Difference between pages "IPTables" and "OpenSSL"

From Wikislax
(Difference between pages)
Jump to: navigation, search
(Iptables Filtering)
 
 
Line 1: Line 1:
 
{{RightTOC}}
 
{{RightTOC}}
  
Packet filtering affords opening access only to these services you have decided to open. The TCP or UDP packets include a piece of information called the port number, that is used to identify the type of service. Secure ports were defined as SSL counterparts of the native ports but were superseded by [https://en.wikipedia.org/wiki/Transport_Layer_Security TLS] and are now deprecated due to security weaknesses in the SSL protocol. SSL should not be used any longer. Instead, use TLS. Current version is v1.2.
+
== What is OpenSSL ? ==
 +
 
 +
[http://www.openssl.org/ OpenSSL] is an OpenSource implementation of the TLS and SSL protocols. It is used as a base for securitizing the communications (authenticating, cyphering, signing) of the rest of the OpenSource server software. However, following a record of security issues, the security and quality of the software appears more uncertain. In 2013, WikiLeaks published documents obtained by Edward Snowden, which revealed that since 2010, the NSA had effectively broken/bypassed SSL/TLS by possibly exploiting vulnerabilities such as HeartBleed.
 +
 
 +
Since OpenSSL 1.0.1g, members of the [http://http://www.openbsd.org/ OpenBSD] project forked OpenSSL to create a project named [http://www.libressl.org/ LibreSSL] that can be used as a plugin replacement for OpenSSL.
 +
 
 +
To make things a bit less worrying, OpenSSL is part of the base Slackware distribution and so benefits from the [http://www.slackware.com/security/ Slackware security advisories]. The official documentation can be found on the official http site [http://www.openssl.org openssl.org] but is somewhat cryptic. '''man openssl''' is a better option.
 +
 
 +
From an historic point of view, the SSL suite of protocols was created by Netscape to securitize communications made over TCP/IP. SSL affords encrypting the data and authenticating the parties on the wire using various methods and algorithms. SSL was the base layer to ensure confidentiality of essential TCP protocols such as '''smtp http pop3 nntp imap ldap'''. SSL encapsulates these services (and others…) using alternate protocol names and port numbers. '''BUT''' the SSL protocols were superseded by [https://en.wikipedia.org/wiki/Transport_Layer_Security TLS] and are now deprecated due to security weaknesses. SSL should not be used any longer. Instead, use TLS. Current version is TLS v1.2.
  
 
{| {{thead}}
 
{| {{thead}}
 
|-
 
|-
! {{chead}} width="100" | Protocol
+
! {{chead}} | Protocol
 
! {{chead}} | Port #
 
! {{chead}} | Port #
 
! {{chead}} | Secure Protocol
 
! {{chead}} | Secure Protocol
Line 26: Line 34:
 
<br clear=all>
 
<br clear=all>
  
On server side, the services are provided by applications that may have vulnerabilities and be attacked. Examples of attacks are buffer overflow or format string attacks, that afford getting full access on the target machine by crafting special strings sent to it. An attacker could then obtain any information present there or modify or destroy the system.
+
== Use only TLS ==
 
 
To reduce the number of possible attacks, the number of services authorized, or who can access the system, must be restricted. This is known as packet filtering. It is only an aspect of security (obviously, the applications on the server side must also be secured ...), but it is important. <u>Never *** ever *** connect to the network a computer not protected by a packet filter !</u>
 
  
To illustrate, let's configure our two-interfaces computer to be its own firewall. '''eth0''' is the Internet interface, it uses network 192.168.0.x, the gateway is an ADSL router/switch at 192.168.0.254. '''eth1''' is the (Intranet) interface to the internal network 192.168.1.x.
+
<u>Please note</u> : the SSL protocols were superseded by [https://en.wikipedia.org/wiki/Transport_Layer_Security TLS] and are now deprecated due to security weaknesses. SSL should not be used any longer. Instead, use TLS. Current version is v1.2
  
== Iptables Filtering ==
+
== Compiling OpenSSL ==
  
Since Linux 2.4, packet filtering is effected inside the kernel, and configuration effected by the '''iptables''' user-space program. In addition to rules for incoming and outgoing packets, iptables affords defining rules for routing between the interfaces. The '''iptables''' command affords entering the rules '''one by one'''. Using a script affords entering all the rules. '''iptable -L -v''' affords viewing the current rules.
+
OpenSSL is part of the base Slackware distribution and so benefits from the [http://www.slackware.com/security/ Slackware security advisories], which makes it very easy to upgrade to the most secure version at any time. If for some reason you'd nevertheless like to compile it from source, here's how to do it :
  
