Difference between pages "DVDless install" and "OpenSSL"

From Wikislax

'''DVDless install'''

{{RightTOC}}

The (local) network is an additional choice to install Slackware from when your hardware has this capability. Installing from the local network is much faster than from a DVD and is a good choice when playing around with the installation. This page explains how to configure a Slackware server for this usage. It was inspired by [http://alien.slackbook.org/dokuwiki/doku.php?id=slackware:pxe AlienBob's blog page] on the same topic. To install Slackware over the network we need:

* A service to download the Slackware files during the Slackware setup. HTTP, FTP, or NFS can be used. In the example below we show how to use the NFS and FTP services included with Slackware.

* A service implementing the TFTP protocol. TFTP is used to download the bootstrap code from the server identified in the previous step. We will use the TFTP server included with Slackware.

* A service implementing the BOOTP protocol. BOOTP is used by the PXE firmware to identify on the network a server to download the bootloader code from. The DHCP server included with the Slackware distribution has this capability.

== Configuring NFS ==

NFS is SUN's Network File System. It is lightning fast and can be used as a mount point, but depending on configuration it may be insecure and must be used on the local network only. Also, it uses some random port numbers that need to be fixed if firewalling. The exported directories are defined in '''/etc/exports'''. Edit as follows. '''ro''' means read-only, '''sync''' makes sure that no asynchronous requests are made, '''insecure''' allows requests from non-reserved source ports (above 1024), which some NFS client implementations use, '''all_squash''' maps all uids and gids to the anonymous user for public access, '''no_subtree_check''' improves reliability in some circumstances. See '''man exports''' for more details.

 # See exports(5) for a description.
 # This file contains a list of all directories exported to other computers.
 # It is used by rpc.nfsd and rpc.mountd.
 /var/pub      192.168.53.1/24(ro,sync,insecure,all_squash,no_subtree_check)

The NFS server is launched using '''/etc/rc.d/rc.nfsd'''. Make this script executable so that it runs on every boot. You can also '''start''' it to test it immediately. The NFS client is launched using '''/etc/rc.d/rc.rpc''' and allows using NFS mount points from other NFS servers. Make this script executable if you want to use it and have it started on every reboot. This can be handy to cross-test NFS machines. Otherwise it should not be necessary.

 # chmod u+x /etc/rc.d/rc.nfsd
 # chmod u+x /etc/rc.d/rc.rpc

== Configuring FTP ==

As SSH provides encrypted authentication and transfers, FTP will be used on our site only for anonymous public downloads. FTP uses fixed port numbers so it is easy to firewall, but it is much slower than NFS. Slackware includes two FTP servers: ProFTPd and vsFTPd. We will use the latter. Using vsFTPd requires very little configuration: setting the home directory of the ftp user to where we want our files to be downloaded from, uncommenting the correct '''ftp''' line in '''/etc/inetd.conf''' and running '''/etc/rc.d/rc.inetd restart''', and updating the firewall rules. For more details see '''man vsftpd.conf'''.

 # usermod --home /var/pub ftp
 . . .
 # Very Secure File Transfer Protocol (FTP) server.
 ftp    stream  tcp    nowait  root    /usr/sbin/tcpd  vsftpd
 . . .
 # /etc/rc.d/rc.inetd restart
 . . .
 # services on local network FTP BOOTP HTTP NNTP IMAP HTTPS SUBMIT VNC VOIP
 iptables -A INPUT -p tcp -j ACCEPT --dport 20 -m state --state NEW -s 192.168.0.0/16
 iptables -A INPUT -p tcp -j ACCEPT --dport 21 -m state --state NEW -s 192.168.0.0/16

== Putting the Slackware install files online ==

Copy the content of the Slackware DVD to a disk directory, for instance '''/var/pub/slackware64-15.0''':

 # mkdir /mnt/dvd
 # mkdir /var/pub/slackware64-15.0
 # mount -o loop slackware64-15.0-install-dvd.iso /mnt/dvd
 # cp -a /mnt/dvd/* /var/pub/slackware64-15.0/
 # umount /mnt/dvd

During install, when asked for the source directory, specify the subdirectory '''slackware64''', that is, '''/var/pub/slackware64-15.0/slackware64'''.

The Slackware network setup uses NFS version 3, meaning that directory paths are absolute.

== Configuring TFTPBOOT ==

TFTP is the trivial FTP protocol (for use on a local network). Let's create the '''tftp bootp''' file structure under the default '''/tftpboot''' directory. The directory where we store the bootloader files is '''/tftpboot/slackware64-15.0''':

 # mkdir /tftpboot
 # mkdir /tftpboot/slackware64-15.0
 # mkdir /tftpboot/slackware64-15.0/pxelinux.cfg
 # cp /usr/share/syslinux/pxelinux.0 /tftpboot/slackware64-15.0/
 # cp /var/pub/slackware64-15.0/isolinux/message.txt /tftpboot/slackware64-15.0/
 # cp /var/pub/slackware64-15.0/isolinux/f2.txt /tftpboot/slackware64-15.0/
 # cp -a /var/pub/slackware64-15.0/kernels /tftpboot/slackware64-15.0/
 # cp /var/pub/slackware64-15.0/usb-and-pxe-installers/pxelinux.cfg_default /tftpboot/slackware64-15.0/pxelinux.cfg/default
 # cp /var/pub/slackware64-15.0/isolinux/initrd.img /tftpboot/slackware64-15.0/

Tftpboot is handled by '''inetd'''. To activate it, uncomment the tftp line in '''/etc/inetd.conf''' then run '''/etc/rc.d/rc.inetd restart''' or reboot.

 tftp  dgram  udp    wait    root    /usr/sbin/in.tftpd  in.tftpd -s /tftpboot -r blksize

== Configuring DHCP ==

We configure '''/etc/dhcpd.conf''' as follows. Our subnet is '''192.168.53.0''', our network mask '''255.255.255.0''', our IP address is '''192.168.53.1''', our router address '''192.168.53.254'''. The DHCP IP range is '''192.168.53.154''' to '''192.168.53.253'''. For more details on other configuration possibilities, see '''man dhcpd.conf'''.

 # dhcpd.conf
 #
 # Configuration file for ISC dhcpd (see 'man dhcpd.conf')
 #
 
 # If this DHCP server is the official DHCP server for the local
 # network, the authoritative directive should be uncommented.
 authoritative;
 ddns-update-style none;
 
 # Allow bootp requests
 allow bootp;
 
 # Point to the TFTP server:
 next-server 192.168.53.1;
 
 # Default lease is 1 week (604800 sec.)
 default-lease-time 604800;
 # Max lease is 4 weeks (2419200 sec.)
 max-lease-time 2419200;
 
 subnet 192.168.53.0 netmask 255.255.255.0 {
     option domain-name "studioware.com";
     option broadcast-address 192.168.53.255;
     option subnet-mask 255.255.255.0;
     option domain-name-servers 192.168.53.1;
     option routers 192.168.53.254;
     range dynamic-bootp 192.168.53.154 192.168.53.253;
     use-host-decl-names on;
     if substring (option vendor-class-identifier, 0, 9) = "PXEClient" {
       filename "/slackware64-15.0/pxelinux.0";
     }
 }

Next is to create a script '''/etc/rc.d/rc.dhcpd''' to launch dhcpd. Our bridged interface is '''br0''':

 #!/bin/sh
 #
 # /etc/rc.d/rc.dhcpd
 #      This shell script takes care of starting and stopping
 #      the ISC DHCPD service
 #
 
 # Put the command line options here that you want to pass to dhcpd:
 DHCPD_OPTIONS="-q '''br0'''"
 
 [ -x /usr/sbin/dhcpd ] || exit 0
 
 [ -f /etc/dhcpd.conf ] || exit 0
 
 start() {
     # Start daemons.
     echo -n "Starting dhcpd: /usr/sbin/dhcpd $DHCPD_OPTIONS "
     /usr/sbin/dhcpd $DHCPD_OPTIONS
     echo
 }
 stop() {
     # Stop daemons.
     echo -n "Shutting down dhcpd: "
     killall -TERM dhcpd
     echo
 }
 status() {
     PIDS=$(pidof dhcpd)
     if [ "$PIDS" = "" ]; then
       echo "dhcpd is not running!"
     else
       echo "dhcpd is running at pid(s) ${PIDS}."
     fi
 }
 restart() {
     stop
     start
 }
 
 # See how we were called.
 case "$1" in
 start)
       start
       ;;
 stop)
       stop
       ;;
 restart)
       stop
       start
       ;;
 status)
       status
       ;;
 *)
       echo "Usage: $0 {start|stop|status|restart}"
       ;;
 esac
 
 exit 0

Next is to make '''/etc/rc.d/rc.dhcpd''' executable, launch it from '''/etc/rc.d/rc.local''' and stop it from '''/etc/rc.d/rc.local_shutdown''':

 # chmod u+x rc.dhcpd
 . . .
 # start dhcpd
 if [ -x /etc/rc.d/rc.dhcpd ]; then
         /etc/rc.d/rc.dhcpd start
 fi
 . . .
 # stop dhcpd
 if [ -x /etc/rc.d/rc.dhcpd ]; then
     /etc/rc.d/rc.dhcpd stop
 fi

== Firewalling NFS ==

Refer to [[IPTables]] for an introduction to packet filtering. NFS uses some random ports by default, which we need to fix if we want to be able to do proper packet filtering. To be precise, NFS uses sunrpc/111 and nfsd/2049, and random port numbers are used by the other NFS daemons, but it is possible to specify alternative port numbers on the command line or in the '''/etc/services''' file, to which we add:

 rpc.nfs-cb      32764/tcp  # RPC nfs callback
 rpc.nfs-cb      32764/udp  # RPC nfs callback
 status          32765/udp  # NFS status (listen)
 status          32765/tcp  # NFS status (listen)
 status          32766/udp  # NFS status (send)
 status          32766/tcp  # NFS status (send)
 mountd          32767/udp  # NFS mountd
 mountd          32767/tcp  # NFS mountd
 lockd           32768/udp  # NFS lock daemon/manager
 lockd           32768/tcp  # NFS lock daemon/manager
 rquotad         32769/udp  # NFS rquotad
 rquotad         32769/tcp  # NFS rquotad

The '''/etc/rc.d/rc.nfsd''' and '''/etc/rc.d/rc.rpc''' scripts are modified to specify the port numbers on the command lines:

 if [ -x /usr/sbin/rpc.rquotad ]; then
   echo " /usr/sbin/rpc.rquotad '''-p 32769'''"
   /usr/sbin/rpc.rquotad '''-p 32769'''
 fi
 
 if [ -x /usr/sbin/rpc.mountd ]; then
   echo "  /usr/sbin/rpc.mountd '''-p 32767'''"
   /usr/sbin/rpc.mountd '''-p 32767'''
 fi
 
 if ! ps axc | grep -q rpc.statd ; then
   echo "Starting RPC NSM (Network Status Monitor):  /sbin/rpc.statd '''-p 32765 -o 32766'''"
   /sbin/rpc.statd '''-p 32765 -o 32766'''
 fi

To make the lock daemon listen on port '''32768''' only and set the NFS callback port to '''32764''', we need to create the file '''/etc/sysctl.d/nfs.conf''':

 fs.nfs.nlm_udpport=32768
 fs.nfs.nlm_tcpport=32768
 fs.nfs.nfs_callback_tcpport=32764

Last, the BOOTP and NFS ports must be added to '''/etc/rc.d/rc.firewall''':

 # by default no local traffic is allowed for network 192.168.0.0/16 on br0 interface
 # iptables -A INPUT -i br0 -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
 # iptables -A OUTPUT -o br0 -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
 
 # BOOTP
 iptables -A INPUT -p udp -j ACCEPT --dport 69 -s 192.168.0.0/16
 
 # NFS ports
 iptables -A INPUT -p udp -j ACCEPT --dport 111 -s 192.168.0.0/16
 iptables -A INPUT -p tcp -j ACCEPT --dport 111 -m state --state NEW -s 192.168.0.0/16
 iptables -A INPUT -p udp -j ACCEPT --dport 2049 -s 192.168.0.0/16
 iptables -A INPUT -p tcp -j ACCEPT --dport 2049 -m state --state NEW -s 192.168.0.0/16
 iptables -A INPUT -p udp -j ACCEPT --dport 32764 -s 192.168.0.0/16
 iptables -A INPUT -p tcp -j ACCEPT --dport 32764 -m state --state NEW -s 192.168.0.0/16
 iptables -A INPUT -p udp -j ACCEPT --dport 32765 -s 192.168.0.0/16
 iptables -A INPUT -p tcp -j ACCEPT --dport 32765 -m state --state NEW -s 192.168.0.0/16
 iptables -A INPUT -p udp -j ACCEPT --dport 32766 -s 192.168.0.0/16
 iptables -A INPUT -p tcp -j ACCEPT --dport 32766 -m state --state NEW -s 192.168.0.0/16
 iptables -A INPUT -p udp -j ACCEPT --dport 32767 -s 192.168.0.0/16
 iptables -A INPUT -p tcp -j ACCEPT --dport 32767 -m state --state NEW -s 192.168.0.0/16
 iptables -A INPUT -p udp -j ACCEPT --dport 32768 -s 192.168.0.0/16
 iptables -A INPUT -p tcp -j ACCEPT --dport 32768 -m state --state NEW -s 192.168.0.0/16
 iptables -A INPUT -p udp -j ACCEPT --dport 32769 -s 192.168.0.0/16
 iptables -A INPUT -p tcp -j ACCEPT --dport 32769 -m state --state NEW -s 192.168.0.0/16

== Slackware setup ==

A few pieces of advice to make your Slackware setup from the network easier:

* For some reason Slackware might use an interface other than eth0. Just move the cable to the right slot or update (or remove) /etc/udev/rules.d/70-persistent-net.rules.

* The Slackware network setup uses NFS version 3, meaning that directory paths are absolute.

* The FTP directory paths are instead relative to the ftp user's home directory.

<br/>
{{pFoot|[[Managing partitions]]|[[Main Page]]|[[Installing Slackware]]}}
'''OpenSSL'''

{{RightTOC}}

== What is OpenSSL ? ==

[http://www.openssl.org/ OpenSSL] is an open-source implementation of the TLS and SSL protocols. It is used as the base for securing the communications (authentication, encryption, signing) of most of the other open-source server software. However, following a record of security issues, the security and quality of the software appears more uncertain. In 2013, WikiLeaks published documents obtained by Edward Snowden, which revealed that since 2010 the NSA had effectively broken or bypassed SSL/TLS, possibly by exploiting vulnerabilities such as Heartbleed.

Since OpenSSL 1.0.1g, members of the [http://www.openbsd.org/ OpenBSD] project forked OpenSSL to create a project named [http://www.libressl.org/ LibreSSL] that can be used as a drop-in replacement for OpenSSL.

To make things a bit less worrying, OpenSSL is part of the base Slackware distribution and so benefits from the [http://www.slackware.com/security/ Slackware security advisories]. The official documentation can be found on the official web site [http://www.openssl.org openssl.org] but is somewhat cryptic. '''man openssl''' is a better option.

Historically, the SSL suite of protocols was created by Netscape to secure communications made over TCP/IP. SSL allows encrypting the data and authenticating the parties on the wire using various methods and algorithms. SSL was the base layer used to ensure the confidentiality of essential TCP protocols such as '''smtp http pop3 nntp imap ldap'''. SSL encapsulates these services (and others) using alternate protocol names and port numbers. '''BUT''' the SSL protocols were superseded by [https://en.wikipedia.org/wiki/Transport_Layer_Security TLS] and are now deprecated due to security weaknesses. SSL should not be used any longer. Instead, use TLS. The current version is TLS v1.2.

{| {{thead}}
|-
! {{chead}} | Protocol
! {{chead}} | Port #
! {{chead}} | Secure Protocol
! {{chead}} | Secure Port #
! {{chead}} | Service
|-
|SMTP||25||SMTPS||465||Mail exchange
|-
|HTTP||80||HTTPS||443||Web browsing
|-
|POP3||110||POP3S||995||Mail retrieval
|-
|NNTP||119||NNTPS||563||News exchange
|-
|IMAP||143||IMAPS||993||Mail retrieval
|-
|LDAP||389||LDAPS||636||LDAP directory
|}

<br clear=all>

== Use only TLS ==

<u>Please note</u>: the SSL protocols were superseded by [https://en.wikipedia.org/wiki/Transport_Layer_Security TLS] and are now deprecated due to security weaknesses. SSL should not be used any longer. Instead, use TLS. The current version is TLS v1.2.

== Compiling OpenSSL ==

OpenSSL is part of the base Slackware distribution and so benefits from the [http://www.slackware.com/security/ Slackware security advisories], which makes it very easy to upgrade to the most secure version at any time. If for some reason you'd nevertheless like to compile it from source, here's how to do it:

<font color=red>Beware: to avoid breaking other software in the distribution, openssl-x.y.z can be replaced only by a minor fix update. Be sure to check the current version number using '''ls /usr/lib/*ssl*''' first.</font>

Installing OpenSSL is otherwise quite straightforward:

 # tar -C /usr/local -xvf openssl-x.y.z.tar.gz
 # cd /usr/local
 # chown -R root openssl-x.y.z
 # chgrp -R root openssl-x.y.z
 # cd openssl-x.y.z
 # vi README
 # vi INSTALL
 # make clean
 # ./config --prefix=/usr/local --openssldir=/etc/ssl shared
 # make
 # make test
 # cd /var/log/packages
 # removepkg openssl-x.y.z-X86_64-2
 # removepkg openssl-solibs-x.y.z-X86_64-2
 # cd /usr/local/openssl-x.y.z
 # make install
 # make clean
 # cd ../lib
 # mv libssl* ../lib64
 # mv libcrypto* ../lib64
 # cd pkgconfig
 # mv *ssl.pc ../../lib64/pkgconfig
 # mv *crypto.pc ../../lib64/pkgconfig
 # cd /usr/lib64
 # ln -sf /usr/local/lib64/libssl.so.1.0.0 libssl.so.1
 # ln -sf /usr/local/lib64/libcrypto.so.1.0.0 libcrypto.so.1
 # ldconfig
 # cd /etc/ssl
 # cp -r man /usr/local
 # rm -r man
 # reboot

'''reboot''' makes sure that nothing was missed by the install and that the system is able to boot normally. If anything went wrong, be ready to manually fix your system, for example by reinstalling the default Slackware OpenSSL package using '''installpkg'''.

== Using OpenSSL ==

Except for managing certificates (see the next section), OpenSSL is not used directly but through libraries that encapsulate other protocols such as '''smtp http pop3 nntp imap ldap'''.

== Using Certificates ==

Using a server certificate allows remote '''smtp http pop3 nntp imap ldap''' clients to make sure that they are connected to the right site. The server certificate contains the full domain name and other information, signed by a Certificate Authority.

For the check to be effective, the clients need copies of both the server and the Certificate Authority certificates. The server certificate is sent as part of the TLS protocol. The Certificate Authority certificate, however, must already be present on the client.

This is the case for most commercial Certificate Authority certificates, which are preinstalled. Being your own Certificate Authority will save the cost of purchasing a server certificate and renewing it yearly, but it will be necessary to install the Certificate Authority certificate on every client using your services.

The home of the '''OpenSSL''' configuration is '''/etc/ssl'''. It initially includes the directories '''certs misc private''' to store the certificates, and a configuration file '''openssl.cnf''', which must be edited first. You might want to change dir and certificate to these values:

 dir = /etc/ssl # Where everything is kept
 certificate = $certs/cacert.pem # The CA certificate

<big><u>To create a self-signed certification authority certificate:</u></big>

<font color=red>Beware: for the certification to work, it is not possible to create a certification authority certificate and a server certificate with the same DN (X500 Directory Name).</font>

 # '''cd /etc/ssl'''
 # '''openssl req -new -x509 -days 3650 -keyout private/cakey.pem -out certs/cacert.pem -config openssl.cnf'''
 Generating a 1024 bit RSA private key
 .........++++++
 .............++++++
 writing new private key to 'private/cakey.pem'
 Enter PEM pass phrase:
 Verifying - Enter PEM pass phrase:
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:'''FR'''
 State or Province Name (full name) [Some-State]:'''.'''
 Locality Name (eg, city) []:'''Rennes'''
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:'''Studioware'''
 Organizational Unit Name (eg, section) []:'''CA'''
 Common Name (eg, YOUR name) []:'''Studioware.com'''
 Email Address []:'''nospam@studioware.com'''

<big><u>To create a server certificate request:</u></big>

<font color=red>Beware: for a server certificate, the common name must be the fully qualified domain name. A reverse DNS entry should also exist.</font>

 # '''cd /etc/ssl'''
 # '''mkdir newcerts'''
 # '''openssl req -new -keyout newcerts/mtakey.pem -out newcerts/mtareq.pem -days 365 -config openssl.cnf'''
 Generating a 1024 bit RSA private key
 ................................++++++
 ..................++++++
 writing new private key to 'newkey.pem'
 Enter PEM pass phrase:
 Verifying - Enter PEM pass phrase:
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:'''FR'''
 State or Province Name (full name) [Some-State]:'''.'''
 Locality Name (eg, city) []:'''Rennes'''
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:'''Studioware'''
 Organizational Unit Name (eg, section) []:'''MTA'''
 Common Name (eg, YOUR name) []:'''inner.studioware.com'''
 Email Address []:'''nospam@studioware.com'''
 
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:

<big><u>To sign the server certificate request:</u></big>

 # '''cd /etc/ssl'''
 # '''cat </dev/null >index.txt'''
 # '''cat >serial'''
 '''01'''
 '''<ctrl>d'''
 # '''cat newcerts/mtareq.pem newcerts/mtakey.pem > newcerts/mta.pem'''
 # '''openssl ca -policy policy_anything -out newcerts/mtacert.pem -config openssl.cnf -infiles newcerts/mta.pem'''
 Using configuration from openssl.cnf
 Enter pass phrase for /etc/ssl/private/cakey.pem:
 Check that the request matches the signature
 Signature ok
 Certificate Details:
         Serial Number: 1 (0x1)
         Validity
             Not Before: Jan  2 13:40:43 2007 GMT
             Not After : Jan  2 13:40:43 2008 GMT
         Subject:
             countryName               = FR
             localityName              = Rennes
             organizationName          = Studioware
             organizationalUnitName    = MTA
             commonName                = Jean-Pierre Menicucci
             emailAddress              = nospam@studioware.com
         X509v3 extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             Netscape Comment:
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier:
                 06:08:16:E7:C0:A3:D3:9A:D1:92:4A:6F:B8:6E:E8:28:47:79:BD:12
             X509v3 Authority Key Identifier:
                 keyid:92:59:DF:C2:26:D6:54:46:46:A8:10:4E:56:CB:09:A2:E9:B4:86:93
 
 Certificate is to be certified until Jan  2 13:40:43 2008 GMT (365 days)
 Sign the certificate? [y/n]:'''y'''
 
 1 out of 1 certificate requests certified, commit? [y/n]'''y'''
 Write out database with 1 new entries
 Data Base Updated

<big><u>To remove the pass phrase from the server private key:</u></big>

<font color=red>Beware: it is necessary to remove this pass phrase so that sendmail can start without any human intervention.</font>

 # '''openssl rsa -in newcerts/mtakey.pem -out newcerts/mtakey.pem.unsecure'''
 Enter pass phrase for newcerts/mtakey.pem:
 writing RSA key

<big><u>To move the files to the right directories with the right rights and clean up:</u></big>

 # '''cd newcerts'''
 # '''ls'''
 01.pem mta.pem mtacert.pem mtakey.pem mtakey.pem.unsecure mtareq.pem
 # '''mv mtacert.pem ../certs'''
 # '''mv mtakey* ../private'''
 # '''rm 01.pem mta.pem mtareq.pem'''
 # '''cd ../certs'''
 # '''chmod go+r *'''
 # '''cd ../private'''
 # '''chmod go-r *'''

When renewing an existing certificate mtakey.pem, the following commands make the required copies:

 # '''cp mtakey.pem.unsecure apache.mtakey.pem.unsecure'''
 # '''cp mtakey.pem.unsecure asterisk.mtakey.pem.unsecure'''
 # '''cp mtakey.pem.unsecure ldap.mtakey.pem.unsecure'''
 # '''cp mtakey.pem.unsecure news.mtakey.pem.unsecure'''
 # '''cp mtakey.pem.unsecure smmsp.mtakey.pem.unsecure'''
 # '''chown apache:apache apache.mtakey.pem.unsecure'''
 # '''chown asterisk:asterisk asterisk.mtakey.pem.unsecure'''
 # '''chown ldap:ldap ldap.mtakey.pem.unsecure'''
 # '''chown smmsp:smmsp smmsp.mtakey.pem.unsecure'''
 # '''chown news:news news.mtakey.pem.unsecure'''
 # '''cd ../certs'''
 # '''vi mtacert.pem'''
 d59d
 :$
 :r ../private/mtakey.pem.unsecure
 :w! server.pem
 :x
 # '''chown cyrus:mail server.pem'''
 # '''chmod 600 server.pem'''

<big><u>To check an external certificate</u></big>

For OpenSSL to use an external certification authority certificate, you need to place in your '''/etc/ssl/certs''' directory a copy of it and a symbolic link to this copy. The name of this link must be based on the certificate's hash (see http://www.sendmail.org/~ca/email/starttls.html). This can be done in this way:

 # C=CertificateFileName
 # ln -s $C `openssl x509 -noout -hash < $C`.0

<br>
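The certificate procedure above (self-signed CA, server request, signing, hash-named link) can be reproduced and checked non-interactively; the script below is an added example and not the Wikislax page's own commands. It assumes a scratch directory instead of '''/etc/ssl''', signs with '''openssl x509 -req''' instead of '''openssl ca''' (so no index.txt or serial bookkeeping is needed), uses '''-nodes''' in place of the later pass-phrase removal, and gives the CA a DN different from the server's, which the page notes is required; the DNs are constructed.

```shell
#!/bin/sh
# Added example: build a CA and a CA-signed server certificate, then run the
# checks a client (or an administrator) would: chain verification, subject
# inspection and the <hash>.0 link name used in /etc/ssl/certs.

WORK="${WORK:-$(mktemp -d 2>/dev/null || echo /tmp/ssl-example.$$)}"
mkdir -p "$WORK"

# Constructed DNs: the CA and the server must not share the same DN.
CA_SUBJ="/C=FR/L=Rennes/O=Studioware/OU=CA/CN=Studioware CA"
SRV_SUBJ="/C=FR/L=Rennes/O=Studioware/OU=MTA/CN=inner.studioware.com"

# Self-signed CA certificate valid 10 years, as with the page's
# `openssl req -new -x509 -days 3650`; -nodes skips the pass phrase.
make_ca() {
    openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
        -subj "$CA_SUBJ" -keyout "$WORK/cakey.pem" \
        -out "$WORK/cacert.pem" >/dev/null 2>&1
}

# Server key and request, then a 365-day certificate signed by the CA.
make_server_cert() {
    openssl req -new -nodes -newkey rsa:2048 -subj "$SRV_SUBJ" \
        -keyout "$WORK/mtakey.pem" -out "$WORK/mtareq.pem" >/dev/null 2>&1 &&
    openssl x509 -req -days 365 -in "$WORK/mtareq.pem" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -out "$WORK/mtacert.pem" >/dev/null 2>&1
}

# The check a TLS client performs once it trusts cacert.pem: does the
# server certificate chain to that CA? Prints "ok" or "fail".
verify_server_cert() {
    if openssl verify -CAfile "$WORK/cacert.pem" "$WORK/mtacert.pem" \
            >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Link name expected in /etc/ssl/certs for a CA certificate: <subject hash>.0
hash_link_name() {
    echo "$(openssl x509 -noout -hash -in "$1").0"
}

# Subject common name of a certificate (works with old and new -subject
# output formats), so CA and server DNs can be compared.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

make_ca && make_server_cert && {
    echo "chain check: $(verify_server_cert)"
    echo "CA subject:  $(cert_cn "$WORK/cacert.pem")"
    echo "server CN:   $(cert_cn "$WORK/mtacert.pem")"
    echo "CA link:     $(hash_link_name "$WORK/cacert.pem")"
}
```

Running it prints "chain check: ok" and a link name such as the one '''ln -s $C `openssl x509 -noout -hash < $C`.0''' would create; a server certificate signed by a different CA would print "fail" at the chain check.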
{{pFoot|[[Creating VMs]]|[[Main Page]]|[[OpenLDAP]]|}}

Latest revision as of 21:24, 9 January 2025

           X509v3 Authority Key Identifier:
               keyid:92:59:DF:C2:26:D6:54:46:46:A8:10:4E:56:CB:09:A2:E9:B4:86:93

Certificate is to be certified until Jan  2 13:40:43 2008 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

To remove the pass phrase from the server private key :

Beware : it is necessary to remove this pass phrase so that sendmail can start without any human intervention.

# openssl rsa -in newcerts/mtakey.pem -out newcerts/mtakey.pem.unsecure
Enter pass phrase for newcerts/mtakey.pem:
writing RSA key

To move the files to the right directories with the right permissions and clean up :

# cd newcerts
# ls
01.pem  mta.pem  mtacert.pem  mtakey.pem  mtakey.pem.unsecure  mtareq.pem
# mv mtacert.pem ../certs
# mv mtakey* ../private
# rm 01.pem mta.pem mtareq.pem
# cd ../certs
# chmod go+r *
# cd ../private
# chmod go-r *

When renewing an existing certificate mtakey.pem, the following commands make the required copies :

# cp mtakey.pem.unsecure apache.mtakey.pem.unsecure
# cp mtakey.pem.unsecure asterisk.mtakey.pem.unsecure
# cp mtakey.pem.unsecure ldap.mtakey.pem.unsecure
# cp mtakey.pem.unsecure news.mtakey.pem.unsecure
# cp mtakey.pem.unsecure smmsp.mtakey.pem.unsecure
# chown apache:apache apache.mtakey.pem.unsecure
# chown asterisk:asterisk asterisk.mtakey.pem.unsecure
# chown ldap:ldap ldap.mtakey.pem.unsecure
# chown smmsp:smmsp smmsp.mtakey.pem.unsecure
# chown news:news news.mtakey.pem.unsecure
# cd ../certs
# vi mtacert.pem
d59d
:$
:r ../private/mtakey.pem.unsecure
:w! server.pem
:x
# chown cyrus:mail server.pem
# chmod 600 server.pem

To check certificates issued by an external certification authority :

For OpenSSL to use an external certification authority certificate, you need to place a copy of it in your /etc/ssl/certs directory together with a symbolic link to this copy. The name of this link must be the certificate's hash (see http://www.sendmail.org/~ca/email/starttls.html). This can be done in this way :

# C=CertificateFileName
# ln -s $C `openssl x509 -noout -hash < $C`.0
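The whole procedure above (CA certificate, server request, signing with openssl ca, pass phrase removal, hash-named link), run non-interactively in a scratch directory and followed by the checks worth doing before copying anything into /etc/ssl. This is an added example, not code from the Wikislax page; the DNs, pass phrases and the minimal openssl.cnf are constructed.

```shell
set -eu
build_demo_pki() {   # constructed demo: CA + server cert in a scratch dir; prints its path
    d=$(mktemp -d) && cd "$d" && mkdir certs private newcerts
    : > index.txt; echo 01 > serial      # empty CA database and first serial number
    cat > openssl.cnf <<EOF              # minimal constructed config for req and ca
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $d
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/certs/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_anything
[ policy_anything ]
countryName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
    # CA and server DNs must differ (OU and CN do here), as the Beware note says
    openssl req -new -x509 -days 3650 -subj "/C=FR/O=Studioware/OU=CA/CN=Studioware CA" \
        -passout pass:cademo -keyout private/cakey.pem -out certs/cacert.pem -config openssl.cnf
    openssl req -new -subj "/C=FR/O=Studioware/OU=MTA/CN=inner.studioware.com" \
        -passout pass:mtademo -keyout newcerts/mtakey.pem -out newcerts/mtareq.pem -config openssl.cnf
    openssl ca -batch -passin pass:cademo -config openssl.cnf -in newcerts/mtareq.pem -out newcerts/mtacert.pem
    # strip the pass phrase so the daemon can start unattended; keep the key 0600
    openssl rsa -passin pass:mtademo -in newcerts/mtakey.pem -out private/mtakey.pem.unsecure
    chmod 600 private/mtakey.pem.unsecure
    echo "$d"
}
check_demo_pki() {   # prints "ok" when chain, CN, key match and hash link all check out
    cd "$1"
    openssl verify -CAfile certs/cacert.pem newcerts/mtacert.pem >/dev/null || return 1
    case "$(openssl x509 -noout -subject -in newcerts/mtacert.pem)" in *inner.studioware.com*) ;; *) return 1 ;; esac
    [ "$(openssl x509 -noout -pubkey -in newcerts/mtacert.pem)" = "$(openssl pkey -pubout -in private/mtakey.pem.unsecure)" ] || return 1
    ln -s cacert.pem "certs/$(openssl x509 -noout -hash -in certs/cacert.pem).0"   # hash link, as in the last step above
    openssl verify -CApath certs newcerts/mtacert.pem >/dev/null || return 1
    echo ok
}
```

The pubkey comparison catches the classic mistake of installing a renewed certificate next to the previous key; the -CApath verification confirms the hash link is the one OpenSSL will actually look up.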
