Tuesday, January 20, 2015

No more poodles!

I love dogs, I really do. However, I'm going to say it again - no more poodles! Stop this heartbleeding beast that bites our good old systems. This post isn't about Oracle, but it's close enough to be here.

Let's discuss a quite inexpensive way to enforce the latest and greatest security protocols and standards on old systems.

I'm going to show you how to increase the security of your system. To achieve this you should complete the following:

  •  Prepare system for installation
  •  Install and configure 3rd party applications 
  •  Install and configure OpenSSL 1.0
  •  Install and configure Apache 2.4

Starting point.

To reproduce an old system I'm going to use VirtualBox with a trial RedHat AS 4.8 and Oracle XE to simulate a business application on it. The operating system architecture is 32 bit and there are no upgrades, updates or patches.

The business application resides on the system and should be exposed to external users with the maximum protection available. Normally it uses Oracle HTTP Server 10g with Oracle Wallet to accept HTTPS requests.

To simplify this document I'm going to omit all certificate configuration details and will use my own CA and prepared certificates. There are plenty of posts around openssl and certificate requests.

The Apache server shipped with RedHat 4.8 is version 2.0, so you have only the SSLv2, SSLv3 and TLSv1.0 protocols. Frankly speaking, it may be enough for your tasks and you may skip everything down to the reverse proxy configuration. However, TLSv1.0 is almost the same as SSLv3.0 and may be compromised as well.

I accept no compromises and chase perfection: no weak ciphers, no heartbleeds and no poodles!

Prepare operating system

As we are going to install software from sources we need to install development packages, libraries and compilers. Mount the file system with your RedHat installation or, in my case, insert the DVD image into the virtual DVD device.

Important notice: all commands are executed as the root user or through sudo rights.

Install the packages as below (assuming the media is mounted as /media/cdrom):

# rpm -Uvh /media/cdrom/RedHat/RPMS/kernel-devel-2.6.9-67.EL.i686.rpm
# rpm -Uvh /media/cdrom/RedHat/RPMS/gcc-3.4.6-9.i386.rpm \
/media/cdrom/RedHat/RPMS/glibc-devel-2.3.4-2.39.i386.rpm \
/media/cdrom/RedHat/RPMS/glibc-kernheaders-2.4-9.1.100.EL.i386.rpm \
/media/cdrom/RedHat/RPMS/glibc-headers-2.3.4-2.39.i386.rpm
# rpm -Uvh /media/cdrom/RedHat/RPMS/gcc-c++-3.4.6-9.i386.rpm \
/media/cdrom/RedHat/RPMS/libstdc++-devel-3.4.6-9.i386.rpm

OpenSSL

As part of the overall security increase you need to upgrade the existing OpenSSL installation.
# wget http://www.openssl.org/source/openssl-1.0.1k.tar.gz
--18:13:35--  http://www.openssl.org/source/openssl-1.0.1k.tar.gz
           => `openssl-1.0.1k.tar.gz'
Resolving www.openssl.org... 185.9.166.106
Connecting to www.openssl.org|185.9.166.106|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4,434,910 (4.2M) [application/x-gzip]
100%[================================================>] 4,434,910    704.70K/s    ETA 00:00
18:13:44 (508.59 KB/s) - `openssl-1.0.1k.tar.gz' saved [4434910/4434910]

Check the MD5 sum of the download. The correct value is d4f002bd22a56881340105028842ae1f

# md5sum openssl-1.0.1k.tar.gz

d4f002bd22a56881340105028842ae1f  openssl-1.0.1k.tar.gz

Unpack the archive and go to the OpenSSL sources

# tar zxf openssl-1.0.1k.tar.gz
# cd openssl-1.0.1k

Configure the installation with the default directories:

# ./config --prefix=/usr/local --openssldir=/usr/local/openssl
………………………………………
[1]: Entering directory `/root/openssl-1.0.1k/apps'
make[1]: Nothing to be done for `generate'.
make[1]: Leaving directory `/root/openssl-1.0.1k/test'
Configured for linux-elf.
#

There should be no error messages yet. Compile the libraries (check for errors):

# make
……………………………
make[2]: Leaving directory `/root/openssl-1.0.1k/test'
make[1]: Leaving directory `/root/openssl-1.0.1k/test'
making all in tools...
make[1]: Entering directory `/root/openssl-1.0.1k/tools'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/root/openssl-1.0.1k/tools'
#

If the binaries were compiled with no errors, install them:

# make install
.......................................
make[1]: Entering directory `/root/openssl-1.0.1k/test'
make[1]: Nothing to be done for `install'.
make[1]: Leaving directory `/root/openssl-1.0.1k/test'
making install in tools...
make[1]: Entering directory `/root/openssl-1.0.1k/tools'
make[1]: Leaving directory `/root/openssl-1.0.1k/tools'
installing libcrypto.a
installing libssl.a
cp libcrypto.pc /usr/local/lib/pkgconfig
chmod 644 /usr/local/lib/pkgconfig/libcrypto.pc
cp libssl.pc /usr/local/lib/pkgconfig
chmod 644 /usr/local/lib/pkgconfig/libssl.pc
cp openssl.pc /usr/local/lib/pkgconfig
chmod 644 /usr/local/lib/pkgconfig/openssl.pc
# cd ~/

Validate the installation

# openssl version
OpenSSL 1.0.1k 8 Jan 2015

Install PCRE libraries

Apache HTTP server requires Perl Compatible Regular Expressions.

Get the sources

# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.36.tar.gz
--19:35:56--  ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.36.tar.gz
           => `pcre-8.36.tar.gz'
Resolving ftp.csx.cam.ac.uk... 131.111.8.115
Connecting to ftp.csx.cam.ac.uk|131.111.8.115|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /pub/software/programming/pcre ... done.
==> PASV ... done.    ==> RETR pcre-8.36.tar.gz ... done.
Length: 2,009,464 (1.9M) (unauthoritative)
100%[=======================================>] 2,009,464    482.35K/s    ETA 00:00
19:36:03 (418.19 KB/s) - `pcre-8.36.tar.gz' saved [2009464]

Extract the archive

# tar zxf pcre-8.36.tar.gz
# cd pcre-8.36

Configure and install the libraries

# ./configure
……………………………
pcre-8.36 configuration summary:
    Install prefix .................. : /usr/local
    C preprocessor .................. : gcc -E
    C compiler ...................... : gcc
    Use JIT in pcregrep ............. : no
    Buffer size for pcregrep ........ : 20480
    Link pcregrep with libz ......... : no
    Link pcregrep with libbz2 ....... : no
    Link pcretest with libedit ...... : no
    Link pcretest with libreadline .. : no
    Valgrind support ................ : no
    Code coverage ................... : no

# make
……………………
  CXX      pcre_scanner_unittest-pcre_scanner_unittest.o
  CXXLD    pcre_scanner_unittest
  CXX      pcre_stringpiece_unittest-pcre_stringpiece_unittest.o
  CXXLD    pcre_stringpiece_unittest
make[1]: Leaving directory `/root/pcre-8.36'

# make install
…………………….
CCLD     pcregrep
  CXX      pcrecpp_unittest-pcrecpp_unittest.o
  CXXLD    pcrecpp_unittest
  CXX      pcre_scanner_unittest-pcre_scanner_unittest.o
  CXXLD    pcre_scanner_unittest
  CXX      pcre_stringpiece_unittest-pcre_stringpiece_unittest.o
  CXXLD    pcre_stringpiece_unittest
make[1]: Leaving directory `/root/pcre-8.36'

# cd ~/

Install Apache HTTP server binaries

Download the latest stable version (at this time it's 2.4.10, so adjust the document accordingly for your current version).

# wget http://apache.mirrors.tds.net//httpd/httpd-2.4.10.tar.gz
--19:15:51--  http://apache.mirrors.tds.net//httpd/httpd-2.4.10.tar.gz
           => `httpd-2.4.10.tar.gz'
Resolving apache.mirrors.tds.net... 216.165.129.134
Connecting to apache.mirrors.tds.net|216.165.129.134|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6,820,719 (6.5M) [application/x-gzip]
100%[========================================>] 6,820,719      1.73M/s    ETA 00:00
19:15:56 (1.41 MB/s) - `httpd-2.4.10.tar.gz' saved [6820719/6820719]
#

Check the MD5 value. The correct one is 9b5f9342f73a6b1ad4e8c4b0f3f5a159

# md5sum httpd-2.4.10.tar.gz

9b5f9342f73a6b1ad4e8c4b0f3f5a159  httpd-2.4.10.tar.gz

Download the latest APR and APR-Util sources

- APR MD5 is d3538d67e6455f48cc935d8f0a50a1c3

# wget http://mirror.metrocast.net/apache//apr/apr-1.5.1.tar.gz
--19:24:08--  http://mirror.metrocast.net/apache//apr/apr-1.5.1.tar.gz
           => `apr-1.5.1.tar.gz'
Resolving mirror.metrocast.net... 65.175.128.102, 2606:f400:400:0:65:175:128:102
Connecting to mirror.metrocast.net|65.175.128.102|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,020,833 (997K) [application/x-gzip]
100%[===============================================>] 1,020,833    806.48K/s
19:24:10 (804.12 KB/s) - `apr-1.5.1.tar.gz' saved [1020833/1020833]

# md5sum apr-1.5.1.tar.gz
d3538d67e6455f48cc935d8f0a50a1c3  apr-1.5.1.tar.gz

- APR-Util MD5 is 866825c04da827c6e5f53daff5569f42

Fetch apr-util-1.5.4.tar.gz (the archive unpacked below) from the same mirror directory and verify it against the value above:

# wget http://mirror.metrocast.net/apache//apr/apr-util-1.5.4.tar.gz
# md5sum apr-util-1.5.4.tar.gz
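As an added example (not part of the original post), a small POSIX shell script that performs the manual checksum checks above in one go and refuses to unpack an archive whose MD5 does not match. The file names and hashes are the ones listed in this post; it assumes GNU md5sum and tar as found on the RedHat box.

```shell
#!/bin/sh
# Added example, not from the original post: verify downloaded tarballs
# against the MD5 values published with them before unpacking, and stop
# the build at the first mismatch. Assumes GNU coreutils md5sum and tar.

# Print the MD5 digest of a file (first field of md5sum output).
file_md5() {
    md5sum "$1" | cut -d' ' -f1
}

# Return 0 if FILE's digest equals EXPECTED (case-insensitive), else 1.
verify_md5() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(file_md5 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file $actual"
        return 0
    fi
    echo "FAIL $file expected $expected got $actual" >&2
    return 1
}

# Verify, then unpack only on success; a bad archive is left untouched.
verify_and_extract() {
    verify_md5 "$1" "$2" || return 1
    tar zxf "$1"
}

# Check every tarball used in this post (hashes as given in the text).
# Returns non-zero at the first mismatch so the build does not proceed.
check_all() {
    set -- \
        openssl-1.0.1k.tar.gz d4f002bd22a56881340105028842ae1f \
        httpd-2.4.10.tar.gz   9b5f9342f73a6b1ad4e8c4b0f3f5a159 \
        apr-1.5.1.tar.gz      d3538d67e6455f48cc935d8f0a50a1c3 \
        apr-util-1.5.4.tar.gz 866825c04da827c6e5f53daff5569f42
    while [ $# -ge 2 ]; do
        verify_md5 "$1" "$2" || return 1
        shift 2
    done
}
```

Run check_all from the directory holding the tarballs. Since the archives arrive over plain HTTP and FTP, the hash only catches corruption unless the expected value itself comes from a trusted source such as the project's signed release announcement.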

Extract and prepare the sources

# tar zxf httpd-2.4.10.tar.gz
# tar zxf apr-1.5.1.tar.gz
# tar zxf apr-util-1.5.4.tar.gz
# mv apr-1.5.1 httpd-2.4.10/srclib/apr
# mv apr-util-1.5.4 httpd-2.4.10/srclib/apr-util
# cd httpd-2.4.10

Configure the installation

# ./configure --prefix=/usr/local/apache2 --enable-ssl
………………………
config.status: creating support/log_server_status
config.status: creating support/logresolve.pl
config.status: creating support/phf_abuse_log.cgi
config.status: creating support/split-logfile
config.status: creating build/rules.mk
config.status: creating build/pkg/pkginfo
config.status: creating build/config_vars.sh
config.status: creating include/ap_config_auto.h
config.status: executing default commands
#

Build the binaries

# make
……………………………………………
/root/httpd-2.4.10/srclib/apr/libtool --silent --mode=link gcc -std=gnu99  -g -O2 -pthread -o mod_rewrite.la -rpath /usr/local/apache2/modules -module -avoid-version  mod_rewrite.lo
make[4]: Leaving directory `/root/httpd-2.4.10/modules/mappers'
make[3]: Leaving directory `/root/httpd-2.4.10/modules/mappers'
make[2]: Leaving directory `/root/httpd-2.4.10/modules'
make[2]: Entering directory `/root/httpd-2.4.10/support'
make[2]: Leaving directory `/root/httpd-2.4.10/support'
make[1]: Leaving directory `/root/httpd-2.4.10'
#

Install the new server binaries

# make install
…………………………
mkdir /usr/local/apache2/conf
mkdir /usr/local/apache2/conf/extra
mkdir /usr/local/apache2/conf/original
mkdir /usr/local/apache2/conf/original/extra
Installing HTML documents
mkdir /usr/local/apache2/htdocs
Installing error documents
mkdir /usr/local/apache2/error
Installing icons
mkdir /usr/local/apache2/icons
mkdir /usr/local/apache2/logs
Installing CGIs
mkdir /usr/local/apache2/cgi-bin
Installing header files
Installing build system files
Installing man pages and online manual
mkdir /usr/local/apache2/man
mkdir /usr/local/apache2/man/man1
mkdir /usr/local/apache2/man/man8
mkdir /usr/local/apache2/manual
make[1]: Leaving directory `/root/httpd-2.4.10'
#

All binaries are in place and we are ready to complete system configuration.

Here is the system and Apache configuration.