For more information, see the [http://www.netfilter.org/ netfilter] official site. This site has links to various documents, including a simple introduction to packet filtering in this [http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html HOWTO].
+
<font color=red>Beware : to avoid breaking other software in the distribution, openssl-x.y.z can be replaced only by a minor fix update. Be sure to check the current version number using '''ls /usr/lib/*ssl*''' first.</font>
  
In Slackware, the script used is <tt>'''/etc/rc.d/rc.firewall'''</tt>. It is called  automatically when the system starts or stops, using commands <tt>'''./rc.firewall start'''</tt> or <tt>'''./rc.firewall stop'''</tt>.
+
Installing OpenSSL is otherwise quite straigthforward :
  
  #! /bin/sh
+
  # tar -C /usr/local -xvf openssl-x.y.z.tar.gz
  #
+
# cd /usr/local
  # startup script for local packet filter
+
# chown -R root openssl-x.y.z
  #
+
# chgrp -R root openssl-x.y.z
  fw_start () {
+
# cd openssl-x.y.z
  echo "Loading packet filter rules"
+
# vi README
 +
# vi INSTALL
 +
# make clean
 +
# ./config --prefix=/usr/local --openssldir=/etc/ssl shared
 +
# make
 +
# make test
 +
# cd /var/log/packages
 +
# removepkg openssl-x.y.z-X86_64-2
 +
  # removepkg openssl-solibs-x.y.z-X86_64-2
 +
  # cd /usr/local/openssl-x.y.z
 +
  # make install
 +
  # make clean
 +
  # cd ../lib
 +
# mv libssl* ../lib64
 +
# mv libcrypto* ../lib64
 +
# cd pkgconfig
 +
# mv *ssl.pc ../../lib64/pkgconfig
 +
# mv *crypto.pc ../../lib64/pkgconfig
 +
# cd /usr/lib64
 +
# ln -sf /usr/local/lib64/libssl.so.1.0.0 libssl.so.1
 +
# ln -sf /usr/local/lib64/libcrypto.so.1.0.0 libcrypto.so.1
 +
# ldconfig
 +
# cd /etc/ssl
 +
# cp -r man /usr/local
 +
# rm -r man
 +
# reboot
  
The flush command affords deleting all the active nat and filtering rules:
+
'''reboot''' affords making sure that nothing was missed by the install and that the system is able to boot normally. If anything went wrong be ready to manually fix your system, for example by reinstalling the default Slackware OpenSSL package using '''installpkg'''.
  
# flush old rules
+
== Using OpenSSL ==
iptables -t nat --flush
 
iptables -flush
 
  
The -P option affords defining the default policy. A good practise is to forbid by default everything not authorized. This is done here for packets incoming, outgoing, and routed between the interfaces:
+
Except for managing certificates (see the next paragraph) OpenSSL is not used directly but thru libraries to encapsulate other protocols such as '''smtp http pop3 nntp imap ldap'''.
  
# drop by default
+
== Using Certificates ==
iptables -P INPUT DROP
 
iptables -P FORWARD DROP
 
iptables -P OUTPUT DROP
 
  
Connections already established are authorized to continue:
+
Using a server certificate will afford remote '''smtp http pop3 nntp imap ldap''' clients to make sure that they are connected to the right site. The server certificate contains the full domain name and other information, signed by a Certificate Authority.
  
# accept packets that are part of previously OK'ed sessions
+
To effect the real checking the clients need to get copies of the server and Certificate Authority certificates. The server certificate comes as part of the TLS protocol. The Certificate Authority certificate however must be present on the client.
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
 
iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
 
iptables -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
 
  
The -A option affords adding a rule. Here all the packets on the loopback interface are accepted:
+
This is the case for most commercial Certificate Authority certificates, that are preinstalled. Being your own Certificate Authority will save the cost of purchasing a server certificate and renewing it yearly, but it will be necessary to install the Certificate Authority certificate on every client using your services.
  
