm apache2-php54-spez-5.4.35-2.x86_64.rpm apache2-php55-5.5.19-2.x86_64.rpm apache2-php56-5.6.3-2.x86_64.rpm apache2-utils-2.2.29-3.x86_64.rpm apache2-prefork-2.2.29-3.x86_64.rpm
rpm -Uhv *apr*
rpm -Uhv apache2-2.2.29-3.x86_64.rpm apache2-modsecurity-2.6.8-4.x86_64.rpm apache2-php-5.2.17-module.58.x86_64.rpm apache2-php52-gd-5.2.17-2.x86_64.rpm apache2-php52-spez-5.2.17-2.x86_64.rpm apache2-php53-5.3.29-2.x86_64.rpm apache2-php53-spez-5.3.29-2.x86_64.rpm apache2-php54-5.4.35-2.x86_64.rpm apache2-php54-spez-5.4.35-2.x86_64.rpm apache2-php55-5.5.19-2.x86_64.rpm apache2-php56-5.6.3-2.x86_64.rpm apache2-utils-2.2.29-3.x86_64.rpm apache2-worker-2.2.29-3.x86_64.rpm
sed -i "s/HTTPD=.*/HTTPD\='\/usr\/local\/apache2-2.2.29\/sbin\/httpd2-prefork'/" /usr/local/apache2/sbin/apache2ctl
mv /usr/local/apache2/conf /usr/local/apache2/conf.orig
cp -rp /usr/local/apache_conf.$MYDATE /usr/local/apache2/conf
Comment out the following lines in /usr/local/apache2/conf/httpd.conf:
#LoadModule ldap_module lib64/apache2-prefork/mod_ldap.so
#LoadModule authnz_ldap_module lib64/apache2-prefork/mod_authnz_ldap.so
rpm -Uhv apache2-mod_bw-0.7-2.x86_64.rpm apache2-confixx-suexec-1.0.8-25.x86_64.rpm
Restart apache2:
/etc/init.d/apache2 restart
proftpd
cd /usr/local/src/rpm/openssl_upgrade
rm -rf /usr/local/proftpd_etc_backup
cp -rp /usr/local/proftpd/etc /usr/local/proftpd_etc_backup
chown root.root /usr/local/proftpd_etc_backup
chmod 700 /usr/local/proftpd_etc_backup
rpm -UHv proftpd-1.3.5-2.x86_64.rpm
if test -h /usr/local/proftpd ; then rm /usr/local/proftpd ; fi
ln -s /usr/local/proftpd-1.3.5 /usr/local/proftpd
cp -rp /usr/local/proftpd_etc_backup/* /usr/local/proftpd/etc/.
sed -i "s/TLSProtocol.*/TLSProtocol TLSv1 TLSv1.1 TLSv1.2/g" /usr/local/proftpd/etc/proftpd.conf
chmod 440 /usr/local/proftpd/etc/virtualpasswd
/etc/init.d/proftpd restart
sasl
cd /usr/local/src/rpm/openssl_upgrade
rpm -Uhv --nodeps cyrus-sasl-*
rpm -e --nodeps cyrus-sasl-32bit-2.1.22-82
ln -s /usr/lib64/libsasl2.so.3.0.0 /usr/lib64/libsasl2.so.2
/etc/init.d/saslauthd stop
/etc/init.d/saslauthd start
sendmail
cd /usr/local/src/rpm/openssl_upgrade
cp -rp /etc/mail /etc/sendmail_mail_backup
chown root.root /etc/sendmail_mail_backup
chmod 700 /etc/sendmail_mail_backup
cp /usr/share/ssl/certs/* /usr/local/ssl/certs/.
rpm -Uhv sendmail-8.14.9-1.x86_64.rpm
cp -rp /etc/sendmail_mail_backup/* /etc/mail/.
cd /etc/mail
newaliases
rm *.db
make
sed -i "s/\/usr\/share\/ssl\/certs/\/usr\/local\/ssl\/certs/g" /etc/mail/sendmail.cf
/etc/init.d/sendmail stop
/etc/init.d/sendmail start
courier-authlib / courier-imap (consider making an email backup first!!!)
cd /usr/local/src/rpm/openssl_upgrade
ln -s /usr/local/sbin/courierlogger /usr/sbin/courierlogger
cp -rp /etc/courier-imap /etc/courier_imap_etc_backup
chown root.root /etc/courier_imap_etc_backup
chmod 700 /etc/courier_imap_etc_backup
cp -rp /etc/authlib /etc/authlib_etc_backup
chown root.root /etc/authlib_etc_backup
chmod 700 /etc/authlib_etc_backup
rpm -Uhv courier-authlib-0.66.1-13.x86_64.rpm courier-unicode-1.1-1.x86_64.rpm courier-authlib-userdb-0.66.1-13.x86_64.rpm courier-imap-4.15.1-1.suse1030.x86_64.rpm
sed -i "s/IMAP_TLS_REQUIRED=.*/IMAP_TLS_REQUIRED=0/g" /etc/courier-imap/imapd-ssl
sed -i "s/POP3_TLS_REQUIRED=.*/POP3_TLS_REQUIRED=0/g" /etc/courier-imap/pop3d-ssl
sed -i "s/TLS_PROTOCOL=.*/TLS_PROTOCOL=\"TLS1_2:TLS1_1:TLS1_0\"/g" /etc/courier-imap/imapd-ssl
sed -i "s/TLS_PROTOCOL=.*/TLS_PROTOCOL=\"TLS1_2:TLS1_1:TLS1_0\"/g" /etc/courier-imap/pop3d-ssl
sed -i "s/TLS_STARTTLS_PROTOCOL=.*/TLS_STARTTLS_PROTOCOL=TLS1_2/g" /etc/courier-imap/imapd-ssl
sed -i "s/TLS_STARTTLS_PROTOCOL=.*/TLS_STARTTLS_PROTOCOL=TLS1_2/g" /etc/courier-imap/pop3d-ssl
cp /etc/rc.d/init.d/courier-authlib /etc/init.d/.
chmod 755 /etc/init.d/courier-authlib
cp -rp /etc/authlib_etc_backup/* /etc/authlib/.
Change BITS to 2048 in mkdhparams and then run the script:
sed -i 's|BITS=768|BITS=2048|g' /usr/lib/courier-imap/share/mkdhparams
/usr/lib/courier-imap/share/mkdhparams
/etc/init.d/courier-imap restart
/etc/init.d/courier-authlib restart
bind
cd /usr/local/src/rpm/openssl_upgrade
rpm -Uhv bind-9.10.1-1.x86_64.rpm
chkconfig courier-authlib on
curl
cd /usr/local/src/rpm/openssl_upgrade
rpm -Uvh libcurl4-7.44.0-1.1.x86_64.rpm curl-7.44.0-1.1.x86_64.rpm curl-ca-bundle-7.44.0-1.1.x86_64.rpm
Insert the following line into the file /usr/local/nagios/libexec/check_bac_procs:
'couriertls -statusfd=7 -printx509=9 -localfd=5 -tcpd -server',
Test (when testing from a hosting production server, the new OpenSSL client under "/usr/local/ssl/bin" must be used):
openssl s_client -showcerts -connect login-21.loginserver.ch:995
This should produce the following output:
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
The important part is Protocol: TLSv1.2.
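As an added example (not part of the wiki page), the test step above scripted so it can be run against a list of patched hosts: it assumes the client path /usr/local/ssl/bin/openssl and port 995 from the page, and the two s_client outputs embedded in it are constructed samples, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the wiki page: automate the runbook's final check
# that a patched host negotiates TLSv1.2 with openssl s_client.
# Assumes /usr/local/ssl/bin/openssl and port 995 as given in the test step.

OPENSSL=/usr/local/ssl/bin/openssl          # new client, required on production hosts
[ -x "$OPENSSL" ] || OPENSSL=openssl        # otherwise fall back to the one in PATH

# Constructed sample matching the expected output shown on the page.
SAMPLE_OK='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2'
# Constructed sample of an unpatched host that still negotiates plain TLSv1.
SAMPLE_OLD='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1'

# tls_protocol_ok OUTPUT: returns 0 only when "Protocol : TLSv1.2" was reported.
tls_protocol_ok() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*TLSv1\.2[[:space:]]*$'
}

# tls_cipher OUTPUT: prints the negotiated cipher taken from the "Cipher is" line.
tls_cipher() {
    printf '%s\n' "$1" | sed -n 's/^New, .*Cipher is \([^ ]*\).*/\1/p' | head -n 1
}

# check_host HOST [PORT]: connect, print "HOST:PORT ok|FAIL ...", and return 0
# only when TLSv1.2 was negotiated. stdin is closed so s_client does not hang.
check_host() {
    host=$1; port=${2:-995}
    out=$("$OPENSSL" s_client -showcerts -connect "$host:$port" </dev/null 2>&1) || true
    if tls_protocol_ok "$out"; then
        echo "$host:$port ok $(tls_cipher "$out")"
    else
        echo "$host:$port FAIL $(printf '%s\n' "$out" | grep 'Protocol' | head -n 1)"
        return 1
    fi
}

# Usage: sh check_tls.sh tux1.hoststar.ch tux3.hoststar.ch ...
for h in "$@"; do check_host "$h" || echo "$h still needs the patch"; done
```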
Set the symlink for curl:
ln -s /usr/local/bin/curl /usr/bin/curl