OpenSSL patch
Status
- already patched servers
- CH
- tux1.hoststar.ch until tux111.hoststar.ch
- tux131.hoststar.ch (22.09.2015)
- tux163.hoststar.ch
- tux153.hoststar.ch
- tux155.hoststar.ch
- tux157.hoststar.ch
- tux167.hoststar.ch (01.10.2015)
- tux193.hoststar.ch
- tux195.hoststar.ch
- tux197.hoststar.ch
- tux247.hoststar.ch
- tux261.hoststar.ch
- tux267.hoststar.ch (19.09.2015)
- tux269.hoststar.ch (19.09.2015)
- tux271.hoststar.ch (19.09.2015)
- tux273.hoststar.ch (19.09.2015)
- tux275.hoststar.ch (18.09.2015)
- tux277.hoststar.ch (18.09.2015)
- tux281.hoststar.ch
- tux283.hoststar.ch
- tux285.hoststar.ch
- tux287.hoststar.ch
- tux289.hoststar.ch
- tux291.hoststar.ch
- tux293.hoststar.ch
- tux295.hoststar.ch
- tux297.hoststar.ch
- tux301.hoststar.ch
- tux303.hoststar.ch
- tux305.hoststar.ch
- tux307.hoststar.ch
- AT
- done on all AT servers (09.09.2015)
- Reseller
- done on all reseller servers (09.09.2015)
Known issues
- courier problem with gid
- only on tux11, tux17 and tux37: the group id of poponly is wrong (502 instead of 102)
- popauth.db error messages
- courier-authlib not starting at boot
- php.ini settings: php module missing
- php.ini settings: php53spez missing
- php.ini settings: php54spez missing
- php56: ioncube, imagick missing
- php54spez: mysqli not working
Prerequisites
From bkp001, copy the RPM packages to the target server:
bash /root/tch/openssl_update/deploy tuxXX
or copy to multiple servers at once:
bash /root/tch/openssl_update/deploy tuxXX tuxXY tuxYY
Remove the immutable attribute from these directories (they are kept at chattr +i, which stops rpm from replacing files in them; re-lock them with chattr +i once the upgrade is done):
chattr -i /usr/local/proftpd/bin /sbin /usr/sbin /usr/local/sbin /usr/local/bin /usr/bin /usr/X11R6/bin /bin
or with the command
hsbinunlock
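The unlock step above is easy to get wrong in the other direction: after the upgrade you want exactly the directories that were immutable before to be immutable again, no more and no fewer. The following helper is an added example and not the page's hsbinunlock script; it records which of the listed directories actually carry the i flag (parsed from lsattr -d output), clears it, and re-applies it from that record. The state file path is an assumption, and the real unlock/relock needs root on an ext filesystem.

```shell
#!/bin/bash
# Added example: record-and-restore wrapper around the page's `chattr -i ...` step.
# Not the original hsbinunlock. STATE_FILE is an assumed location.

LOCKED_DIRS="/usr/local/proftpd/bin /sbin /usr/sbin /usr/local/sbin /usr/local/bin /usr/bin /usr/X11R6/bin /bin"
STATE_FILE="${STATE_FILE:-/var/tmp/hsbin_immutable.state}"   # assumed path

# Return 0 if one line of `lsattr -d` output shows the immutable (i) flag.
# The line looks like "----i--------e-- /sbin": flag field, space, path.
lsattr_line_is_immutable() {
    local flags="${1%% *}"          # keep only the flag field
    case "$flags" in
        *i*) return 0 ;;            # lowercase i = immutable (I would be indexed dir)
        *)   return 1 ;;
    esac
}

# Read lsattr output on stdin, print only the paths that are immutable.
immutable_paths_from_lsattr() {
    local line
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        if lsattr_line_is_immutable "$line"; then
            printf '%s\n' "${line#* }"
        fi
    done
}

# Save the currently immutable directories to STATE_FILE, then clear the flag.
unlock_dirs() {
    lsattr -d $LOCKED_DIRS 2>/dev/null | immutable_paths_from_lsattr > "$STATE_FILE"
    if [ ! -s "$STATE_FILE" ]; then
        echo "none of the listed directories is immutable; nothing to unlock"
        return 0
    fi
    xargs chattr -i < "$STATE_FILE"
}

# Re-apply +i to exactly the directories recorded by unlock_dirs.
relock_dirs() {
    if [ ! -s "$STATE_FILE" ]; then
        echo "no state file at $STATE_FILE; refusing to guess what to relock" >&2
        return 1
    fi
    xargs chattr +i < "$STATE_FILE"
    # show what is immutable now so the operator can compare with the state file
    lsattr -d $LOCKED_DIRS 2>/dev/null | immutable_paths_from_lsattr
}

case "${1:-}" in
    unlock) unlock_dirs ;;
    relock) relock_dirs ;;
esac
```

Run it as `hsbin_lock.sh unlock` before the rpm commands and `hsbin_lock.sh relock` after the services are back; the state file is what makes the relock idempotent across a second run of the procedure.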
Automated Procedure
The script upgrade.sh performs all of the steps listed below:
/usr/local/src/rpm/openssl_upgrade/upgrade.sh
The script writes a logfile to /var/tmp/openssl_upgrade.sh.log.
Manual Procedure (INCOMPLETE)
install the packages db43 and sqlite2
zypper -n install db43 sqlite2
install the customopenssl rpm
cd /usr/local/src/rpm/openssl_upgrade
rpm -iHv customopenssl-1.0.1j-3.x86_64.rpm
back up the old apache2 conf files and stop the service
MYDATE=$(date +%Y%m%d)
cp -rp /usr/local/apache2/conf /usr/local/apache_conf.$MYDATE
/etc/init.d/apache2 stop
install the following rpms for apache2 (prefork MPM; apache2ctl is pointed at httpd2-prefork below)
rpm -Uhv apache2-2.2.29-3.x86_64.rpm apache2-modsecurity-2.6.8-4.x86_64.rpm apache2-php-5.2.17-module.58.x86_64.rpm apache2-php52-gd-5.2.17-2.x86_64.rpm apache2-php52-spez-5.2.17-2.x86_64.rpm apache2-php53-5.3.29-2.x86_64.rpm apache2-php53-spez-5.3.29-2.x86_64.rpm apache2-php54-5.4.35-2.x86_64.rpm apache2-php54-spez-5.4.35-2.x86_64.rpm apache2-php55-5.5.19-2.x86_64.rpm apache2-php56-5.6.3-2.x86_64.rpm apache2-utils-2.2.29-3.x86_64.rpm apache2-prefork-2.2.29-3.x86_64.rpm
rpm -Uhv *apr*
for the worker MPM, the same set with apache2-worker instead of apache2-prefork:
rpm -Uhv apache2-2.2.29-3.x86_64.rpm apache2-modsecurity-2.6.8-4.x86_64.rpm apache2-php-5.2.17-module.58.x86_64.rpm apache2-php52-gd-5.2.17-2.x86_64.rpm apache2-php52-spez-5.2.17-2.x86_64.rpm apache2-php53-5.3.29-2.x86_64.rpm apache2-php53-spez-5.3.29-2.x86_64.rpm apache2-php54-5.4.35-2.x86_64.rpm apache2-php54-spez-5.4.35-2.x86_64.rpm apache2-php55-5.5.19-2.x86_64.rpm apache2-php56-5.6.3-2.x86_64.rpm apache2-utils-2.2.29-3.x86_64.rpm apache2-worker-2.2.29-3.x86_64.rpm
point apache2ctl at the new binary and put the backed-up conf back in place
sed -i "s/HTTPD=.*/HTTPD\='\/usr\/local\/apache2-2.2.29\/sbin\/httpd2-prefork'/" /usr/local/apache2/sbin/apache2ctl
mv /usr/local/apache2/conf /usr/local/apache2/conf.orig
cp -rp /usr/local/apache_conf.$MYDATE /usr/local/apache2/conf
comment out the following lines in /usr/local/apache2/conf/httpd.conf
#LoadModule ldap_module lib64/apache2-prefork/mod_ldap.so
#LoadModule authnz_ldap_module lib64/apache2-prefork/mod_authnz_ldap.so
rpm -Uhv apache2-mod_bw-0.7-2.x86_64.rpm apache2-confixx-suexec-1.0.8-25.x86_64.rpm
restart apache2
/etc/init.d/apache2 restart
proftpd
cd /usr/local/src/rpm/openssl_upgrade
rm -rf /usr/local/proftpd_etc_backup
cp -rp /usr/local/proftpd/etc /usr/local/proftpd_etc_backup
chown root.root /usr/local/proftpd_etc_backup
chmod 700 /usr/local/proftpd_etc_backup
rpm -UHv proftpd-1.3.5-2.x86_64.rpm
if test -h /usr/local/proftpd ; then rm /usr/local/proftpd ; fi
ln -s /usr/local/proftpd-1.3.5 /usr/local/proftpd
cp -rp /usr/local/proftpd_etc_backup/* /usr/local/proftpd/etc/.
sed -i "s/TLSProtocol.*/TLSProtocol TLSv1 TLSv1.1 TLSv1.2/g" /usr/local/proftpd/etc/proftpd.conf
chmod 440 /usr/local/proftpd/etc/virtualpasswd
/etc/init.d/proftpd restart
sasl
cd /usr/local/src/rpm/openssl_upgrade
rpm -Uhv --nodeps cyrus-sasl-*
rpm -e --nodeps cyrus-sasl-32bit-2.1.22-82
compatibility symlink for binaries still linked against libsasl2.so.2
ln -s /usr/lib64/libsasl2.so.3.0.0 /usr/lib64/libsasl2.so.2
/etc/init.d/saslauthd stop
/etc/init.d/saslauthd start
sendmail
cd /usr/local/src/rpm/openssl_upgrade
cp -rp /etc/mail /etc/sendmail_mail_backup
chown root.root /etc/sendmail_mail_backup
chmod 700 /etc/sendmail_mail_backup
cp /usr/share/ssl/certs/* /usr/local/ssl/certs/.
rpm -Uhv sendmail-8.14.9-1.x86_64.rpm
cp -rp /etc/sendmail_mail_backup/* /etc/mail/.
cd /etc/mail
newaliases
rm *.db
make
point sendmail.cf at the certificate directory of the new OpenSSL
sed -i "s/\/usr\/share\/ssl\/certs/\/usr\/local\/ssl\/certs/g" /etc/mail/sendmail.cf
/etc/init.d/sendmail stop
/etc/init.d/sendmail start
courier-authlib / courier-imap (consider making an email backup first!!!)
cd /usr/local/src/rpm/openssl_upgrade
ln -s /usr/local/sbin/courierlogger /usr/sbin/courierlogger
cp -rp /etc/courier-imap /etc/courier_imap_etc_backup
chown root.root /etc/courier_imap_etc_backup
chmod 700 /etc/courier_imap_etc_backup
cp -rp /etc/authlib /etc/authlib_etc_backup
chown root.root /etc/authlib_etc_backup
chmod 700 /etc/authlib_etc_backup
rpm -Uhv courier-authlib-0.66.1-13.x86_64.rpm courier-unicode-1.1-1.x86_64.rpm courier-authlib-userdb-0.66.1-13.x86_64.rpm courier-imap-4.15.1-1.suse1030.x86_64.rpm
sed -i "s/IMAP_TLS_REQUIRED=.*/IMAP_TLS_REQUIRED=0/g" /etc/courier-imap/imapd-ssl
sed -i "s/POP3_TLS_REQUIRED=.*/POP3_TLS_REQUIRED=0/g" /etc/courier-imap/pop3d-ssl
sed -i "s/TLS_PROTOCOL=.*/TLS_PROTOCOL=\"TLS1_2:TLS1_1:TLS1_0\"/g" /etc/courier-imap/imapd-ssl
sed -i "s/TLS_PROTOCOL=.*/TLS_PROTOCOL=\"TLS1_2:TLS1_1:TLS1_0\"/g" /etc/courier-imap/pop3d-ssl
sed -i "s/TLS_STARTTLS_PROTOCOL=.*/TLS_STARTTLS_PROTOCOL=TLS1_2/g" /etc/courier-imap/imapd-ssl
sed -i "s/TLS_STARTTLS_PROTOCOL=.*/TLS_STARTTLS_PROTOCOL=TLS1_2/g" /etc/courier-imap/pop3d-ssl
Note: the variable in pop3d-ssl is spelled POP3_TLS_REQUIRED; a sed that writes POP_TLS_REQUIRED renames the setting and leaves the real one undefined. Also be aware that IMAP_TLS_REQUIRED=0 / POP3_TLS_REQUIRED=0 allows logins without STARTTLS on the plaintext ports 143 and 110; set them to 1 if encryption is to be enforced there.
cp /etc/rc.d/init.d/courier-authlib /etc/init.d/.
chmod 755 /etc/init.d/courier-authlib
cp -rp /etc/authlib_etc_backup/* /etc/authlib/.
change BITS=768 to BITS=2048 in mkdhparams, then run the script to generate new DH parameters
sed -i 's|BITS=768|BITS=2048|g' /usr/lib/courier-imap/share/mkdhparams
/usr/lib/courier-imap/share/mkdhparams
/etc/init.d/courier-imap restart
/etc/init.d/courier-authlib restart
enable courier-authlib at boot (see known issues)
chkconfig courier-authlib on
bind
cd /usr/local/src/rpm/openssl_upgrade
rpm -Uhv bind-9.10.1-1.x86_64.rpm
curl
cd /usr/local/src/rpm/openssl_upgrade
rpm -Uvh libcurl4-7.44.0-1.1.x86_64.rpm curl-7.44.0-1.1.x86_64.rpm curl-ca-bundle-7.44.0-1.1.x86_64.rpm
Insert the following line into the file /usr/local/nagios/libexec/check_bac_procs:
'couriertls -statusfd=7 -printx509=9 -localfd=5 -tcpd -server',
Test (when testing from a hosting production server, the new OpenSSL client in /usr/local/ssl/bin must be used, i.e. /usr/local/ssl/bin/openssl, otherwise the old system client may cap the handshake at TLSv1):
openssl s_client -showcerts -connect login-21.loginserver.ch:995
This should produce output like the following:
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
What matters is Protocol: TLSv1.2.
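The manual s_client test above only covers one port on one host, and the known-issues list at the top (wrong poponly gid on some servers, courier-authlib not enabled at boot) is checked by hand too. The script below is an added example, not part of the page or the hosting provider's tooling: it parses s_client output for the negotiated protocol and cipher, runs that check against the HTTPS, POP3S, IMAPS, SMTP STARTTLS and FTP STARTTLS ports, and adds the gid and chkconfig checks. It assumes the new client lives at /usr/local/ssl/bin/openssl as stated above and that poponly must be gid 102 as the known-issues entry says.

```shell
#!/bin/bash
# Added example: post-upgrade verification. Not the page's own check.
# Assumptions: /usr/local/ssl/bin/openssl is the 1.0.1j client; poponly gid must be 102.

OPENSSL="${OPENSSL:-/usr/local/ssl/bin/openssl}"
EXPECTED_POPONLY_GID=102

# From `openssl s_client` output on stdin, print the negotiated protocol
# (the "Protocol  : TLSv1.2" line of the SSL-Session block).
tls_protocol_from_s_client() {
    sed -n 's/^ *Protocol *: *//p' | head -n 1
}

# From the same output, print the cipher from "New, TLSv1/SSLv3, Cipher is ...".
tls_cipher_from_s_client() {
    sed -n 's/^New, .*Cipher is //p' | head -n 1
}

# Connect to host:port (optionally via STARTTLS for smtp/ftp/pop3/imap),
# print "host:port protocol cipher", and fail unless TLSv1.2 was negotiated.
check_tls_endpoint() {
    local host="$1" port="$2" starttls="${3:-}" out proto cipher
    if [ -n "$starttls" ]; then
        out=$("$OPENSSL" s_client -connect "$host:$port" -starttls "$starttls" </dev/null 2>/dev/null)
    else
        out=$("$OPENSSL" s_client -connect "$host:$port" </dev/null 2>/dev/null)
    fi
    proto=$(printf '%s\n' "$out" | tls_protocol_from_s_client)
    cipher=$(printf '%s\n' "$out" | tls_cipher_from_s_client)
    printf '%s:%s %s %s\n' "$host" "$port" "${proto:-NONE}" "${cipher:-NONE}"
    [ "$proto" = "TLSv1.2" ]
}

# Read /etc/group-format lines on stdin and print the gid of the named group.
gid_of_group() {
    awk -F: -v g="$1" '$1 == g { print $3; exit }'
}

# Known issue: on some servers poponly has gid 502 instead of 102.
check_poponly_gid() {
    local gid
    gid=$(gid_of_group poponly < /etc/group)
    [ "$gid" = "$EXPECTED_POPONLY_GID" ]
}

# Known issue: courier-authlib not starting at boot (needs chkconfig on).
check_authlib_boot() {
    chkconfig --list courier-authlib 2>/dev/null | grep -q '3:on'
}

# Run every check against one host; exit status 1 if anything failed.
run_all() {
    local rc=0 host="${1:-localhost}"
    check_tls_endpoint "$host" 443      || rc=1
    check_tls_endpoint "$host" 995      || rc=1
    check_tls_endpoint "$host" 993      || rc=1
    check_tls_endpoint "$host" 25  smtp || rc=1
    check_tls_endpoint "$host" 21  ftp  || rc=1
    check_poponly_gid  || { echo "poponly gid is not $EXPECTED_POPONLY_GID"; rc=1; }
    check_authlib_boot || { echo "courier-authlib is not enabled in runlevel 3"; rc=1; }
    return $rc
}

if [ "${1:-}" = run ]; then
    run_all "${2:-localhost}"
fi
```

Invoke it as `post_upgrade_check.sh run tuxXX` from a host that has the new client; a non-zero exit means at least one service still negotiates below TLSv1.2 or one of the known issues is present on that server.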