# INBOUND POLICY
+
The home of the '''OpenSSL''' configuration is '''/etc/ssl'''. It initially include directories '''certs misc private''' to store the certificates, and a configuration file '''openssl.cnf''', that must be edited first. You might want to change dir and certificate to these values :
 
# pass all traffic for network 127.0.0.0/8 on loopback interface
 
iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 
  
On both interfaces, we forbid communications where the remote address is a private network address, as specified by RFC 1918 (except 192.168.x.x, that we use internally). On the Internet, addresses of RFC 1918 private networks are not routable. So packets with such addresses are not expected on the internal network:
+
  dir = /etc/ssl # Where everything is kept
+
  certificate = $dir/certs/cacert.pem # The CA certificate
  # anti-spoofing rules
 
iptables -A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "INPUT spoofed IP "
 
  iptables -A INPUT -s 10.0.0.0/8 -j DROP
 
iptables -A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "INPUT spoofed IP "
 
iptables -A INPUT -s 172.16.0.0/12 -j DROP
 
  
The protocols corresponding to services offered or used externally are accepted:
+
<big><u>To create a self-signed certification authority certificate :</u></big>
  
# services SMTP HTTP HTTPS
+
<font color=red>Beware : for the certification to work, it is not possible to create a certification authority certificate and a server certificate with the same DN (X500 Directory Name).</font>
iptables -A INPUT -p tcp -j ACCEPT --dport 25 -m state --state NEW
 
iptables -A INPUT -p tcp -j ACCEPT --dport 80 -m state --state NEW
 
iptables -A INPUT -p tcp -j ACCEPT --dport 143 -m state --state NEW
 
iptables -A INPUT -p tcp -j ACCEPT --dport 443 -m state --state NEW
 
  
We accept VOIP traffic from freephonie.net:
+
# '''cd /etc/ssl'''
 +
# '''openssl req -new -x509 -days 3650 -keyout private/cakey.pem -out certs/cacert.pem -config openssl.cnf'''
 
   
 
   
  # services to freephonie network SIP RTP
+
Generating a 1024 bit RSA private key
  iptables -A INPUT -p udp -j ACCEPT --dport 5060:5061 -m state --state NEW -s 212.27.52.0/24
+
.........++++++
  # iptables -A INPUT -p udp -j ACCEPT --dport 1024:65535 -m state --state RELATED -s 212.27.52.0/24
+
.............++++++
 +
writing new private key to 'private/cakey.pem'
 +
Enter PEM pass phrase:
 +
Verifying - Enter PEM pass phrase:
 +
-----
 +
You are about to be asked to enter information that will be incorporated
 +
into your certificate request.
 +
What you are about to enter is what is called a Distinguished Name or a DN.
 +
There are quite a few fields but you can leave some blank
 +
For some fields there will be a default value,
 +
If you enter '.', the field will be left blank.
 +
-----
 +
Country Name (2 letter code) [AU]:'''FR'''
 +
State or Province Name (full name) [Some-State]:'''.'''
 +
Locality Name (eg, city) []:'''Rennes'''
 +
Organization Name (eg, company) [Internet Widgits Pty Ltd]:'''Studioware'''
 +
Organizational Unit Name (eg, section) []:'''CA'''
 +
Common Name (eg, YOUR name) []:'''Studioware.com'''
 +
Email Address []:'''nospam@studioware.com'''
  
The protocols corresponding to services offered on the local network are accepted:
+
<big><u>To create a server certificate request :</u></big>
  
  # services on local network FTP DNS BOOTP NNTP SUBMIT VNC SIP RTP
+
<font color=red> Beware : for a server certificate, the common name must be the fully qualified domain name. A reverse DNS entry should also exist.</font>
  iptables -A INPUT -p tcp -j ACCEPT --dport 20 -m state --state NEW -s 192.168.0.0/24
 
  iptables -A INPUT -p tcp -j ACCEPT --dport 21 -m state --state NEW -s 192.168.0.0/24
 
  iptables -A INPUT -p udp -j ACCEPT --dport 53 -m state --state NEW -s 192.168.0.0/16
 
  iptables -A INPUT -p tcp -j ACCEPT --dport 53 -m state --state NEW -s 192.168.0.0/16
 
  iptables -A INPUT -p udp -j ACCEPT --dport 69 -m state --state NEW -s 192.168.0.0/24
 
  iptables -A INPUT -p tcp -j ACCEPT --dport 119 -m state --state NEW -s 192.168.0.0/16
 
  iptables -A INPUT -p tcp -j ACCEPT --dport 587 -m state --state NEW -s 192.168.0.0/16
 
  iptables -A INPUT -p tcp -j ACCEPT --dport 5088 -m state --state NEW -s 192.168.0.0/16
 
  iptables -A INPUT -p tcp -j ACCEPT --dport 5900:5910 -m state --state NEW -s 192.168.0.0/16
 
  iptables -A INPUT -p udp -j ACCEPT --dport 5060:5061 -m state --state NEW -s 192.168.0.0/16
 
