In the early 1990s most of the traffic carried by Internet application protocols such as IMAP, SMTP, HTTP, FTP, LDAP, SNMP and POP was unencrypted. Applications using those protocols authenticated much as they do today, with a valid user ID and password, but those critical credentials crossed the network in plain text from one system to another.
Since this made it trivial for an intruder to compromise a supposedly secure system by simply sniffing the network for credentials, Netscape designed SSL (Secure Sockets Layer), a cryptographic protocol that provides communication security on top of the Internet protocols; SSL 2.0 was the first version to ship, in February 1995 (SSL 1.0 was never publicly released). That solution has since evolved into TLS (Transport Layer Security).
OpenSSL is a robust, commercial-grade, full-featured open source toolkit that implements SSL v2/v3 and TLS v1.0, v1.1 and v1.2 (the last two arrived with the 1.0.1 series) on top of a general-purpose cryptography library. It is developed and maintained by the OpenSSL Project and is used widely by open source projects and by many commercial products. If you are a Linux user of any capacity, whether a simple user or a system administrator, you are almost certainly relying on OpenSSL already, so continue reading.
Without a shadow of a doubt, OpenSSL offers a robust implementation of SSL/TLS that protects data in transit over the Internet protocols. However, just like any other program, it is not immune to flaws: programmers are human and humans make mistakes.
On May 10th 2012 the OpenSSL Project released a new version of the software, openssl-1.0.1c, which is essentially a fix for a flaw in the TLS 1.1, TLS 1.2 and DTLS record-processing code discovered by Codenomicon through fuzzing (CVE-2012-2333: the record length was not sanity-checked before the explicit IV was skipped). The bug can be exploited to cause a denial of service against either a client or a server.
The good news is that this is not the kind of vulnerability that just anybody can use to take over a system: it is a denial of service, not remote code execution. Besides, Stephen Henson of the OpenSSL core developer team has already written a fix, released on May 10th of this year.
The bad news is that a vulnerability is always a vulnerability: hacking communities tend to write code that automatically exploits known vulnerabilities and add it to readily available toolkits, after which anybody who is computer literate can point that toolkit at a system that still has the flaw. Therefore I highly recommend upgrading OpenSSL on your systems.
To help address this, I am going to share the steps I took to patch my systems. This is not a one-click solution, so if you are in for this ride, please fasten your seat belt and enjoy it.
Here we go again:
Step 1) As the root user, move into ‘/var/tmp’ and download the latest OpenSSL source tarball.
[root@jcweb ~]# cd /var/tmp
[root@jcweb tmp]# wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
Note: I did not include the step I took to validate the authenticity of the source code I downloaded, so don't forget to do it. The tarball above arrives over plain HTTP, so before unpacking it as root check the detached PGP signature (the .asc file published next to the tarball on openssl.org) against a release-signing key you trust, or at the very least compare the published checksum; a tampered tarball is the easiest way to turn a security upgrade into a compromise.
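Added example, not part of the original post: a small POSIX shell routine that performs the authenticity check the note above refers to. It assumes the tarball, its detached signature (the same file name with .asc appended) and a SHA-256 value obtained from a trusted source are already on disk, and that the OpenSSL release-signing key has already been imported into root's GnuPG keyring. The digest used in the self-test is the hash of a constructed file, not the digest of the real 1.0.1c tarball.

```sh
#!/bin/sh
# Added example (not part of the original post): verify a downloaded
# OpenSSL tarball before it is unpacked and built as root.
# Assumptions: POSIX sh, gpg, and either sha256sum (coreutils) or shasum.

# sha256_of FILE: print the SHA-256 digest of FILE, portable across
# coreutils (sha256sum) and BSD/macOS (shasum -a 256).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_digest FILE EXPECTED: succeed only if FILE's SHA-256 equals EXPECTED
# (compared case-insensitively, since published checksums vary in case).
verify_digest() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# verify_signature FILE: check FILE against its detached signature FILE.asc.
# gpg exits non-zero on a bad or missing signature or an unknown key, so the
# release-signing key must already be in the keyring; it is not fetched here.
verify_signature() {
    gpg --batch --verify "$1.asc" "$1" 2>/dev/null
}

# verify_tarball FILE EXPECTED_SHA256: refuse to continue unless both the
# digest and the signature check out, so neither a swapped tarball nor a
# swapped checksum line alone gets a modified source tree past us.
verify_tarball() {
    verify_digest "$1" "$2" || { echo "digest mismatch for $1" >&2; return 1; }
    verify_signature "$1"   || { echo "bad or unverifiable signature for $1" >&2; return 1; }
    echo "$1: digest and signature OK"
}

# self_test: exercise verify_digest on a constructed file whose SHA-256 is
# known; succeeds when the right digest is accepted and a wrong one rejected.
self_test() {
    f=$(mktemp) || return 1
    printf 'hello\n' > "$f"
    good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    bad=0000000000000000000000000000000000000000000000000000000000000000
    verify_digest "$f" "$good" && ! verify_digest "$f" "$bad"
    rc=$?
    rm -f "$f"
    return $rc
}
```

Usage on the real download is `verify_tarball openssl-1.0.1c.tar.gz <sha256 from a trusted source>`; only proceed to Step 2 when it prints OK. Importing the signing key is deliberately left out of the script: a key fetched from the same place as the tarball proves nothing, so obtain its fingerprint out of band.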
Step 2) Unpack the OpenSSL tarball and move into the newly created directory.
[root@jcweb tmp]# tar xzpf openssl-1.0.1c.tar.gz
[root@jcweb tmp]# cd openssl-1.0.1c
Note: One of the main advantages of building a package from source is being able to optimize it for the hardware it will run on, so the next steps edit OpenSSL's Configure file to get that optimization at compile time. Two things to keep in mind: only the target name you later pass to ./Configure is used, so the debug-* entries edited in 3.a and 3.b have no effect on the build done in Step 5 and only 3.c changes the binaries you install; and -march=core2 emits instructions that older CPUs lack, so match it to the machine that will actually run the library (a build copied to an older host will die with an illegal-instruction fault).
Step 3.a) Edit the Configure file, replacing line 192 of that file in its entirety as follows:
# Before:
"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -march=i486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# After:
"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -O3 -march=core2 -fomit-frame-pointer -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
[root@jcweb openssl-1.0.1c]# vi +192 Configure
Step 3.b) Also edit the Configure file, replacing line 193 in its entirety as follows:
# Before:
"debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -march=i486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# After:
"debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -O3 -march=core2 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
[root@jcweb openssl-1.0.1c]# vi +193 Configure
Step 3.c) Edit the Configure file, replacing line 353 in its entirety as follows (this is the target the ./Configure command in Step 5 actually uses):
# Before:
"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# After:
"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -march=core2 -funroll-loops -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
[root@jcweb openssl-1.0.1c]# vi +353 Configure
Step 4) OpenSSL's helper scripts assume that the perl binary lives in ‘/usr/local/bin/’ (they start with #!/usr/local/bin/perl). Thus we need to find where perl actually is and fix that assumption before compiling. The following commands locate the perl binary and then rewrite the scripts to point at it.
[root@jcweb openssl-1.0.1c]# which perl
/usr/bin/perl
[root@jcweb openssl-1.0.1c]# perl util/perlpath.pl /usr/bin/perl
[root@jcweb openssl-1.0.1c]#
Step 5) Since my system already has multiple OpenSSL packages installed by default, I need to get rid of them before installing the new one. Running ‘rpm -qi openssl’ told me all I needed to know about the OpenSSL packages on my system. Then I tried uninstalling them as follows, without success:
[root@jcweb openssl-1.0.1c]# rpm -e openssl
error: "openssl" specifies multiple packages
[root@jcweb openssl-1.0.1c]#
Step 5.1) To uninstall multiple OpenSSL packages with exactly the same name, I first got the exact package name and then used the ‘--nodeps’ and ‘--allmatches’ switches to remove every matching package. Two identical name-version-release entries in ‘rpm -qa’ on an x86_64 RHEL/CentOS 5 host normally mean the i386 and x86_64 multilib copies; ‘rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' openssl’ shows the architecture of each, which also tells you whether the 32-bit ‘linux-elf’ target used in Step 5.2 is the right one for your machine.
Note: This step erases the vendor OpenSSL currently installed on your system, and ‘--nodeps’ means rpm will not stop you even though sshd, yum, curl and much else depend on it. Those programs are linked against the vendor library names (libssl.so.6 and libcrypto.so.6 on RHEL/CentOS 5), while the 1.0.1c build installs libssl.so.1.0.0 and libcrypto.so.1.0.0, so until you follow this tutorial to the end and then do the post-installation configuration, no application will be able to use OpenSSL; you will not even be able to ssh into the system. Do this from a console, not over ssh, and keep a copy of the old libraries. Keep in mind too that Red Hat and CentOS backport security fixes into the vendor package, so a plain ‘yum update openssl’ is the usual way to get the fix for a CVE without leaving the package manager; building from source is for when you need the newer release itself.
[root@jcweb openssl-1.0.1c]# rpm -qa |grep openssl
openssl-0.9.8e-22.el5
openssl-0.9.8e-22.el5
[root@jcweb openssl-1.0.1c]#
[root@jcweb openssl-1.0.1c]# rpm --nodeps --allmatches -ef openssl-0.9.8e-22.el5
[root@jcweb openssl-1.0.1c]#
Step 5.2) Now we are ready to configure and build the new version of OpenSSL. Launch the following command to configure it. Two caveats: ‘linux-elf’ is the 32-bit x86 target (on an x86_64 host use ‘linux-x86_64’ instead), and ‘no-asm’ drops OpenSSL's hand-written assembler routines, which costs much of the speed the -march flags in Step 3 were meant to buy (in 1.0.1 that includes the AES-NI code), so leave it out unless the assembler actually fails to build with your toolchain. The repeated ‘shared’ is harmless.
[root@jcweb openssl-1.0.1c]# ./Configure linux-elf no-asm shared --prefix=/usr --openssldir=/usr/share/openssl enable-tlsext shared
Step 6) Once configuration is done, build the package and run its test suite with the following two commands, without installing it yet; then install.
[root@jcweb openssl-1.0.1c]# LD_LIBRARY_PATH=`pwd` make all build-shared
[root@jcweb openssl-1.0.1c]# LD_LIBRARY_PATH=`pwd` make test apps tests
Step 6.a) Before installing, make a list of all the files on the system. This is necessary because a package installed from source cannot be managed with the rpm utility: its files are not recorded in rpm's database, so if you ever want to update or upgrade this OpenSSL you won't be able to use ‘rpm -Uvh’. Instead you will use this list of files to apply the update by hand. It's actually quite simple, so don't worry, just keep reading.
In essence, you generate a list of all the files on the system just before installing the package and save it to a file. Right after the installation, generate a second list and save it to another file. Then use the ‘diff’ utility to get the difference between the two lists and save that in a final file. This last file contains everything the package installed. And voilà: this is the list you will use in the future to know what needs to be removed or replaced when a new version of the package is released. Two caveats: ‘find /*’ also walks /proc, /sys and /dev, whose contents change on their own, so expect noise in the diff unless you prune those directories; and with OpenSSL 1.0.x a staged install, ‘make INSTALL_PREFIX=/var/tmp/stage install’ followed by ‘find /var/tmp/stage’, gives you the same manifest exactly by construction.
[root@jcweb openssl-1.0.1c]# cd
[root@jcweb ~]# find /* >OpenSSL.befr
[root@jcweb ~]# cd -
[root@jcweb openssl-1.0.1c]#
Step 6.b) Now we may finally install the new OpenSSL version. Since the shared libraries go into /usr/lib, run ‘ldconfig’ afterwards so the dynamic linker's cache picks up libssl.so.1.0.0 and libcrypto.so.1.0.0.
[root@jcweb openssl-1.0.1c]# make install build-shared
Step 6.c) Check the newly installed OpenSSL. ‘openssl version -a’ also prints the configure options and directories it was built with, and ‘ldd /usr/sbin/sshd | grep -E "ssl|crypto"’ shows which libssl a given application actually loads, which is what matters now that the vendor package is gone.
[root@jcweb openssl-1.0.1c]# openssl version
OpenSSL 1.0.1c 10 May 2012
[root@jcweb openssl-1.0.1c]#
Step 6.d) Generate the second list of all files in your system.
[root@jcweb openssl-1.0.1c]# find /* >~/OpenSSL.aftr
Step 6.e) Get the final list of only the installed files by taking the difference of the two previous lists. This is the list to keep for future updates and upgrades.
[root@jcweb ~]# cd; diff OpenSSL.befr OpenSSL.aftr >OpenSSL-Installed
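Added example, not part of the original post: the before/after manifest of steps 6.a to 6.e done with sorted lists and comm(1), with the directories that change on their own pruned, plus a routine that later removes exactly the files the manifest lists, which is the eventual use described above. It assumes POSIX sh with find, sort, comm, sed and mktemp; the mini filesystem and file names in the demo are constructed inside a temporary directory so the routines can be exercised without touching the real system.

```sh
#!/bin/sh
# Added example (not part of the original post): a before/after file
# manifest for a source install, as in steps 6.a to 6.e, using sorted
# lists and comm(1) and pruning the directories that change on their own.
# Assumptions: POSIX sh with find, sort, comm, sed, mktemp.

# snapshot ROOT: list every path under ROOT on the same filesystem, skipping
# proc, sys, dev and var/tmp (the build tree), sorted in the C locale so
# that comm(1) can compare two snapshots line by line.
snapshot() {
    root=${1%/}
    find "${root:-/}" -xdev \
        \( -path "$root/proc" -o -path "$root/sys" -o -path "$root/dev" \
           -o -path "$root/var/tmp" \) -prune -o -print 2>/dev/null |
        LC_ALL=C sort
}

# manifest BEFORE AFTER OUT: write the paths that appear only in AFTER to
# OUT (everything the install created) and print how many there are.
manifest() {
    LC_ALL=C comm -13 "$1" "$2" > "$3"
    wc -l < "$3" | tr -d ' '
}

# remove_installed MANIFEST: delete the regular files and symlinks listed in
# MANIFEST, leaving directories alone because other packages may share them.
# This is the "what needs to be removed" step when the next release arrives.
remove_installed() {
    while IFS= read -r path; do
        if [ -f "$path" ] || [ -L "$path" ]; then
            rm -f "$path"
        fi
    done < "$1"
}

# demo_manifest: build a constructed mini filesystem, take the two snapshots
# around a simulated install, print the manifest (temporary prefix stripped)
# and then the files left under usr/lib after remove_installed has run.
demo_manifest() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/usr/lib" "$tmp/proc"
    : > "$tmp/usr/lib/libexisting.so"       # pre-existing: must not be listed
    snapshot "$tmp" > "$tmp.before"
    : > "$tmp/usr/lib/libssl.so.1.0.0"      # simulated "make install" output
    : > "$tmp/usr/lib/libcrypto.so.1.0.0"
    : > "$tmp/proc/noise"                   # pseudo-filesystem churn: pruned
    snapshot "$tmp" > "$tmp.after"
    manifest "$tmp.before" "$tmp.after" "$tmp.installed" > /dev/null
    sed "s|^$tmp||" "$tmp.installed"
    remove_installed "$tmp.installed"
    find "$tmp/usr/lib" -type f | sed "s|^$tmp||"
    rm -rf "$tmp" "$tmp.before" "$tmp.after" "$tmp.installed"
}
```

On the real system the calls are `snapshot / > ~/OpenSSL.befr`, `make install build-shared`, `snapshot / > ~/OpenSSL.aftr` and `manifest ~/OpenSSL.befr ~/OpenSSL.aftr ~/OpenSSL-Installed`; comm(1) is used instead of diff so the manifest holds bare paths that `remove_installed` can consume directly when the next release has to replace this one.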
Well, that is it! OpenSSL is officially installed, so give yourself a pat on the back for having the courage and adrenaline to take this roller-coaster ride with me. As you can see, it wasn't so bad! Anyway, take a break, grab a cup of coffee or a snack. Once you're back, do me a favor: sit down and configure your newly installed OpenSSL so that all the applications that need it can use it. Since this article ends here, you won't have my company for that part unless you can wait until I publish the next article on the topic. HAVE FUN & PRAISE JESUS CHRIST – The King of Kings and Lord of Lords. Finally, never forget that He loves you!
All rights reserved ©