Openssl patch
Version from 9 September 2015, 15:22
From bkp001, copy the RPM packages to the target server:
scp -rp /root/openssl_upgrade tuxNN:/usr/local/src/rpm/.
Make these directories writable again by removing the immutable flag (chattr -i), otherwise the package installs below cannot update the binaries in them:
chattr -i /usr/local/proftpd/bin /sbin /usr/sbin /usr/local/sbin /usr/local/bin /usr/bin /usr/X11R6/bin /bin
Automated Procedure
The script openssl_upgrade.sh should perform all of the steps listed under the manual procedure:
/usr/local/src/rpm/openssl_upgrade/upgrade.sh
The script writes a logfile to /var/tmp/openssl_upgrade.sh.log.
Manual Procedure
Install the packages db43 and sqlite2:
zypper -n install db43 sqlite2
Install the customopenssl RPM:
cd /usr/local/src/rpm/openssl_upgrade
rpm -iHv customopenssl-1.0.1j-3.x86_64.rpm
Back up the old Apache2 configuration files, then stop the service:
MYDATE=$(date +%Y%m%d)
cp -rp /usr/local/apache2/conf /usr/local/apache_conf.$MYDATE
/etc/init.d/apache2 stop
Install the following RPMs for apache2 (the two package lists differ only in the MPM package, apache2-prefork or apache2-worker):
rpm -Uhv apache2-2.2.29-3.x86_64.rpm apache2-modsecurity-2.6.8-4.x86_64.rpm apache2-php-5.2.17-module.58.x86_64.rpm apache2-php52-gd-5.2.17-2.x86_64.rpm apache2-php52-spez-5.2.17-2.x86_64.rpm apache2-php53-5.3.29-2.x86_64.rpm apache2-php53-spez-5.3.29-2.x86_64.rpm apache2-php54-5.4.35-2.x86_64.rpm apache2-php54-spez-5.4.35-2.x86_64.rpm apache2-php55-5.5.19-2.x86_64.rpm apache2-php56-5.6.3-2.x86_64.rpm apache2-utils-2.2.29-3.x86_64.rpm apache2-prefork-2.2.29-3.x86_64.rpm
rpm -Uhv *apr*
Same package set with the worker MPM instead of prefork:
rpm -Uhv apache2-2.2.29-3.x86_64.rpm apache2-modsecurity-2.6.8-4.x86_64.rpm apache2-php-5.2.17-module.58.x86_64.rpm apache2-php52-gd-5.2.17-2.x86_64.rpm apache2-php52-spez-5.2.17-2.x86_64.rpm apache2-php53-5.3.29-2.x86_64.rpm apache2-php53-spez-5.3.29-2.x86_64.rpm apache2-php54-5.4.35-2.x86_64.rpm apache2-php54-spez-5.4.35-2.x86_64.rpm apache2-php55-5.5.19-2.x86_64.rpm apache2-php56-5.6.3-2.x86_64.rpm apache2-utils-2.2.29-3.x86_64.rpm apache2-worker-2.2.29-3.x86_64.rpm
Point apache2ctl at the new httpd2-prefork binary and restore the backed-up configuration:
sed -i "s/HTTPD=.*/HTTPD\='\/usr\/local\/apache2-2.2.29\/sbin\/httpd2-prefork'/" /usr/local/apache2/sbin/apache2ctl
mv /usr/local/apache2/conf /usr/local/apache2/conf.orig
cp -rp /usr/local/apache_conf.$MYDATE /usr/local/apache2/conf
Comment out the following lines in /usr/local/apache2/conf/httpd.conf:
#LoadModule ldap_module lib64/apache2-prefork/mod_ldap.so
#LoadModule authnz_ldap_module lib64/apache2-prefork/mod_authnz_ldap.so
rpm -Uhv apache2-mod_bw-0.7-2.x86_64.rpm apache2-confixx-suexec-1.0.8-25.x86_64.rpm
Restart apache2:
/etc/init.d/apache2 restart
proftpd
cd /usr/local/src/rpm/openssl_upgrade
rm -rf /usr/local/proftpd_etc_backup
cp -rp /usr/local/proftpd/etc /usr/local/proftpd_etc_backup
chown root.root /usr/local/proftpd_etc_backup
chmod 700 /usr/local/proftpd_etc_backup
rpm -UHv proftpd-1.3.5-2.x86_64.rpm
if test -h /usr/local/proftpd ; then rm /usr/local/proftpd ; fi
ln -s /usr/local/proftpd-1.3.5 /usr/local/proftpd
cp -rp /usr/local/proftpd_etc_backup/* /usr/local/proftpd/etc/.
sed -i "s/TLSProtocol.*/TLSProtocol TLSv1 TLSv1.1 TLSv1.2/g" /usr/local/proftpd/etc/proftpd.conf
chmod 440 /usr/local/proftpd/etc/virtualpasswd
/etc/init.d/proftpd restart
sasl
cd /usr/local/src/rpm/openssl_upgrade
rpm -Uhv --nodeps cyrus-sasl-*
rpm -e --nodeps cyrus-sasl-32bit-2.1.22-82
ln -s /usr/lib64/libsasl2.so.3.0.0 /usr/lib64/libsasl2.so.2
/etc/init.d/saslauthd stop
/etc/init.d/saslauthd start
sendmail
cd /usr/local/src/rpm/openssl_upgrade
cp -rp /etc/mail /etc/sendmail_mail_backup
chown root.root /etc/sendmail_mail_backup
chmod 700 /etc/sendmail_mail_backup
cp /usr/share/ssl/certs/* /usr/local/ssl/certs/.
rpm -Uhv sendmail-8.14.9-1.x86_64.rpm
cp -rp /etc/sendmail_mail_backup/* /etc/mail/.
cd /etc/mail
newaliases
rm *.db
make
sed -i "s/\/usr\/share\/ssl\/certs/\/usr\/local\/ssl\/certs/g" /etc/mail/sendmail.cf
/etc/init.d/sendmail stop
/etc/init.d/sendmail start
courier-authlib / courier-imap (consider making an email backup first!!!)
cd /usr/local/src/rpm/openssl_upgrade
ln -s /usr/local/sbin/courierlogger /usr/sbin/courierlogger
cp -rp /etc/courier-imap /etc/courier_imap_etc_backup
chown root.root /etc/courier_imap_etc_backup
chmod 700 /etc/courier_imap_etc_backup
cp -rp /etc/authlib /etc/authlib_etc_backup
chown root.root /etc/authlib_etc_backup
chmod 700 /etc/authlib_etc_backup
rpm -Uhv courier-authlib-0.66.1-13.x86_64.rpm courier-unicode-1.1-1.x86_64.rpm courier-authlib-userdb-0.66.1-13.x86_64.rpm courier-imap-4.15.1-1.suse1030.x86_64.rpm
Set the TLS options in the courier-imap SSL configuration (the patterns are anchored with ^ so that TLS_PROTOCOL= does not also match the TLS_STARTTLS_PROTOCOL= line):
sed -i "s/^IMAP_TLS_REQUIRED=.*/IMAP_TLS_REQUIRED=0/g" /etc/courier-imap/imapd-ssl
sed -i "s/^POP3_TLS_REQUIRED=.*/POP3_TLS_REQUIRED=0/g" /etc/courier-imap/pop3d-ssl
sed -i "s/^TLS_PROTOCOL=.*/TLS_PROTOCOL=\"TLS1_2:TLS1_1:TLS1_0\"/g" /etc/courier-imap/imapd-ssl
sed -i "s/^TLS_PROTOCOL=.*/TLS_PROTOCOL=\"TLS1_2:TLS1_1:TLS1_0\"/g" /etc/courier-imap/pop3d-ssl
sed -i "s/^TLS_STARTTLS_PROTOCOL=.*/TLS_STARTTLS_PROTOCOL=TLS1_2/g" /etc/courier-imap/imapd-ssl
sed -i "s/^TLS_STARTTLS_PROTOCOL=.*/TLS_STARTTLS_PROTOCOL=TLS1_2/g" /etc/courier-imap/pop3d-ssl
cp /etc/rc.d/init.d/courier-authlib /etc/init.d/.
chmod 755 /etc/init.d/courier-authlib
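A caveat with the sed -i edits above: when the key is not present in the file (or is spelled differently), sed changes nothing and exits 0, so the TLS setting silently stays at its old value. The following is an added example, not a script from the original page or the hosting project: a small helper that replaces the key if present, appends it otherwise, and verifies the result. The file contents and the temp file it edits are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page). set_kv edits KEY=VALUE lines in
# a shell-style config file the way the sed -i steps above do, but appends the
# line when the key is absent and verifies the outcome instead of trusting
# sed's exit status. Assumes GNU sed (sed -i without a suffix), as on SUSE.

# set_kv FILE KEY VALUE: ensure FILE contains exactly one line "KEY=VALUE".
# VALUE must not contain sed/grep metacharacters such as | & . * [ ].
set_kv() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        # key present: rewrite every KEY=... line (anchored, so TLS_PROTOCOL=
        # does not also hit TLS_STARTTLS_PROTOCOL=)
        sed -i "s|^${key}=.*|${key}=${value}|" "$file"
    else
        # key absent: sed would be a silent no-op, so append the line instead
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
    # verify: exactly one line for the key, carrying the wanted value
    [ "$(grep -c "^${key}=" "$file")" -eq 1 ] || return 1
    grep -q "^${key}=${value}\$" "$file"
}

# get_kv FILE KEY: print the current value of KEY (empty if absent)
get_kv() {
    sed -n "s|^$2=||p" "$1"
}

# demo on a constructed fragment of a courier-imap pop3d-ssl file:
# POP3_TLS_REQUIRED exists (the sed path), TLS_STARTTLS_PROTOCOL does not
# (the append path). Prints the two resulting values.
demo_pop3d_ssl() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
##NAME: POP3_TLS_REQUIRED:0
POP3_TLS_REQUIRED=1
TLS_PROTOCOL="TLS1_2:TLS1_1:TLS1_0"
EOF
    set_kv "$tmp" POP3_TLS_REQUIRED 0 || return 1
    set_kv "$tmp" TLS_STARTTLS_PROTOCOL TLS1_2 || return 1
    get_kv "$tmp" POP3_TLS_REQUIRED
    get_kv "$tmp" TLS_STARTTLS_PROTOCOL
    rm -f "$tmp"
}

demo_pop3d_ssl
```

Run against the real files it would be `set_kv /etc/courier-imap/pop3d-ssl POP3_TLS_REQUIRED 0` and so on; a non-zero return means the file does not contain the expected line afterwards, which is the condition the plain sed -i never reports.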
cp -rp /etc/authlib_etc_backup/* /etc/authlib/.
Change the DH parameter size in mkdhparams to BITS=2048 and execute the script:
sed -i 's|BITS=768|BITS=2048|g' /usr/lib/courier-imap/share/mkdhparams
/usr/lib/courier-imap/share/mkdhparams
/etc/init.d/courier-imap restart
/etc/init.d/courier-authlib restart
bind
cd /usr/local/src/rpm/openssl_upgrade
rpm -Uhv bind-9.10.1-1.x86_64.rpm
chkconfig courier-authlib on
Insert the following line in the file /usr/local/nagios/libexec/check_bac_procs:
'couriertls -statusfd=7 -printx509=9 -localfd=5 -tcpd -server',
Test (when testing from a hosting production server, the new OpenSSL client under "/usr/local/ssl/bin" must be used):
openssl s_client -showcerts -connect login-21.loginserver.ch:995
This should produce the following output:
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
The important part is Protocol : TLSv1.2
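The manual check above relies on reading the s_client transcript by eye, once per server. The following is an added example, not a script from the original page or the hosting project: it parses such a transcript and fails unless the negotiated protocol is TLSv1.2 and the server key is at least 2048 bits, so it can be run over the whole server list. The two transcripts embedded in it are constructed sample data, not captures from real hosts; the live wrapper check_service and its use of /usr/local/ssl/bin are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original page). Parses "openssl s_client" output
# and checks the post-upgrade expectations: Protocol TLSv1.2 and a server key
# of at least 2048 bits. Sample transcripts below are constructed.

# check_sclient_output: reads an s_client transcript on stdin.
# Prints "OK: ..." and returns 0 when Protocol is TLSv1.2 and the server key
# is >= 2048 bits; otherwise prints "FAIL: ..." and returns 1.
check_sclient_output() {
    proto=""; cipher=""; bits=""
    while IFS= read -r line; do
        case "$line" in
            *"Cipher is "*)            cipher=${line##*Cipher is } ;;
            *"Server public key is "*) bits=${line#*Server public key is }
                                       bits=${bits%% bit*} ;;
            *Protocol*:*)              proto=${line##*: } ;;
        esac
    done
    [ "$proto" = "TLSv1.2" ] || { echo "FAIL: protocol '$proto', expected TLSv1.2"; return 1; }
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: server key ${bits:-unknown} bits, expected >= 2048"; return 1; }
    echo "OK: $proto, $cipher, ${bits}-bit server key"
}

# check_service HOST:PORT: live check of one service, preferring the upgraded
# client under /usr/local/ssl/bin when present (not exercised offline).
check_service() {
    PATH=/usr/local/ssl/bin:$PATH openssl s_client -showcerts -connect "$1" </dev/null 2>/dev/null \
        | check_sclient_output
}

# constructed transcript matching the expected output shown on the page
GOOD_SAMPLE='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384'

# constructed transcript of a server that still negotiates plain TLSv1
BAD_SAMPLE='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1'

check_good() { printf '%s\n' "$GOOD_SAMPLE" | check_sclient_output; }
check_bad()  { printf '%s\n' "$BAD_SAMPLE"  | check_sclient_output; }

check_good
check_bad || echo "(the TLSv1-only sample was rejected as expected)"
```

To sweep the patched-server list, loop over the hostnames and call `check_service "$host:995"` (and the other TLS ports) from a host that has the new client installed; any FAIL line identifies a server whose upgrade did not take effect.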
- already patched servers
  - CH
    - tux25.hoststar.ch
    - tux163.hoststar.ch
    - tux247.hoststar.ch
    - tux261.hoststar.ch
    - tux281.hoststar.ch
    - tux283.hoststar.ch
    - tux285.hoststar.ch
    - tux287.hoststar.ch
    - tux289.hoststar.ch
    - tux291.hoststar.ch
    - tux293.hoststar.ch
    - tux295.hoststar.ch
    - tux297.hoststar.ch
    - tux301.hoststar.ch
    - tux303.hoststar.ch
    - tux305.hoststar.ch
    - tux307.hoststar.ch
  - AT
    - done on all AT servers (09.09.2015)
  - Reseller
    - done on all Reseller servers (09.09.2015)