  # iptables -A INPUT -p udp -j ACCEPT --dport 1024:65535 -m state --state RELATED -s 192.168.0.0/16
 
  
We accept X-Window traffic on the local network:
+
# '''cd /etc/ssl'''
 +
# '''mkdir newcerts'''
 +
# '''openssl req -new -keyout newcerts/mtakey.pem -out newcerts/mtareq.pem -days 365 -config openssl.cnf'''
 +
 +
Generating a 1024 bit RSA private key
 +
................................++++++
 +
..................++++++
 +
writing new private key to 'newkey.pem'
 +
Enter PEM pass phrase:
 +
Verifying - Enter PEM pass phrase:
 +
-----
 +
You are about to be asked to enter information that will be incorporated
 +
into your certificate request.
 +
What you are about to enter is what is called a Distinguished Name or a DN.
 +
There are quite a few fields but you can leave some blank
 +
For some fields there will be a default value,
 +
If you enter '.', the field will be left blank.
 +
-----
 +
Country Name (2 letter code) [AU]:'''FR'''
 +
State or Province Name (full name) [Some-State]:'''.'''
 +
Locality Name (eg, city) []:'''Rennes'''
 +
Organization Name (eg, company) [Internet Widgits Pty Ltd]:'''Studioware'''
 +
Organizational Unit Name (eg, section) []:'''MTA'''
 +
Common Name (eg, YOUR name) []:'''inner.studioware.com'''
 +
Email Address []:'''nospam@studioware.com'''
 +
 +
Please enter the following 'extra' attributes
 +
to be sent with your certificate request
 +
A challenge password []:
 +
An optional company name []:
  
  # SSH-tunnelled X-Window output appears as input on interface lo
+
<big><u>To sign the server certificate request :</u></big>
  iptables -A INPUT -p udp -j ACCEPT --dport 177 -m state --state NEW -s 192.168.0.0/16
 
  iptables -A INPUT -p tcp -j ACCEPT --dport 6000:6063 -m state --state NEW -s 192.168.0.0/16
 
  iptables -A INPUT -i lo -p tcp -j ACCEPT --dport 6000:6063 -m state --state NEW -s 192.168.0.0/16
 
  
We accept NFS on the local network and fix the NFS ports:
+
# '''cd /etc/ssl'''
 +
# '''cat </dev/null >index.txt'''
 +
# '''cat >serial'''
 +
'''01'''
 +
'''<ctrl>d'''
 +
# '''cat newcerts/mtareq.pem newcerts/mtakey.pem > newcerts/mta.pem'''
 +
# '''openssl ca -policy policy_anything -out newcerts/mtacert.pem -config openssl.cnf -infiles newcerts/mta.pem'''
 +
Using configuration from openssl.cnf
 +
Enter pass phrase for /etc/ssl/private/cakey.pem:
 +
Check that the request matches the signature
 +
Signature ok
 +
Certificate Details:
 +
        Serial Number: 1 (0x1)
 +
        Validity
 +
            Not Before: Jan  2 13:40:43 2007 GMT
 +
            Not After : Jan  2 13:40:43 2008 GMT
 +
        Subject:
 +
            countryName              = FR
 +
            localityName              = Rennes
 +
            organizationName          = Studioware
 +
            organizationalUnitName    = MTA
 +
            commonName                = Jean-Pierre Menicucci
 +
            emailAddress              = nospam@studioware.com
 +
        X509v3 extensions:
 +
            X509v3 Basic Constraints:
 +
                CA:FALSE
 +
            Netscape Comment:
 +
                OpenSSL Generated Certificate
 +
            X509v3 Subject Key Identifier:
 +
                06:08:16:E7:C0:A3:D3:9A:D1:92:4A:6F:B8:6E:E8:28:47:79:BD:12
 +
            X509v3 Authority Key Identifier:
 +
                keyid:92:59:DF:C2:26:D6:54:46:46:A8:10:4E:56:CB:09:A2:E9:B4:86:93
 +
 +
Certificate is to be certified until Jan  2 13:40:43 2008 GMT (365 days)
 +
Sign the certificate? [y/n]:'''y'''
 +
 +
1 out of 1 certificate requests certified, commit? [y/n]'''y'''
 +
Write out database with 1 new entries
 +
Data Base Updated
  
