OpenSSL with version information under SLES11 SP1

If you get errors like this one

$ /path/to/program
/usr/lib/libcrypto.so.0.9.8: no version information available

the program was linked against a libcrypto whose symbols carry a version node, and the SLES build of libcrypto.so.0.9.8 has none. `readelf -V /path/to/program` shows the version the program expects (a "Version needs" entry for libcrypto.so.0.9.8), and `readelf -V /usr/lib/libcrypto.so.0.9.8` shows no "Version definition" section at all. You need a libcrypto.so and a libssl.so with version information.

Here is some background on the problem.

OpenSSL has evolved into a very important library in Linux distributions. A
lot of cryptographic applications link to it, including system libraries
like PAM modules and Apache modules. It becomes more and more difficult to
get all binaries and libraries to link against the same version of OpenSSL.
This leads to situations where an application uses several libraries, one of
which links to OpenSSL 0.9.7 and another to 0.9.8. Since the symbols of the
libraries are not versioned, both copies get loaded into the same process and
the dynamic linker resolves each symbol to whichever copy it found first,
which leads to severe segfaults. With versioned symbols the linker can tell
the two apart, because every reference names the version node it was linked
against.

Install the source package from the repository

$ zypper in -t srcpackage openssl

Create two patches. The first goes into the SOURCES directory:

/usr/src/packages/SOURCES/openssl-version-patch.patch

diff -Naur openssl-0.9.8h/Configure openssl-0.9.8h-new/Configure
--- openssl-0.9.8h/Configure	2008-05-02 01:11:30.000000000 +0200
+++ openssl-0.9.8h-new/Configure	2011-02-22 15:30:05.000000000 +0100
@@ -1327,6 +1327,8 @@
 	$shlib_minor=$2;
 	}

+$shared_ldflag .= " -Wl,--version-script=openssl.ld";
+
 open(IN,'$Makefile.new") || die "unable to create $Makefile.new:$!\n";
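Review bot: the context of this hunk does not match the upstream Configure and will be rejected by `patch -p1`: the line `open(IN,'$Makefile.new") || die ...` mixes a single and a double quote, which cannot be valid Perl, and the hunk carries fewer context lines than its `@@ -1327,6 +1327,8 @@` header announces. Regenerate it with `diff -Naur` against a pristine 0.9.8h tree. Also, `--version-script=openssl.ld` is a path relative to wherever the link command runs, which is why a second copy of the file is needed under engines/ below; spelling it via the `$(TOP)` variable the Makefiles already use would let one file serve both.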
diff -Naur openssl-0.9.8h/engines/openssl.ld openssl-0.9.8h-new/engines/openssl.ld
--- openssl-0.9.8h/engines/openssl.ld	1970-01-01 01:00:00.000000000 +0100
+++ openssl-0.9.8h-new/engines/openssl.ld	2011-02-22 15:31:41.000000000 +0100
@@ -0,0 +1,4 @@
+OPENSSL_0.9.8 {
+    global:
+       *;
+};
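Review bot: `global: *;` with no `local:` clause tags every exported symbol, internal helpers included, with OPENSSL_0.9.8. That is enough for the stated goal (a version node for the dynamic linker to match against the program's version need) but it is not an ABI restriction, so it should not be read as one. The file is byte-identical to the top-level openssl.ld added further down; the duplicate exists only because the engines are linked from their own directory, so keep the two in sync or reference a single file by path.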
diff -Naur openssl-0.9.8h/Makefile openssl-0.9.8h-new/Makefile
--- openssl-0.9.8h/Makefile	2008-05-28 10:48:27.000000000 +0200
+++ openssl-0.9.8h-new/Makefile	2011-02-22 15:30:59.000000000 +0100
@@ -140,9 +140,9 @@
 LIBS=   libcrypto.a libssl.a
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
-SHARED_LIBS=
-SHARED_LIBS_LINK_EXTS=
-SHARED_LDFLAGS=
+SHARED_LIBS=$(SHARED_FIPS) $(SHARED_CRYPTO) $(SHARED_SSL)
+SHARED_LIBS_LINK_EXTS=.so.$(SHLIB_MAJOR) .so
+SHARED_LDFLAGS=-m64 -Wl,--version-script=openssl.ld

 GENERAL=        Makefile
 BASENAME=       openssl
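Review bot: `Makefile` is regenerated from Makefile.org by Configure during the build (the spec's own lib64 fix-up loop further down edits Makefile.org, not Makefile), so everything in this hunk is overwritten before libcrypto and libssl are linked; move the change into Makefile.org or rely on the Configure hunk alone. The hard-coded `-m64` in `SHARED_LDFLAGS=-m64 -Wl,--version-script=openssl.ld` also breaks an i586 build of the same spec; the original line leaves SHARED_LDFLAGS empty for Configure to fill in.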
diff -Naur openssl-0.9.8h/openssl.ld openssl-0.9.8h-new/openssl.ld
--- openssl-0.9.8h/openssl.ld	1970-01-01 01:00:00.000000000 +0100
+++ openssl-0.9.8h-new/openssl.ld	2011-02-22 15:31:48.000000000 +0100
@@ -0,0 +1,4 @@
+OPENSSL_0.9.8 {
+    global:
+       *;
+};

The second patches the spec file:

/usr/src/packages/SPECS/openssl.spec.patch

--- openssl.spec	2011-02-22 17:00:26.000000000 +0100
+++ openssl-new.spec	2011-02-22 16:59:58.000000000 +0100
@@ -32,7 +32,7 @@
 %endif
 #
 Version:        0.9.8h
-Release:        30.30.1
+Release:        30.30.1.custom
 Summary:        Secure Sockets and Transport Layer Security
 Url:            http://www.openssl.org/
 Source:         http://www.%{name}.org/source/%{name}-%{version}.tar.bz2
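Review bot: `30.30.1.custom` sorts above 30.30.1 but below the next vendor release (30.30.2 or anything later), so the next SUSE security update for openssl silently replaces this build and the version node disappears with it, bringing the warning and the segfaults back. Either lock the package (`zypper addlock openssl`) and re-apply the patch on every update, or pick a Release that is documented as local and checked after each update.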
@@ -67,6 +67,7 @@
 Patch26:        bug608666.patch
 Patch27:        CVE-2010-3864.patch
 Patch28:        CVE-2010-4180.patch
+Patch29:	openssl-version-patch.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
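Review bot: the added `Patch29:` line separates the tag from its value with a tab while the surrounding Patch26..Patch28 lines use spaces; match the neighbouring alignment so the block stays uniform.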
@@ -222,6 +223,7 @@
 %patch26 -p1
 %patch27 -p1
 %patch28 -p1
+%patch29 -p1
 cp -p %{S:10} .
 # lib64 installation fixes
 for i in Makefile.org engines/Makefile; do
@@ -433,6 +435,8 @@
 %{_bindir}/%{name}

 %changelog
+* Tue Feb 22 2011 rmichel@devnu11.net
+- added for rsa usage the version information.
 * Tue Dec  7 2010 gjhe@novell.com
 - fix bug [bnc#657663]
   CVE-2010-4180
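Review bot: the changelog entry "added for rsa usage the version information" tells a later maintainer neither what was changed nor why. Name the patch and its effect, for example "- openssl-version-patch.patch: link libcrypto/libssl with an OPENSSL_0.9.8 version script so binaries built against a versioned OpenSSL no longer warn or segfault".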

Patch the spec file

$ cd /usr/src/packages/SPECS/
$ patch -i openssl.spec.patch
patching file openssl.spec

Build the new RPM packages

$ rpmbuild -bb /usr/src/packages/SPECS/openssl.spec

The packages land in /usr/src/packages/RPMS/<arch>/. Install them with rpm -Uvh and check with readelf -V /usr/lib/libcrypto.so.0.9.8 that a "Version definition" section naming OPENSSL_0.9.8 is now present.
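To see the mechanism without rebuilding OpenSSL, the script below reproduces the warning with a toy library: it builds libfoo.so.1 once with a one-node version script of the same shape as openssl.ld and once without, links a program against the versioned copy, and runs it against both. This is an added example and not code from the original post; it assumes gcc, GNU binutils (readelf) and the glibc dynamic linker, and the library, program and version-node name are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the ld.so warning with a
# toy library. Assumes gcc, GNU binutils (readelf) and glibc's dynamic linker.
set -eu

# Build libfoo.so.1 twice, once with a one-node version script (the same shape
# as openssl.ld above) and once without, plus a program linked against the
# versioned copy. Prints the scratch directory it worked in.
build_demo() {
    work=$(mktemp -d)
    cd "$work"
    cat > foo.c <<'EOF'
int foo_answer(void) { return 42; }
EOF
    cat > main.c <<'EOF'
#include <stdio.h>
int foo_answer(void);
int main(void) { printf("%d\n", foo_answer()); return 0; }
EOF
    # Version node name FOO_1.0 is made up; openssl.ld uses OPENSSL_0.9.8.
    cat > foo.ld <<'EOF'
FOO_1.0 {
    global:
        *;
};
EOF
    mkdir versioned unversioned
    gcc -shared -fPIC -Wl,-soname,libfoo.so.1 -Wl,--version-script=foo.ld \
        -o versioned/libfoo.so.1 foo.c
    gcc -shared -fPIC -Wl,-soname,libfoo.so.1 \
        -o unversioned/libfoo.so.1 foo.c
    # Linking against the versioned copy records "foo_answer@FOO_1.0" as a
    # version need in prog, just as the program at the top of this post
    # carries a version need for libcrypto.so.0.9.8.
    gcc -o prog main.c versioned/libfoo.so.1
    printf '%s\n' "$work"
}

# Does the library define any symbol version? readelf -V prints a
# "Version definition section" only when .gnu.version_d exists.
has_version_info() {
    readelf -V "$1" | grep -q 'Version definition section'
}

# Run prog against the library directory given as $1. Prints the number of
# "no version information available" warnings followed by prog's output;
# the warning is non-fatal, so the program still prints 42 either way.
run_against() {
    out=$(LD_LIBRARY_PATH="$1" ./prog 2>&1)
    warnings=$(printf '%s\n' "$out" | grep -c 'no version information available' || true)
    printf '%s %s\n' "$warnings" "$(printf '%s\n' "$out" | tail -n 1)"
}

# Stand-alone use: sh versioned-demo.sh run
if [ "${1:-}" = run ]; then
    dir=$(build_demo)
    cd "$dir"
    echo "versioned:   $(run_against versioned)"     # 0 42
    echo "unversioned: $(run_against unversioned)"   # 1 42
fi
```

The unversioned run is exactly the SLES situation: the program demands FOO_1.0 from libfoo.so.1, the copy it finds defines no versions, and ld.so warns but carries on. Swapping in the versioned copy removes the warning without touching the program, which is what the rebuilt libcrypto and libssl do for the binary above.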

Create a shared disk for VMware ESX guests

To share a disk between two or more VMs, log in to one of your ESX hosts and create a disk image in the VM's folder on the datastore:

cd /vmfs/volumes/#volume-name#/#vm-name#/;
vmkfstools -d thick -a lsilogic -c 50G shareddisk.vmdk;

Add the new hard drive to each guest and put it on a new SCSI bus (for example SCSI 2:0); VMware creates a new SCSI controller for it. Set SCSI Bus Sharing on that controller to Physical (guests on different hosts) or Virtual (guests on the same host). Only a cluster-aware filesystem or application may use the disk: two guests mounting an ordinary ext3 or NTFS volume on it at the same time will corrupt it. VMware's clustering guides also call for eagerzeroedthick rather than thick for such disks, so check what your cluster software requires before you hand it out.

Apache Tomcat & logrotate

Some Linux distributions ship without a logrotate config for catalina.out (the Tomcat application server log).

$ cat /etc/logrotate.d/tomcat
# Tomcat keeps catalina.out open and never reopens it, so the file has to be
# copied and truncated in place (copytruncate) instead of renamed. A "create"
# line would be ignored in this mode and is left out.
/var/log/tomcat/base/catalina.out {
	compress
	copytruncate
	rotate 30
	size 4M
}

catalina.out is rotated once it exceeds 4 MB (checked whenever logrotate's daily cron job runs), and the last 30 rotated copies are kept: with compress and no delaycompress they are /var/log/tomcat/base/catalina.out.1.gz, /var/log/tomcat/base/catalina.out.2.gz and so on. Note that rotate 30 counts files, not days. Because copytruncate keeps the original inode, Tomcat's open file descriptor still points at the live, now empty, catalina.out after the rotation; the small window between the copy and the truncate can lose a few lines, which is the documented price of this mode.
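The following script exercises the fragment above against a scratch catalina.out and checks the property that makes copytruncate the right mode for Tomcat: the live file keeps its inode, so the open descriptor in the JVM stays valid. It is an added example, not part of the original post; it assumes logrotate, gzip and GNU stat, and the 5 MiB log content is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): run the logrotate fragment above
# against a scratch catalina.out. Assumes logrotate, gzip and GNU stat (Linux).
set -eu

# Create a scratch log tree with a constructed 5 MiB catalina.out (over the
# 4M threshold) and the config from the post pointed at it. Prints the
# scratch directory. Permissions are set explicitly because logrotate
# ignores configs and parent directories that are group/world writable.
make_fixture() {
    work=$(mktemp -d)
    mkdir "$work/log"
    chmod 755 "$work/log"
    # constructed content: repeated fake Tomcat lines until 5 MiB
    yes 'INFO: Server startup in 1234 ms' | head -c $((5 * 1024 * 1024)) > "$work/log/catalina.out"
    cat > "$work/tomcat" <<EOF
$work/log/catalina.out {
    compress
    copytruncate
    rotate 30
    size 4M
}
EOF
    chmod 644 "$work/tomcat"
    printf '%s\n' "$work"
}

# Rotate once with a private state file and report three facts:
#   same inode before/after ("yes" means an open fd still writes to the live file),
#   size of the live file afterwards (0 after truncation),
#   whether catalina.out.1.gz appeared (compress, no delaycompress).
rotate_once() {
    work=$1
    log=$work/log/catalina.out
    before=$(stat -c %i "$log")
    logrotate -s "$work/state" "$work/tomcat"
    after=$(stat -c %i "$log")
    size=$(stat -c %s "$log")
    if [ "$before" = "$after" ]; then same=yes; else same=no; fi
    if [ -f "$log.1.gz" ]; then archived=yes; else archived=no; fi
    printf '%s %s %s\n' "$same" "$size" "$archived"
}

# Stand-alone use: sh rotate-demo.sh run
if [ "${1:-}" = run ]; then
    work=$(make_fixture)
    echo "same-inode live-size archived: $(rotate_once "$work")"   # yes 0 yes
fi
```

Run it a second time without refilling the log and nothing happens, because the live file is back below 4M; that is the size criterion doing its job, not a failure of the config.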

Linux routing basics

Your ISP assigns you a subnet, say 172.30.26.16/28, and your router has the
address 172.30.26.17 on the ISP-facing interface (eth0 here; eth1 is the
internal side). The hosts with the other addresses of the /28 sit behind the
router, so it has to forward for them and answer ARP on their behalf.

Enable IP forwarding in the kernel:

sysctl -w net.ipv4.ip_forward=1

Enable proxy ARP as well. This is necessary because your router must answer ARP requests for hosts other than itself: the ISP's router ARPs for 172.30.26.20 on eth0, and the internal hosts ARP for the ISP's gateway on eth1. Linux answers such requests for every address it has a route to via another interface.

sysctl -w net.ipv4.conf.eth0.proxy_arp=1
sysctl -w net.ipv4.conf.eth1.proxy_arp=1

Make the settings persistent in /etc/sysctl.conf:

net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.proxy_arp = 1
net.ipv4.conf.eth1.proxy_arp = 1

If the internal interface of the router carries no address from the public subnet, add a host route per internal host so the kernel knows which way to send its traffic (legacy route syntax; `ip route add 172.30.26.20 via 192.168.10.20 dev eth1` is the iproute2 equivalent):

route add -host 172.30.26.20 gw 192.168.10.20 eth1

Keep in mind that ip_forward=1 turns the box into a router for everything that reaches it, so put an iptables FORWARD policy in place before you rely on it as a border device.

Ubuntu PHP hardening with Suhosin

Ubuntu builds PHP with the Suhosin core patch; the Suhosin extension, which carries the tunable protections, is a separate package.

Install the Suhosin extension

aptitude install php5-suhosin

The package installs /etc/php5/conf.d/suhosin.ini, which every SAPI reads, so the settings can live there instead of in each of /etc/php5/{apache2,cli,cgi}/php.ini:

; suhosin parameters
; allow at most 4 "../" in an include path (limits include traversal)
suhosin.executor.include.max_traversal = 4
; disable eval(); breaks code that depends on it, so test your applications first
suhosin.executor.disable_eval = On
; disable the preg_replace() /e modifier, which executes the replacement as PHP code
suhosin.executor.disable_emodifier = On
; refuse mail() calls that look like header injection (extra newlines, smuggled Cc:/Bcc:); 2 is the strictest level
suhosin.mail.protect = 2
; abort the script with a fatal error when a query fails instead of running on
suhosin.sql.bailout_on_error = On

Restart Apache

service apache2 restart

Sometimes it is necessary to set suhosin.session.encrypt to Off for some login scripts: Suhosin transparently encrypts session data with a host-specific key, which breaks applications that share sessions between hosts or read the session files themselves.

Postfix as relayhost with SASL auth

Client configuration (notebook, workstation, whatever)

  1. Edit your /etc/postfix/main.cf:

    # TLS client parameters
    smtp_use_tls = yes
    smtp_enforce_tls = yes
    # Postfix >= 2.3 replaces the two lines above with the following; "secure"
    # also verifies the relay's certificate against smtp_tls_CAfile and checks
    # that its name matches the relayhost
    # smtp_tls_security_level = secure
    smtp_sasl_tls_security_options = $smtp_sasl_security_options
    smtp_tls_CAfile = /etc/ssl/certs/cacert.org.pem
    smtp_tls_loglevel = 0
    [...]
    relayhost = [mx1.example.com]:587
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    inet_interfaces = loopback-only
    [...]
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwords
    smtp_sasl_security_options = noanonymous

    The [ and ] stop Postfix from looking up the MX record for the host and make it connect to that name directly. Port 587 (submission) is reserved for mail clients, and some ISPs block port 25 anyway. noanonymous alone still allows the PLAIN and LOGIN mechanisms, which is intended here: they only ever run inside the enforced TLS session.

  2. Create your password map, /etc/postfix/sasl_passwords. The key must match the relayhost value exactly, brackets and port included, or Postfix finds no credentials and tries to relay without AUTH:

    [mx1.example.com]:587 username:password

  3. Build the lookup table and lock both files down. The .db holds the password in clear just like the text file, so deleting the text file gains nothing; keep it for later edits and make both readable by root only:

    postmap /etc/postfix/sasl_passwords
    chown root:root /etc/postfix/sasl_passwords /etc/postfix/sasl_passwords.db
    chmod 600 /etc/postfix/sasl_passwords /etc/postfix/sasl_passwords.db

Server configuration

  1. Nothing, if you already have a working mail server that offers AUTH on port 587. The user from /etc/postfix/sasl_passwords must of course exist in the server's SASL backend. If the client does not use SASL at all, your smtpd_*_restrictions on the mail server decide whether it may relay, so check them there.
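Two checks that come up when a relay setup like the one above misbehaves: hand-testing the credentials against the relay, and confirming that the key in sasl_passwords really equals relayhost. The script below is an added example and not part of the original post; host names, user and password are constructed placeholders, and the fixture it builds mirrors the client steps above, including the easy slip of a different domain in the map key.

```shell
#!/bin/sh
# Added example, not from the original post: checks for a relayhost client setup.
# All names, users and passwords below are constructed placeholders.
set -eu

# Base64 of "\0user\0password": the single token a client sends as
# "AUTH PLAIN <token>". Useful to test the relay by hand:
#   openssl s_client -starttls smtp -connect mx1.example.com:587
#   EHLO client.example.com
#   AUTH PLAIN <token>
auth_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# Postfix looks the credentials up with the relayhost value as the key, so the
# key in sasl_passwords must match relayhost byte for byte, brackets and port
# included; otherwise it relays without AUTH and the relay rejects the mail.
# Exit status 0 when main.cf's relayhost has a key in the map, 1 otherwise.
check_relay_key() {
    maincf=$1
    map=$2
    relay=$(sed -n 's/^[[:space:]]*relayhost[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$maincf" | tail -n 1)
    [ -n "$relay" ] || return 1
    awk -v key="$relay" '$1 == key { found = 1 } END { exit !found }' "$map"
}

# Constructed fixture: a main.cf as in the post, a matching map, and a map
# with a different domain in the key. The files are created with umask 077
# because, like the .db postmap builds from them, they hold a clear-text password.
make_fixture() {
    d=$(mktemp -d)
    printf 'relayhost = [mx1.example.com]:587\nsmtp_sasl_auth_enable = yes\n' > "$d/main.cf"
    (
        umask 077
        printf '[mx1.example.com]:587 username:password\n' > "$d/sasl_passwords"
        printf '[mx1.example.net]:587 username:password\n' > "$d/sasl_passwords.wrong"
    )
    printf '%s\n' "$d"
}

# Stand-alone use: sh relay-check.sh run
if [ "${1:-}" = run ]; then
    d=$(make_fixture)
    echo "AUTH PLAIN token for username/password: $(auth_plain_token username password)"
    check_relay_key "$d/main.cf" "$d/sasl_passwords" && echo "sasl_passwords: key matches relayhost"
    check_relay_key "$d/main.cf" "$d/sasl_passwords.wrong" || echo "sasl_passwords.wrong: no key for relayhost"
fi
```

The token function is the same encoding Postfix performs for the PLAIN mechanism; pasting its output into an s_client session separates "wrong password" from "wrong map key" in a minute, which the client's log alone does not always make obvious.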