HOWTO: Upgrading OpenSSL
Looking over several hosts' servers in the past few nights has made me realize that almost no one has upgraded OpenSSL beyond 0.9.6b, and I thought maybe a howto could help a few of those hosts escape being exploited because of it.
------------------------------------------------------------
Title: Upgrading OpenSSL on Redhat Servers
Revision: 1.0.4
Date: June 28th, 2003
Time: 2:50am CST
Description: Guide for installing and upgrading OpenSSL services on a typical Redhat server to close the very common OpenSSL hole that is plaguing many servers today.
Difficulty: 6/10
------------------------------------------------------------
Disclaimer:
THIS HOWTO IS PROVIDED BY NULL-ROUTE DOT COM "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NULL-ROUTE DOT COM. OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
------------------------------------------------------------
Introduction:
Many servers today still have a common hole that allows anyone local access to a server as the apache user. The main part of the exploit was found to be in mod_ssl 2.8.12, but many underlying faults lie in OpenSSL installations and libraries below version 0.9.6j. Upgrading mod_ssl to version 2.8.14 generally slows an intruder down but will not stop someone who is determined and knows about the older OpenSSL libraries.
This howto explains how to properly remove the older symlinks made by the Redhat installer and gives details on installing a secure version of OpenSSL.
NOTE: This guide is for installing OpenSSL 0.9.6j. At the time of this writing I felt the 0.9.7x series was still too new for a production environment, but using 0.9.7x should work fine in all instances.
After upgrading the OpenSSL binary and libraries, any other program that depends on them will also need to be recompiled to take advantage of the new libraries unless it was compiled with dynamic library support (most applications are compiled statically).
This howto assumes the reader has a general knowledge of Linux and of the command line interface for installing applications, and has root access to the server. Readers with minimal knowledge of Linux or of compiling and installing software should not attempt this without proper supervision from a system administrator, nor attempt it on a production server.
Pre-Installation:
Before beginning installation you should verify that your server is indeed open to this exploit because of an older OpenSSL installation. To verify, at the command line type:
Code:
openssl version
You should see output similar to the following, where the version is shown on the second line:
Code:
[root@grep root]# openssl version
OpenSSL 0.9.6b [engine] 9 Jul 2001
[root@grep root]#
To run a second check from outside the server, visit this script: http://null-route.com/httpv.php
Note: This script is privately hosted by myself and will not log any server addresses you enter into it.
After running the second check you should get a result looking like this:
Server domain.com: Apache/1.3.27 (Unix) mod_ssl/2.8.14 OpenSSL/0.9.6b PHP/4.3.2 mod_perl/1.27 FrontPage/5.0.2.2510
As you can see, the server is running OpenSSL 0.9.6b and would be open to many exploits even though mod_ssl is running the latest version.
Installation and upgrading:
To begin installation we will need to download the OpenSSL 0.9.6j source tarball to the server we will be upgrading. I generally put all my source files in /usr/src to keep them for later in case I need them.
Code:
# cd /usr/src
# wget http://www.openssl.org/source/openssl-0.9.6j.tar.gz
# tar -xvzf openssl-0.9.6j.tar.gz
# cd openssl-0.9.6j/
We now need to remove all old symlinks to older versions of OpenSSL before we begin.
Code:
# rm /usr/lib/libssl.so.0
# rm /usr/lib/libssl.so
# rm /lib/libssl.so.2
# rm /lib/libcrypto.so.2
# rm /usr/lib/libcrypto.so.0
NOTE: On older systems this may take several hours. On a P4 2.4 GHz equipped with 1 GB RAM it took me around 20 minutes to fully configure/compile/install OpenSSL. Your build times will vary depending on equipment and the current load of the server.
We now begin by configuring our new installation of OpenSSL with shared library support, and with threading support turned off to increase speed with mod_ssl.
Code:
# ./config no-threads shared
Code:
# make
# make test
# make install
After make install has run, we register our OpenSSL library path with the dynamic linker:
Code:
# echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
# ldconfig -v
Then recreate the symlinks removed earlier so that they point at the new 0.9.6 libraries:
Code:
# ln -s /usr/lib/libssl.so.0.9.6 /lib/libssl.so.2
# ln -s /usr/lib/libcrypto.so.0.9.6 /usr/lib/libcrypto.so.0
# ln -s /usr/lib/libcrypto.so.0.9.6 /lib/libcrypto.so.2
NOTE: I will try to do a howto covering the upgrading of OpenSSH within a few days to aid in the process.
NOTE: If, after building OpenSSL, openssl version still reports an older version, you will need to run make clean and add --prefix=/usr to the config command I used earlier:
Code:
# ./config --prefix=/usr no-threads shared
# make
# make install
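As an added example (not part of the original howto), the following POSIX sh script applies this guide's rule, anything below 0.9.6j is out of date while 0.9.7x is acceptable, to either the output of the pre-installation openssl version check or the OpenSSL token in the Apache Server header that the httpv.php check returns, so the same test can confirm after the build that the binary in PATH now reports a new enough version. The function names are my own, and the script assumes the single-letter patch suffix OpenSSL used at the time (0.9.6b, 0.9.6j).

```shell
#!/bin/sh
# Added example, not from the original howto: apply this guide's rule
# (anything below OpenSSL 0.9.6j is out of date; 0.9.7x is acceptable)
# to a version string from "openssl version" or from an Apache Server header.
# Function names are my own. Assumes a single-letter patch suffix (0.9.6b).

# Pull the bare version token, e.g. "0.9.6b", out of either input form:
#   "OpenSSL 0.9.6b [engine] 9 Jul 2001"
#   "Apache/1.3.27 (Unix) mod_ssl/2.8.14 OpenSSL/0.9.6b PHP/4.3.2"
openssl_version_token() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL[ /]\([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Convert "major.minor.patch[letter]" into one integer so versions can be
# compared with -lt: letter a..z counts 1..26, no letter counts 0, since
# 0.9.6 is older than 0.9.6a and 0.9.6j is older than 0.9.7.
version_num() {
    num=${1%%[a-z]*}          # "0.9.6"
    suf=${1#"$num"}           # "b" or empty
    major=${num%%.*}
    rest=${num#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ -n "$suf" ]; then
        s=$(( $(printf '%d' "'$suf") - 96 ))   # 'a' is ASCII 97
    else
        s=0
    fi
    echo $(( major * 100000000 + minor * 100000 + patch * 100 + s ))
}

# Exit status 0 when the OpenSSL version in the string is below 0.9.6j,
# 1 when it is 0.9.6j or newer, 2 when no OpenSSL version is present.
is_below_floor() {
    tok=$(openssl_version_token "$1")
    [ -n "$tok" ] || return 2
    [ "$(version_num "$tok")" -lt "$(version_num 0.9.6j)" ]
}

# Run the check against the openssl binary found first in PATH; after the
# build this should report "up to date" with a version of 0.9.6j or newer.
check_local_openssl() {
    out=$(openssl version 2>/dev/null) || { echo "openssl not found in PATH"; return 2; }
    if is_below_floor "$out"; then
        echo "OUT OF DATE: $out"; return 1
    fi
    echo "up to date: $out"
}
```

Source the file and call check_local_openssl before and after the upgrade; if it still prints OUT OF DATE after make install, the old binary is still first in PATH and the --prefix=/usr rebuild above applies.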
If you have found any glaring typos, or outdated info in this document, please let me know.