  # NFS ports
+
<big><u>To remove the pass phrase from the server private key :</u></big>
  iptables -A INPUT -p udp -j ACCEPT --dport 111 -m state --state NEW -s 192.168.0.0/24
 
  iptables -A INPUT -p tcp -j ACCEPT --dport 111 -m state --state NEW -s 192.168.0.0/24
 
  iptables -A INPUT -p udp -j ACCEPT --dport 2049 -m state --state NEW -s 192.168.0.0/24
 
  iptables -A INPUT -p tcp -j ACCEPT --dport 2049 -m state --state NEW -s 192.168.0.0/24
 
  iptables -A INPUT -p udp -j ACCEPT --dport 32764 -m state --state NEW -s 192.168.0.0/24
 
  iptables -A INPUT -p tcp -j ACCEPT --dport 32764 -m state --state NEW -s 192.168.0.0/24
 
  iptables -A INPUT -p udp -j ACCEPT --dport 32765 -m state --state NEW -s 192.168.0.0/24
 
  iptables -A INPUT -p tcp -j ACCEPT --dport 32765 -m state --state NEW -s 192.168.0.0/24
 
  iptables -A INPUT -p udp -j ACCEPT --dport 32766 -m state --state NEW -s 192.168.0.0/24
 
  iptables -A INPUT -p tcp -j ACCEPT --dport 32766 -m state --state NEW -s 192.168.0.0/24
 
  iptables -A INPUT -p udp -j ACCEPT --dport 32767 -m state --state NEW -s 192.168.0.0/24
 
  iptables -A INPUT -p tcp -j ACCEPT --dport 32767 -m state --state NEW -s 192.168.0.0/24
 
  iptables -A INPUT -p udp -j ACCEPT --dport 32768 -m state --state NEW -s 192.168.0.0/24
 
  iptables -A INPUT -p tcp -j ACCEPT --dport 32768 -m state --state NEW -s 192.168.0.0/24
 
  iptables -A INPUT -p udp -j ACCEPT --dport 32769 -m state --state NEW -s 192.168.0.0/24
 
  iptables -A INPUT -p tcp -j ACCEPT --dport 32769 -m state --state NEW -s 192.168.0.0/24
 
  
We accept samba traffic on the local network:
+
<font color=red>Beware : it is necessary to remove this pass phrase so that sendmail could start without any human intervention.</font>
  
  # samba ports
+
# '''openssl rsa -in newcerts/mtakey.pem -out newcerts/mtakey.pem.unsecure'''
  iptables -A INPUT -p tcp -j ACCEPT --dport 135 -m state --state NEW -s 192.168.0.0/16
+
Enter pass phrase for newcerts/mtakey.pem:
  iptables -A INPUT -p udp -j ACCEPT --dport 135 -m state --state NEW -s 192.168.0.0/16
+
writing RSA key
  iptables -A INPUT -p tcp -j ACCEPT --dport 137 -m state --state NEW -s 192.168.0.0/16
 
  iptables -A INPUT -p udp -j ACCEPT --dport 137 -m state --state NEW -s 192.168.0.0/16
 
  iptables -A INPUT -p udp -j ACCEPT --dport 138 -m state --state NEW -s 192.168.0.0/16
 
  iptables -A INPUT -p tcp -j ACCEPT --dport 139 -m state --state NEW -s 192.168.0.0/16
 
  iptables -A INPUT -p tcp -j ACCEPT --dport 445 -m state --state NEW -s 192.168.0.0/16
 
  iptables -A INPUT -p udp -j ACCEPT --dport 445 -m state --state NEW -s 192.168.0.0/16
 
  
Broadcast traffic is also OK:
+
<big><u>To move the files to the right directories with the right rights and clean up :</u></big>
  
  # pass all broadcast traffic
+
# '''cd newcerts'''
  iptables -A INPUT -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT -m state --state NEW
+
# '''ls'''
 +
01.pem  mta.pem  mtacert.pem  mtakey.pem  mtakey.pem.unsecure  mtareq.pem
 +
# '''mv mtacert.pem ../certs'''
 +
# '''mv mtakey* ../private'''
 +
# '''rm 01.pem mta.pem mtareq.pem'''
 +
# '''cd ../certs'''
 +
# '''chmod go+r *'''
 +
# '''cd ../private'''
 +
# '''chmod go-r *'''
  
We accept pings on the local network:
+
When renewing an existing certificate mtakey.pem, the following commands afford making the required copies :
 
 
  # accept echo-request icmp packets
 
  iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT -m state --state NEW -s 192.168.0.0/16
 
 
 
We accept antispam dcc answers:
 
 
 
  # accept dcc answers (dcc antispam service)
 
  iptables -A INPUT -p udp -j ACCEPT --dport 1024:65535 --sport 6277 -m state --state NEW
 
 
 
We could log anything not accepted above:
 
 
 
