
Openssl patch

From HS Syswiki


from bkp001, copy the rpm packages to the target server.

scp -rp /root/openssl_upgrade tuxNN:/usr/local/src/rpm/.

remove the immutable attribute (set earlier with chattr +i) from these directories so the packages can write to them

chattr -i /usr/local/proftpd/bin /sbin /usr/sbin /usr/local/sbin /usr/local/bin /usr/bin /usr/X11R6/bin /bin


Automated Procedure

You can use the script openssl_upgrade.sh, which should perform all of the following steps:

/usr/local/src/rpm/openssl_upgrade/upgrade.sh

The script writes a logfile to /var/tmp/openssl_upgrade.sh.log.

Manual Procedure

install the packages db43 and sqlite2

zypper -n install db43 sqlite2

install customopenssl rpm

cd /usr/local/src/rpm/openssl_upgrade
rpm -ihv customopenssl-1.0.1j-3.x86_64.rpm

back up the old apache2 conf files and stop the service

MYDATE=$(date +%Y%m%d)
cp -rp /usr/local/apache2/conf /usr/local/apache_conf.$MYDATE
/etc/init.d/apache2 stop

install the following rpm packages for apache2

rpm -Uhv apache2-2.2.29-3.x86_64.rpm apache2-modsecurity-2.6.8-4.x86_64.rpm apache2-php-5.2.17-module.58.x86_64.rpm apache2-php52-gd-5.2.17-2.x86_64.rpm apache2-php52-spez-5.2.17-2.x86_64.rpm apache2-php53-5.3.29-2.x86_64.rpm apache2-php53-spez-5.3.29-2.x86_64.rpm apache2-php54-5.4.35-2.x86_64.rpm apache2-php54-spez-5.4.35-2.x86_64.rpm apache2-php55-5.5.19-2.x86_64.rpm apache2-php56-5.6.3-2.x86_64.rpm apache2-utils-2.2.29-3.x86_64.rpm apache2-prefork-2.2.29-3.x86_64.rpm
rpm -Uhv *apr*

rpm -Uhv apache2-2.2.29-3.x86_64.rpm apache2-modsecurity-2.6.8-4.x86_64.rpm apache2-php-5.2.17-module.58.x86_64.rpm apache2-php52-gd-5.2.17-2.x86_64.rpm apache2-php52-spez-5.2.17-2.x86_64.rpm apache2-php53-5.3.29-2.x86_64.rpm apache2-php53-spez-5.3.29-2.x86_64.rpm apache2-php54-5.4.35-2.x86_64.rpm apache2-php54-spez-5.4.35-2.x86_64.rpm apache2-php55-5.5.19-2.x86_64.rpm apache2-php56-5.6.3-2.x86_64.rpm apache2-utils-2.2.29-3.x86_64.rpm apache2-worker-2.2.29-3.x86_64.rpm

sed -i "s/HTTPD=.*/HTTPD\='\/usr\/local\/apache2-2.2.29\/sbin\/httpd2-prefork'/" /usr/local/apache2/sbin/apache2ctl
mv /usr/local/apache2/conf /usr/local/apache2/conf.orig 
cp -rp /usr/local/apache_conf.$MYDATE /usr/local/apache2/conf

comment out the following lines in /usr/local/apache2/conf/httpd.conf

#LoadModule ldap_module             lib64/apache2-prefork/mod_ldap.so
#LoadModule authnz_ldap_module      lib64/apache2-prefork/mod_authnz_ldap.so

install the mod_bw and confixx-suexec rpm packages

rpm -Uhv apache2-mod_bw-0.7-2.x86_64.rpm apache2-confixx-suexec-1.0.8-25.x86_64.rpm

restart apache2

/etc/init.d/apache2 restart

proftpd

cd /usr/local/src/rpm/openssl_upgrade
rm -rf /usr/local/proftpd_etc_backup
cp -rp /usr/local/proftpd/etc /usr/local/proftpd_etc_backup
chown root.root /usr/local/proftpd_etc_backup
chmod 700 /usr/local/proftpd_etc_backup
rpm -Uhv proftpd-1.3.5-2.x86_64.rpm
if test -h /usr/local/proftpd ; then rm /usr/local/proftpd ; fi
ln -s /usr/local/proftpd-1.3.5 /usr/local/proftpd
 
cp -rp /usr/local/proftpd_etc_backup/* /usr/local/proftpd/etc/.
sed -i "s/TLSProtocol.*/TLSProtocol TLSv1 TLSv1.1 TLSv1.2/g" /usr/local/proftpd/etc/proftpd.conf
chmod 440 /usr/local/proftpd/etc/virtualpasswd
/etc/init.d/proftpd restart

sasl

cd /usr/local/src/rpm/openssl_upgrade
rpm -Uhv --nodeps cyrus-sasl-*
rpm -e --nodeps cyrus-sasl-32bit-2.1.22-82
ln -s /usr/lib64/libsasl2.so.3.0.0 /usr/lib64/libsasl2.so.2
/etc/init.d/saslauthd stop
/etc/init.d/saslauthd start

sendmail

cd /usr/local/src/rpm/openssl_upgrade
cp -rp /etc/mail /etc/sendmail_mail_backup
chown root.root /etc/sendmail_mail_backup
chmod 700 /etc/sendmail_mail_backup
cp /usr/share/ssl/certs/* /usr/local/ssl/certs/.
rpm -Uhv sendmail-8.14.9-1.x86_64.rpm
cp -rp /etc/sendmail_mail_backup/* /etc/mail/.
cd /etc/mail
newaliases
rm *.db
make
sed -i "s/\/usr\/share\/ssl\/certs/\/usr\/local\/ssl\/certs/g" /etc/mail/sendmail.cf
/etc/init.d/sendmail stop
/etc/init.d/sendmail start

courier-authlib / courier-imap (consider making an email backup first!!!)

cd /usr/local/src/rpm/openssl_upgrade
ln -s /usr/local/sbin/courierlogger /usr/sbin/courierlogger
cp -rp /etc/courier-imap /etc/courier_imap_etc_backup
chown root.root /etc/courier_imap_etc_backup
chmod 700 /etc/courier_imap_etc_backup
cp -rp /etc/authlib /etc/authlib_etc_backup
chown root.root /etc/authlib_etc_backup
chmod 700 /etc/authlib_etc_backup
rpm -Uhv courier-authlib-0.66.1-13.x86_64.rpm courier-unicode-1.1-1.x86_64.rpm courier-authlib-userdb-0.66.1-13.x86_64.rpm courier-imap-4.15.1-1.suse1030.x86_64.rpm
sed -i "s/IMAP_TLS_REQUIRED=.*/IMAP_TLS_REQUIRED=0/g" /etc/courier-imap/imapd-ssl
sed -i "s/POP3_TLS_REQUIRED=.*/POP3_TLS_REQUIRED=0/g" /etc/courier-imap/pop3d-ssl
 
sed -i "s/TLS_PROTOCOL=.*/TLS_PROTOCOL=\"TLS1_2:TLS1_1:TLS1_0\"/g" /etc/courier-imap/imapd-ssl
sed -i "s/TLS_PROTOCOL=.*/TLS_PROTOCOL=\"TLS1_2:TLS1_1:TLS1_0\"/g" /etc/courier-imap/pop3d-ssl
 
sed -i "s/TLS_STARTTLS_PROTOCOL=.*/TLS_STARTTLS_PROTOCOL=TLS1_2/g" /etc/courier-imap/imapd-ssl
sed -i "s/TLS_STARTTLS_PROTOCOL=.*/TLS_STARTTLS_PROTOCOL=TLS1_2/g" /etc/courier-imap/pop3d-ssl
cp /etc/rc.d/init.d/courier-authlib /etc/init.d/.
chmod 755 /etc/init.d/courier-authlib

cp -rp /etc/authlib_etc_backup/* /etc/authlib/.


change BITS=768 to BITS=2048 in mkdhparams and execute the script

sed -i 's|BITS=768|BITS=2048|g' /usr/lib/courier-imap/share/mkdhparams
/usr/lib/courier-imap/share/mkdhparams
/etc/init.d/courier-imap restart
/etc/init.d/courier-authlib restart

bind

cd /usr/local/src/rpm/openssl_upgrade
rpm -Uhv bind-9.10.1-1.x86_64.rpm
chkconfig courier-authlib on

In the file /usr/local/nagios/libexec/check_bac_procs, insert the following line: 'couriertls -statusfd=7 -printx509=9 -localfd=5 -tcpd -server'

Test (when testing from a hosting production server, the new OpenSSL client under "/usr/local/ssl/bin" must be used):

openssl s_client -showcerts -connect login-21.loginserver.ch:995

Should produce the following output:

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit 
Secure Renegotiation IS supported 
Compression: NONE 
Expansion: NONE 
SSL-Session: 
    Protocol  : TLSv1.2

The important line is Protocol : TLSv1.2
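Added example, not part of the wiki page: two small shell checks for the results the procedure above expects, one for the s_client output (Protocol TLSv1.2) and one for the courier-imap imapd-ssl/pop3d-ssl settings written by the sed edits. The sample inputs are constructed from the text above; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the wiki page). Offline checks for two results the
# upgrade procedure expects; sample inputs below are constructed, not captured.
#   tls_protocol_ok - s_client output reports "Protocol  : TLSv1.2"
#   courier_ssl_ok  - imapd-ssl/pop3d-ssl carries the values set by the sed edits
# On a server, feed real data instead, e.g.:
#   tls_protocol_ok "$(openssl s_client -connect HOST:995 </dev/null 2>/dev/null)"
#   courier_ssl_ok "$(cat /etc/courier-imap/imapd-ssl)"

# Return 0 if the SSL-Session block reports TLSv1.2, 1 otherwise.
tls_protocol_ok() {
    printf '%s\n' "$1" | grep -q '^ *Protocol *: *TLSv1\.2 *$'
}

# Return 0 if both TLS_PROTOCOL and TLS_STARTTLS_PROTOCOL have the expected
# values on uncommented lines, 1 otherwise (a commented line does not count).
courier_ssl_ok() {
    printf '%s\n' "$1" | grep -q '^TLS_PROTOCOL="TLS1_2:TLS1_1:TLS1_0"$' &&
    printf '%s\n' "$1" | grep -q '^TLS_STARTTLS_PROTOCOL=TLS1_2$'
}

# Constructed sample: the tail of the s_client output shown above.
GOOD_SCLIENT='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2'

# Constructed sample of a server that still negotiates plain TLSv1.
OLD_SCLIENT='SSL-Session:
    Protocol  : TLSv1'

# Constructed imapd-ssl fragments: after the sed edits, and before them.
GOOD_COURIER='TLS_PROTOCOL="TLS1_2:TLS1_1:TLS1_0"
TLS_STARTTLS_PROTOCOL=TLS1_2'
OLD_COURIER='TLS_PROTOCOL=SSL23
TLS_STARTTLS_PROTOCOL=TLS1'

main() {
    tls_protocol_ok "$GOOD_SCLIENT" && echo "s_client: TLSv1.2 ok"
    tls_protocol_ok "$OLD_SCLIENT"  || echo "s_client: TLSv1.2 NOT negotiated"
    courier_ssl_ok  "$GOOD_COURIER" && echo "imapd-ssl: TLS settings ok"
    courier_ssl_ok  "$OLD_COURIER"  || echo "imapd-ssl: TLS settings NOT applied"
}
main
```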


already patched servers
Reseller
- done on all res servers (9.9.2015)