Openssl patch – HS Syswiki

Openssl patch

From HS Syswiki

Revision as of 11 September 2015, 09:24


From bkp001, copy the RPM packages to the target server:

scp -rp /root/openssl_upgrade tuxNN:/usr/local/src/rpm/.

Unlock these directories (remove the immutable attribute) so the RPMs can be installed:

chattr -i /usr/local/proftpd/bin /sbin /usr/sbin /usr/local/sbin /usr/local/bin /usr/bin /usr/X11R6/bin /bin


Automated Procedure

You can use the script openssl_upgrade.sh, which should perform all of the following steps:

/usr/local/src/rpm/openssl_upgrade/upgrade.sh

The script writes a logfile to /var/tmp/openssl_upgrade.sh.log.

Manual Procedure

install the packages db43 and sqlite2

zypper -n install db43 sqlite2

install customopenssl rpm

cd /usr/local/src/rpm/openssl_upgrade
rpm -iHv customopenssl-1.0.1j-3.x86_64.rpm

Back up the old apache2 configuration files and stop the service:

MYDATE=$(date +%Y%m%d)
cp -rp /usr/local/apache2/conf /usr/local/apache_conf.$MYDATE
/etc/init.d/apache2 stop

Install the following RPMs for apache2 (the first command is the prefork MPM set, the second the worker MPM set):

rpm -Uhv apache2-2.2.29-3.x86_64.rpm apache2-modsecurity-2.6.8-4.x86_64.rpm apache2-php-5.2.17-module.58.x86_64.rpm apache2-php52-gd-5.2.17-2.x86_64.rpm apache2-php52-spez-5.2.17-2.x86_64.rpm apache2-php53-5.3.29-2.x86_64.rpm apache2-php53-spez-5.3.29-2.x86_64.rpm apache2-php54-5.4.35-2.x86_64.rpm apache2-php54-spez-5.4.35-2.x86_64.rpm apache2-php55-5.5.19-2.x86_64.rpm apache2-php56-5.6.3-2.x86_64.rpm apache2-utils-2.2.29-3.x86_64.rpm apache2-prefork-2.2.29-3.x86_64.rpm
rpm -Uhv *apr*

rpm -Uhv apache2-2.2.29-3.x86_64.rpm apache2-modsecurity-2.6.8-4.x86_64.rpm apache2-php-5.2.17-module.58.x86_64.rpm apache2-php52-gd-5.2.17-2.x86_64.rpm apache2-php52-spez-5.2.17-2.x86_64.rpm apache2-php53-5.3.29-2.x86_64.rpm apache2-php53-spez-5.3.29-2.x86_64.rpm apache2-php54-5.4.35-2.x86_64.rpm apache2-php54-spez-5.4.35-2.x86_64.rpm apache2-php55-5.5.19-2.x86_64.rpm apache2-php56-5.6.3-2.x86_64.rpm apache2-utils-2.2.29-3.x86_64.rpm apache2-worker-2.2.29-3.x86_64.rpm

sed -i "s/HTTPD=.*/HTTPD\='\/usr\/local\/apache2-2.2.29\/sbin\/httpd2-prefork'/" /usr/local/apache2/sbin/apache2ctl
mv /usr/local/apache2/conf /usr/local/apache2/conf.orig 
cp -rp /usr/local/apache_conf.$MYDATE /usr/local/apache2/conf

Comment out the following lines in /usr/local/apache2/conf/httpd.conf:

#LoadModule ldap_module             lib64/apache2-prefork/mod_ldap.so
#LoadModule authnz_ldap_module      lib64/apache2-prefork/mod_authnz_ldap.so
rpm -Uhv apache2-mod_bw-0.7-2.x86_64.rpm apache2-confixx-suexec-1.0.8-25.x86_64.rpm

restart apache2

/etc/init.d/apache2 restart

proftpd

cd /usr/local/src/rpm/openssl_upgrade
rm -rf /usr/local/proftpd_etc_backup
cp -rp /usr/local/proftpd/etc /usr/local/proftpd_etc_backup
chown root.root /usr/local/proftpd_etc_backup
chmod 700 /usr/local/proftpd_etc_backup
rpm -UHv proftpd-1.3.5-2.x86_64.rpm
if test -h /usr/local/proftpd ; then rm /usr/local/proftpd ; fi
ln -s /usr/local/proftpd-1.3.5 /usr/local/proftpd
 
cp -rp /usr/local/proftpd_etc_backup/* /usr/local/proftpd/etc/.
sed -i "s/TLSProtocol.*/TLSProtocol TLSv1 TLSv1.1 TLSv1.2/g" /usr/local/proftpd/etc/proftpd.conf
chmod 440 /usr/local/proftpd/etc/virtualpasswd
/etc/init.d/proftpd restart

sasl

cd /usr/local/src/rpm/openssl_upgrade
rpm -Uhv --nodeps cyrus-sasl-*
rpm -e --nodeps cyrus-sasl-32bit-2.1.22-82
ln -s /usr/lib64/libsasl2.so.3.0.0 /usr/lib64/libsasl2.so.2
/etc/init.d/saslauthd stop
/etc/init.d/saslauthd start

sendmail

cd /usr/local/src/rpm/openssl_upgrade
cp -rp /etc/mail /etc/sendmail_mail_backup
chown root.root /etc/sendmail_mail_backup
chmod 700 /etc/sendmail_mail_backup
cp /usr/share/ssl/certs/* /usr/local/ssl/certs/.
rpm -Uhv sendmail-8.14.9-1.x86_64.rpm
cp -rp /etc/sendmail_mail_backup/* /etc/mail/.
cd /etc/mail
newaliases
rm *.db
make
sed -i "s/\/usr\/share\/ssl\/certs/\/usr\/local\/ssl\/certs/g" /etc/mail/sendmail.cf
/etc/init.d/sendmail stop
/etc/init.d/sendmail start

courier-authlib / courier-imap (consider making an e-mail backup first!!!)

cd /usr/local/src/rpm/openssl_upgrade
ln -s /usr/local/sbin/courierlogger /usr/sbin/courierlogger
cp -rp /etc/courier-imap /etc/courier_imap_etc_backup
chown root.root /etc/courier_imap_etc_backup
chmod 700 /etc/courier_imap_etc_backup
cp -rp /etc/authlib /etc/authlib_etc_backup
chown root.root /etc/authlib_etc_backup
chmod 700 /etc/authlib_etc_backup
rpm -Uhv courier-authlib-0.66.1-13.x86_64.rpm courier-unicode-1.1-1.x86_64.rpm courier-authlib-userdb-0.66.1-13.x86_64.rpm courier-imap-4.15.1-1.suse1030.x86_64.rpm
sed -i "s/IMAP_TLS_REQUIRED=.*/IMAP_TLS_REQUIRED=0/g" /etc/courier-imap/imapd-ssl
# the variable in pop3d-ssl is POP3_TLS_REQUIRED (the replacement must keep the "3")
sed -i "s/POP3_TLS_REQUIRED=.*/POP3_TLS_REQUIRED=0/g" /etc/courier-imap/pop3d-ssl
 
sed -i "s/TLS_PROTOCOL=.*/TLS_PROTOCOL=\"TLS1_2:TLS1_1:TLS1_0\"/g" /etc/courier-imap/imapd-ssl
sed -i "s/TLS_PROTOCOL=.*/TLS_PROTOCOL=\"TLS1_2:TLS1_1:TLS1_0\"/g" /etc/courier-imap/pop3d-ssl
 
sed -i "s/TLS_STARTTLS_PROTOCOL=.*/TLS_STARTTLS_PROTOCOL=TLS1_2/g" /etc/courier-imap/imapd-ssl
sed -i "s/TLS_STARTTLS_PROTOCOL=.*/TLS_STARTTLS_PROTOCOL=TLS1_2/g" /etc/courier-imap/pop3d-ssl
cp /etc/rc.d/init.d/courier-authlib /etc/init.d/.
chmod 755 /etc/init.d/courier-authlib

cp -rp /etc/authlib_etc_backup/* /etc/authlib/.


Change the key size to BITS=2048 and run the script:

sed -i 's|BITS=768|BITS=2048|g' /usr/lib/courier-imap/share/mkdhparams
/usr/lib/courier-imap/share/mkdhparams
/etc/init.d/courier-imap restart
/etc/init.d/courier-authlib restart

bind

cd /usr/local/src/rpm/openssl_upgrade
rpm -Uhv bind-9.10.1-1.x86_64.rpm
chkconfig courier-authlib on

In the file /usr/local/nagios/libexec/check_bac_procs insert the following line: 'couriertls -statusfd=7 -printx509=9 -localfd=5 -tcpd -server'

Test (when testing from a production hosting server, the new OpenSSL client under "/usr/local/ssl/bin" must be used):

openssl s_client -showcerts -connect login-21.loginserver.ch:995

This should produce the following output:

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit 
Secure Renegotiation IS supported 
Compression: NONE 
Expansion: NONE 
SSL-Session: 
    Protocol  : TLSv1.2

The important part is Protocol: TLSv1.2
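As an added example (not part of the original wiki page), the check above as a small shell helper: it runs the new OpenSSL client against each service port of a host and only accepts the result when the negotiated protocol is TLSv1.2. The client path /usr/local/ssl/bin/openssl is taken from this page; the port list and the use of implicit TLS (993, 995, 443, not STARTTLS) are assumptions.

```shell
#!/bin/sh
# Added example: verify that upgraded services negotiate TLSv1.2.
# Assumes the new OpenSSL client is installed under /usr/local/ssl/bin (as this page notes).
OPENSSL=${OPENSSL:-/usr/local/ssl/bin/openssl}

# Parse "openssl s_client" output from stdin; return 0 only when the
# SSL-Session block reports "Protocol : TLSv1.2" (trailing spaces ignored).
tls12_ok() {
    proto=$(sed -n 's/^ *Protocol *: *\([^ ]*\).*$/\1/p' | head -n 1)
    [ "$proto" = "TLSv1.2" ]
}

# Connect to host:port over implicit TLS and check the negotiated protocol.
# stdin is closed so s_client exits right after the handshake.
check_service() {
    host=$1; port=$2
    if "$OPENSSL" s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null | tls12_ok; then
        echo "OK   $host:$port negotiated TLSv1.2"
    else
        echo "FAIL $host:$port did not negotiate TLSv1.2"
        return 1
    fi
}

# Constructed sample outputs (not captured from a real server) for an offline self-test.
SAMPLE_GOOD='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
SSL-Session:
    Protocol  : TLSv1.2'
SAMPLE_OLD='New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1'

# Usage: sh check_tls12.sh tuxNN.hoststar.ch 995 993 443
if [ $# -ge 2 ]; then
    h=$1; shift
    rc=0
    for p in "$@"; do check_service "$h" "$p" || rc=1; done
    exit $rc
fi
```

Run it from a hosting server after the upgrade; a non-zero exit status means at least one port still negotiates an older protocol.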


already patched servers
CH
tux1.hoststar.ch
tux3.hoststar.ch
tux5.hoststar.ch
tux7.hoststar.ch
tux9.hoststar.ch
tux11.hoststar.ch
tux13.hoststar.ch
tux15.hoststar.ch
tux17.hoststar.ch
tux21.hoststar.ch
tux23.hoststar.ch
tux25.hoststar.ch
tux27.hoststar.ch
tux29.hoststar.ch
tux31.hoststar.ch
tux163.hoststar.ch
tux153.hoststar.ch
tux155.hoststar.ch
tux157.hoststar.ch
tux193.hoststar.ch
tux195.hoststar.ch
tux197.hoststar.ch
tux247.hoststar.ch
tux261.hoststar.ch
tux281.hoststar.ch
tux283.hoststar.ch
tux285.hoststar.ch
tux287.hoststar.ch
tux289.hoststar.ch
tux291.hoststar.ch
tux293.hoststar.ch
tux295.hoststar.ch
tux297.hoststar.ch
tux301.hoststar.ch
tux303.hoststar.ch
tux305.hoststar.ch
tux307.hoststar.ch
AT
- done on all AT servers (09.09.2015)
Reseller
- done on all Reseller servers (09.09.2015)