# log anything not accepted above
 
# iptables -A INPUT -j LOG --log-prefix "INPUT bad traffic "
 
 
 
We accept all outbound packets, which would for example afford using a network scanner. In a production environment, there would be a stricter policy:
 
 
 
# OUTBOUND POLICY
 
 
# accept all outbound packets
 
iptables -A OUTPUT -j ACCEPT
 
 
 
For routing between the interfaces, everything is accepted. In a production environment, there might be a stricter policy:
 
 
 
# FORWARD POLICY
 
 
# forward all outbound packets
 
iptables -A FORWARD -j ACCEPT
 
 
 
The Network Address Translation rule below affords replacing the source address in the packets coming from the internal interface by the source address of the external interface. The packets outgoing to the Internet then all seem to come from the external interface, whatever their real origin (this translation affords hiding to the outside the addresses used internally):
 
 
 
# POSTROUTING POLICY
 
 
# nat traffic going to internet with our local network address
 
iptables -t nat -A POSTROUTING -o br0 -j SNAT --to 192.168.0.1
 
}
 
 
After the fw_start() function ends, the fw_stop() function is defined to authorize everything:
 
 
 
fw_stop () {
 
  echo "Unloading all packet filter rules"
 
  iptables -t nat --flush
 
  iptables -flush
 
 
# accept by default
 
  iptables -P INPUT ACCEPT
 
  iptables -P FORWARD ACCEPT
 
  iptables -P OUTPUT ACCEPT
 
  }
 
 
case "$1" in
 
‘start’)
 
  fw_start
 
  ;;
 
’stop’)
 
  fw_stop
 
  ;;
 
’restart’)
 
  fw_start
 
  ;;
 
*)
 
  echo "usage $0 start | stop | restart"
 
  
== Testing the firewall ==
+
# '''cp mtakey.pem.unsecure apache.mtakey.pem.unsecure'''
 +
# '''cp mtakey.pem.unsecure asterisk.mtakey.pem.unsecure'''
 +
# '''cp mtakey.pem.unsecure ldap.mtakey.pem.unsecure'''
 +
# '''cp mtakey.pem.unsecure news.mtakey.pem.unsecure'''
 +
# '''cp mtakey.pem.unsecure smmsp.mtakey.pem.unsecure'''
 +
# '''chown apache:apache apache.mtakey.pem.unsecure'''
 +
# '''chown asterisk:asterisk asterisk.mtakey.pem.unsecure'''
 +
# '''chown ldap:ldap ldap.mtakey.pem.unsecure'''
 +
# '''chown smmsp:smmsp smmsp.mtakey.pem.unsecure'''
 +
# '''chown news:news news.mtakey.pem.unsecure'''
 +
# '''cd ../certs'''
 +
# '''vi mtacert.pem'''
 +
d59d
 +
:$
 +
:r ../private/mtakey.pem.unsecure
 +
:w! server.pem
 +
:x
 +
# '''chown cyrus:mail server.pem'''
 +
# '''chmod 600 server.pem'''
  
Use '''nmap -sU hostname''' (UDP) and '''nmap -sT hostname''' (TCP) to make sure what ports are visible locally and do the same from the outside.
+
<big><u>To check an external certificate</u></big>
  
== Download example ==
+
For OpenSSL to use an external certification authority certificate, you need to place in your '''/etc/ssl/certs''' directory a copy of it and a symbolic link to this copy. The name of this link must be based on the certificate hash code (see http://www.sendmail.org/~ca/email/starttls.html). This can be done in this way :
  
[{{SERVER}}/wikislax/download/rc.firewall Download file rc.firewall]
+
# C=CertificateFileName
 +
# ln -s $C `openssl x509 -noout -hash < $C`.0
  
<br/>
+
<br>
  
{{pFoot|[[Configuration files]]|[[Main Page]]|[[X11 configuration]]}}
+
{{pFoot|[[Creating VMs]]|[[Main Page]]|[[OpenLDAP]]|}}

Latest revision as of 22:46, 4 November 2020

What is OpenSSL ?

OpenSSL is an OpenSource implementation of the TLS and SSL protocols. It is used as a base for securitizing the communications (authenticating, cyphering, signing) of the rest of the OpenSource server software. However, following a record of security issues, the security and quality of the software appears more uncertain. In 2013, WikiLeaks published documents obtained by Edward Snowden, which revealed that since 2010, the NSA had effectively broken/bypassed SSL/TLS by possibly exploiting vulnerabilities such as HeartBleed.

Since OpenSSL 1.0.1g, members of the OpenBSD project forked OpenSSL to create a project named LibreSSL that can be used as a plugin replacement for OpenSSL.

To make things a bit less worrying, OpenSSL is part of the base Slackware distribution and so benefits from the Slackware security advisories. The official documentation can be found on the official http site openssl.org but is somewhat cryptic. man openssl is a better option.

From an historic point of view, the SSL suite of protocols was created by Netscape to securitize communications made over TCP/IP. SSL affords encrypting the data and authenticating the parties on the wire using various methods and algorithms. SSL was the base layer to ensure confidentiality of essential TCP protocols such as smtp http pop3 nntp imap ldap. SSL encapsulates these services (and others…) using alternate protocol names and port numbers. BUT the SSL protocols were superseded by TLS and are now deprecated due to security weaknesses. SSL should not be used any longer. Instead, use TLS. Current version is TLS v1.2.

Protocol Port # Secure Protocol Secure Port # Service
SMTP 25 SMTPS 465 Mail exchange
HTTP 80 HTTPS 443 Web browsing
POP3 110 POP3S 995 Mail retrieval
NTTP 119 NTTPS 563 News exchange
IMAP 143 IMAPS 993 Mail retrieval
LDAP 389 LDAPS 636 Ldap Directory


Use only TLS

Please note : the SSL protocols were superseded by TLS and are now deprecated due to security weaknesses. SSL should not be used any longer. Instead, use TLS. Current version is v1.2

Compiling OpenSSL

OpenSSL is part of the base Slackware distribution and so benefits from the Slackware security advisories, which makes it very easy to upgrade to the most secure version at any time. If for some reason you'd nevertheless like to compile it from source, here's how to do it :

Beware : to avoid breaking other software in the distribution, openssl-x.y.z can be replaced only by a minor fix update. Be sure to check the current version number using ls /usr/lib/*ssl* first.

Installing OpenSSL is otherwise quite straigthforward : 

# tar -C /usr/local -xvf openssl-x.y.z.tar.gz
# cd /usr/local
# chown -R root openssl-x.y.z
# chgrp -R root openssl-x.y.z
# cd openssl-x.y.z
# vi README
# vi INSTALL
# make clean
# ./config --prefix=/usr/local --openssldir=/etc/ssl shared
# make
# make test
# cd /var/log/packages
# removepkg openssl-x.y.z-X86_64-2
# removepkg openssl-solibs-x.y.z-X86_64-2
# cd /usr/local/openssl-x.y.z
# make install
# make clean
# cd ../lib
# mv libssl* ../lib64
# mv libcrypto* ../lib64
# cd pkgconfig
# mv *ssl.pc ../../lib64/pkgconfig
# mv *crypto.pc ../../lib64/pkgconfig
# cd /usr/lib64
# ln -sf /usr/local/lib64/libssl.so.1.0.0 libssl.so.1
# ln -sf /usr/local/lib64/libcrypto.so.1.0.0 libcrypto.so.1
# ldconfig
# cd /etc/ssl
# cp -r man /usr/local
# rm -r man
# reboot

reboot affords making sure that nothing was missed by the install and that the system is able to boot normally. If anything went wrong be ready to manually fix your system, for example by reinstalling the default Slackware OpenSSL package using installpkg.

Using OpenSSL

Except for managing certificates (see the next paragraph) OpenSSL is not used directly but thru libraries to encapsulate other protocols such as smtp http pop3 nntp imap ldap.

Using Certificates

Using a server certificate will afford remote smtp http pop3 nntp imap ldap clients to make sure that they are connected to the right site. The server certificate contains the full domain name and other information, signed by a Certificate Authority.

To effect the real checking the clients need to get copies of the server and Certificate Authority certificates. The server certificate comes as part of the TLS protocol. The Certificate Authority certificate however must be present on the client.

This is the case for most commercial Certificate Authority certificates, that are preinstalled. Being your own Certificate Authority will save the cost of purchasing a server certificate and renewing it yearly, but it will be necessary to install the Certificate Authority certificate on every client using your services.

The home of the OpenSSL configuration is /etc/ssl. It initially include directories certs misc private to store the certificates, and a configuration file openssl.cnf, that must be edited first. You might want to change dir and certificate to these values : 

dir 		= /etc/ssl		# Where everything is kept
certificate	= $dir/certs/cacert.pem	# The CA certificate

To create a self-signed certification authority certificate :

Beware : for the certification to work, it is not possible to create a certification authority certificate and a server certificate with the same DN (X500 Directory Name). 

# cd /etc/ssl
# openssl req -new -x509 -days 3650 -keyout private/cakey.pem -out certs/cacert.pem -config openssl.cnf

Generating a 1024 bit RSA private key
.........++++++
.............++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:Rennes
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Studioware
Organizational Unit Name (eg, section) []:CA
Common Name (eg, YOUR name) []:Studioware.com
Email Address []:nospam@studioware.com

To create a server certificate request :

Beware : for a server certificate, the common name must be the fully qualified domain name. A reverse DNS entry should also exist. 

# cd /etc/ssl
# mkdir newcerts
# openssl req -new -keyout newcerts/mtakey.pem -out newcerts/mtareq.pem -days 365 -config openssl.cnf

Generating a 1024 bit RSA private key
................................++++++
..................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:Rennes
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Studioware
Organizational Unit Name (eg, section) []:MTA
Common Name (eg, YOUR name) []:inner.studioware.com
Email Address []:nospam@studioware.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

To sign the server certificate request : 

# cd /etc/ssl
# cat </dev/null >index.txt
# cat >serial
01
<ctrl>d
# cat newcerts/mtareq.pem newcerts/mtakey.pem > newcerts/mta.pem
# openssl ca -policy policy_anything -out newcerts/mtacert.pem -config openssl.cnf -infiles newcerts/mta.pem
Using configuration from openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
       Serial Number: 1 (0x1)
       Validity
           Not Before: Jan  2 13:40:43 2007 GMT
           Not After : Jan  2 13:40:43 2008 GMT
       Subject:
           countryName               = FR
           localityName              = Rennes
           organizationName          = Studioware
           organizationalUnitName    = MTA
           commonName                = Jean-Pierre Menicucci
           emailAddress              = nospam@studioware.com
       X509v3 extensions:
           X509v3 Basic Constraints:
               CA:FALSE
           Netscape Comment:
               OpenSSL Generated Certificate
           X509v3 Subject Key Identifier:
               06:08:16:E7:C0:A3:D3:9A:D1:92:4A:6F:B8:6E:E8:28:47:79:BD:12
           X509v3 Authority Key Identifier:
               keyid:92:59:DF:C2:26:D6:54:46:46:A8:10:4E:56:CB:09:A2:E9:B4:86:93

Certificate is to be certified until Jan  2 13:40:43 2008 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

To remove the pass phrase from the server private key :

Beware : it is necessary to remove this pass phrase so that sendmail could start without any human intervention. 

# openssl rsa -in newcerts/mtakey.pem -out newcerts/mtakey.pem.unsecure
Enter pass phrase for newcerts/mtakey.pem:
writing RSA key

To move the files to the right directories with the right rights and clean up : 

# cd newcerts
# ls
01.pem  mta.pem  mtacert.pem  mtakey.pem  mtakey.pem.unsecure  mtareq.pem
# mv mtacert.pem ../certs
# mv mtakey* ../private
# rm 01.pem mta.pem mtareq.pem
# cd ../certs
# chmod go+r *
# cd ../private
# chmod go-r *

When renewing an existing certificate mtakey.pem, the following commands afford making the required copies : 

# cp mtakey.pem.unsecure apache.mtakey.pem.unsecure
# cp mtakey.pem.unsecure asterisk.mtakey.pem.unsecure
# cp mtakey.pem.unsecure ldap.mtakey.pem.unsecure
# cp mtakey.pem.unsecure news.mtakey.pem.unsecure
# cp mtakey.pem.unsecure smmsp.mtakey.pem.unsecure
# chown apache:apache apache.mtakey.pem.unsecure
# chown asterisk:asterisk asterisk.mtakey.pem.unsecure
# chown ldap:ldap ldap.mtakey.pem.unsecure
# chown smmsp:smmsp smmsp.mtakey.pem.unsecure
# chown news:news news.mtakey.pem.unsecure
# cd ../certs
# vi mtacert.pem
d59d
:$
:r ../private/mtakey.pem.unsecure
:w! server.pem
:x
# chown cyrus:mail server.pem
# chmod 600 server.pem

To check an external certificate

For OpenSSL to use an external certification authority certificate, you need to place in your /etc/ssl/certs directory a copy of it and a symbolic link to this copy. The name of this link must be based on the certificate hash code (see http://www.sendmail.org/~ca/email/starttls.html). This can be done in this way : 

# C=CertificateFileName
# ln -s $C `openssl x509 -noout -hash < $C`.0


Creating VMs Main Page OpenLDAP
Retrieved from "http://studioware.com/wikislax/index.php?title=IPTables&oldid=72"