openssl

sendmail dh key too small

After Logjam, OpenSSL-based clients reject a server whose Diffie-Hellman group is under 1024 bits with "dh key too small", and sendmail's built-in default group (see the "Diffie-Hellman init, key=512 bit" line in the STARTTLS log further down this page) trips that check. The fix is to generate a 2048-bit group and point sendmail at it.

Generate new DH keys file:

cd /etc/pki/tls/certs
openssl dhparam -out dhparams.pem 2048

Edit sendmail.mc:

define(`confDH_PARAMETERS',`/etc/pki/tls/certs/dhparams.pem')dnl

Update sendmail.cf and restart:

cd /etc/mail
make
service sendmail restart
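A way to confirm what a parameter file actually contains, as an added example written for this page (it is not part of the original notes): the script below parses a PEM "DH PARAMETERS" file with the Python standard library only and reports the size of the prime, which is the number Logjam turns on. `openssl dhparam -in dhparams.pem -text -noout` prints the same information; the pure-Python version is handy for auditing a fleet or a host whose openssl binary is too old to trust. The `build_dh_params_pem` helper exists only to construct test input offline; the values fed to it in the usage section are deliberately not real primes.

```python
"""Check the prime size in a PEM "DH PARAMETERS" file (added example).

The PEM body is PKCS#3 DHParameter:
    SEQUENCE { prime INTEGER, base INTEGER [, privateValueLength INTEGER] }
so a tiny DER TLV reader is enough to pull out p.
"""
import base64
import re

MIN_SAFE_BITS = 2048  # weakdh.org's recommendation for freshly generated groups


def _der_read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8N, then N length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(pem_text):
    """Decode a PEM 'DH PARAMETERS' block and return (p, g) as integers."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _der_read_tlv(seq, 0)
    tag_g, g_bytes, _ = _der_read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p and g")
    # A leading 0x00 (positive-sign padding) is harmless to int.from_bytes.
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def dh_prime_bits(pem_text):
    """Bit length of the group prime, i.e. the 'key=NNN bit' sendmail logs."""
    p, _ = parse_dh_params(pem_text)
    return p.bit_length()


def dh_params_are_safe(pem_text, minimum=MIN_SAFE_BITS):
    return dh_prime_bits(pem_text) >= minimum


# --- helpers to build a sample file offline (constructed test input only) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b                     # keep the INTEGER positive
    return b"\x02" + _der_len(len(b)) + b


def build_dh_params_pem(p, g=2):
    """Wrap (p, g) as a PEM DH PARAMETERS block; p need not be prime for parsing tests."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


if __name__ == "__main__":
    import sys
    # Usage: python dhcheck.py /etc/pki/tls/certs/dhparams.pem [more files...]
    for path in sys.argv[1:]:
        with open(path) as f:
            bits = dh_prime_bits(f.read())
        verdict = "ok" if bits >= MIN_SAFE_BITS else "TOO SMALL"
        print(f"{path}: {bits}-bit prime ({verdict})")
    # Constructed demo values (not primes): a 512-bit group fails, a 2048-bit one passes.
    print("512-bit sample safe?", dh_params_are_safe(build_dh_params_pem(2**511 + 9)))
    print("2048-bit sample safe?", dh_params_are_safe(build_dh_params_pem(2**2047 + 15)))
```

Run it against the file you just generated and against any other dhparams.pem you find in service configs; anything reporting fewer than 2048 bits should be regenerated exactly as above.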

Refer to https://weakdh.org/sysadmin.html for other service fixes.

md5 and sha1 digest with openssl

md5 digest (echo -n keeps the shell's trailing newline out of the input; without it you hash the text plus "\n" and get a different value):

echo -n 'md5 digest of text' | openssl dgst -md5
841fc570f41fad1a64cc237b16127225

sha1 digest (MD5 and SHA-1 are both broken for collision resistance, so use -sha256 or stronger wherever the digest carries security weight):

echo -n 'sha1 digest of text' | openssl dgst -sha1
80efdb4abbeb92c0ea15a4146d68c39adff5ad47

base64 encoding decoding with openssl

Base64 encoding with openssl:

echo -n 'encode this with base64' | openssl enc -base64
ZW5jb2RlIHRoaXMgd2l0aCBiYXNlNjQ=

Base64 decoding with openssl (the decoder expects input wrapped at 64 characters; add -A when the input is a single long line):

echo 'ZW5jb2RlIHRoaXMgd2l0aCBiYXNlNjQ=' | openssl enc -base64 -d
encode this with base64

Shadow password hash explained

You can generate a shadow-style password hash programmatically via:

$ openssl passwd -1 -salt G5cYam5w test.123
$1$G5cYam5w$z0NDUjMRX4xVBKw9Nb6YL0

-1 selects MD5-crypt (the "$1$" scheme)
G5cYam5w is the salt (up to 8 characters; openssl picks a random one if -salt is omitted)
test.123 is the password

Here is the breakdown:

The first $1 identifies the scheme (MD5-crypt).
The second $G5cYam5w is the salt.
The third $z0NDUjMRX4xVBKw9Nb6YL0 is the hash: 1000 rounds of MD5 over password and salt, encoded in crypt's own 64-character alphabet. It is not a plain MD5 of the password, so it cannot be checked with openssl dgst -md5.

MD5-crypt is obsolete; current shadow files use "$6$" (SHA-512-crypt), which openssl passwd -6 produces in the same three-field layout.
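To make the breakdown concrete, here is MD5-crypt itself, the scheme behind `openssl passwd -1` and glibc's crypt(3) for "$1$" hashes, written out in pure Python. This is an added example for this page, not code from the original notes or from OpenSSL; it follows the original crypt-md5 algorithm step by step (the initial mixing, the 1000-round loop, and the byte shuffle into crypt's "./0-9A-Za-z" alphabet) so the value above can be reproduced and verified offline. The `parse_shadow_hash` and `verify_md5crypt` helpers are names chosen here.

```python
"""MD5-crypt ("$1$salt$hash") as produced by `openssl passwd -1` (added example)."""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$1$"


def _to64(value, count):
    """crypt's own base-64 variant: emit 6 bits at a time, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password, salt):
    """Return '$1$<salt>$<hash>' for password/salt, salt truncated to 8 chars."""
    pw = password.encode()
    salt = salt[:8]                          # MD5-crypt uses at most 8 salt characters
    sb = salt.encode()

    ctx = hashlib.md5(pw + MAGIC.encode() + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for pl in range(len(pw), 0, -16):        # mix in 'alt' once per 16 bytes of password
        ctx.update(alt[:min(pl, 16)])
    i = len(pw)
    while i:                                 # one byte per bit of len(password)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                    # fixed 1000-round stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    # Bytes are regrouped in this fixed order before encoding: 5 groups of 3, then byte 11.
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in groups)
    encoded += _to64(final[11], 2)
    return MAGIC + salt + "$" + encoded


def parse_shadow_hash(field):
    """Split '$id$salt$hash' into (id, salt, hash), the three fields explained above."""
    parts = field.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("not a $id$salt$hash string")
    return parts[1], parts[2], parts[3]


def verify_md5crypt(password, field):
    """Recompute from the stored salt and compare in constant time."""
    scheme_id, salt, _ = parse_shadow_hash(field)
    if scheme_id != "1":
        raise ValueError("not an MD5-crypt ($1$) hash")
    return hmac.compare_digest(md5crypt(password, salt), field)


if __name__ == "__main__":
    stored = md5crypt("test.123", "G5cYam5w")     # the page's own example input
    print(stored)
    print(parse_shadow_hash(stored))
    print("correct password:", verify_md5crypt("test.123", stored))
    print("wrong password:  ", verify_md5crypt("test.124", stored))
```

The same parse-then-recompute structure is how any crypt-style hash is checked: the salt and scheme id are read from the stored field, never supplied separately.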

Checking Ubuntu Servers for openssh and openssl vulnerable keys

Keys generated on Debian or Ubuntu between September 2006 and May 2008 came from a crippled OpenSSL PRNG (CVE-2008-0166) and are drawn from a small, enumerable set. The blacklist packages carry fingerprints of those keys.

  1. Update openssh and openssl packages
    # apt-get update
    # apt-get install openssh-server openssh-client openssl
  2. Install openssh-blacklist and openssl-blacklist
    # apt-get install openssh-blacklist openssl-blacklist
  3. Check all ssh keys against the blacklist via:
    # ssh-vulnkey -a
  4. Check all ssl keys and certificates via:
    # openssl-vulnkey *.key *.pem

    Any key that is flagged must be regenerated, the old public key removed from every authorized_keys file, and any certificate issued for it revoked; upgrading the packages alone does nothing for keys that already exist.

    Note: Plesk specific ssl certs are stored at "/opt/psa/var/certificates/"

Static compile of openssl, apache, mod_ssl and php

As of this writing, the latest versions were the following (Apache 1.3, PHP 4 and OpenSSL 0.9.8 have all since reached end-of-life with unpatched vulnerabilities, so treat this as a record of the build order, not a recipe for a current system):

  • apache_1.3.41
  • php-4.4.8
  • openssl-0.9.8g
  • mod_ssl-2.8.31-1.3.41

Once the files are downloaded and extracted, configure, compile and install in the order below:

  1. Install openssl:
    $ ./config --prefix=/usr/local --openssldir=/usr/local/openssl
    $ make
    # make install
  2. mod_ssl patch:
    $ ./configure \
    --with-ssl=../openssl-0.9.8g \
    --with-apache=../apache_1.3.41
  3. Pre-configure apache:
    $ ./configure
  4. Install php:
    $ ./configure \
    --with-gd \
    --with-jpeg-dir \
    --with-png-dir \
    --with-zlib-dir \
    --with-freetype \
    --with-freetype-dir=/usr/lib \
    --enable-gd-native-ttf \
    --enable-memory-limit \
    --with-ldap \
    --with-mysql \
    --with-apache=../apache_1.3.41
    $ make
    # make install
  5. Install apache
    $ SSL_BASE=../openssl-0.9.8g \
    ./configure \
    --prefix=/usr/local/apache \
    --enable-module=rewrite \
    --enable-module=so \
    --activate-module=src/modules/php4/libphp4.a \
    --enable-module=ssl

STARTTLS: CRLFile missing (RESOLVED)

When starting sendmail, I would get the below message:

Oct 18 23:59:01 srv02 sendmail[20857]: alias database /etc/aliases rebuilt by root
Oct 18 23:59:01 srv02 sendmail[20857]: /etc/aliases: 79 aliases, longest 22 bytes, 860 bytes total
Oct 18 23:59:01 srv02 sendmail[20862]: starting daemon (8.13.1): SMTP+queueing@01:00:00
Oct 18 23:59:01 srv02 sendmail[20862]: STARTTLS: CRLFile missing
Oct 18 23:59:01 srv02 sendmail[20862]: STARTTLS=server, Diffie-Hellman init, key=512 bit (1)
Oct 18 23:59:01 srv02 sendmail[20862]: STARTTLS=server, init=1
Oct 18 23:59:01 srv02 sendmail[20862]: started as: /usr/sbin/sendmail -bd -q1h
Oct 18 23:59:01 srv02 sm-msp-queue[20872]: starting daemon (8.13.1): queueing@01:00:00

Sendmail still runs without the CRL file and only logs the warning. The quickest way to silence it is to point confCRL at a real CRL; the example below uses revoke.crl from cacert.org. Bear in mind that a CRL only covers certificates issued by that CA, so this one does nothing for client certificates unless CAcert is among the CAs in confCACERT. For real revocation checking, fetch the CRL of whichever CA you actually trust, and refresh it on a schedule, since a CRL carries a nextUpdate time and is stale after it. Note also the "Diffie-Hellman init, key=512 bit" line in the log: that is the default group the first section on this page replaces.

Download revoke.crl:

# cd /usr/share/ssl/certs
# wget http://www.cacert.org/revoke.crl

Add the below line to "/etc/mail/sendmail.mc" just below the "confSERVER_KEY":

define(`confCRL', `/usr/share/ssl/certs/revoke.crl')

Rebuild sendmail conf by running make:

# cd /etc/mail
# make

Check sendmail.cf with the revoke.crl listed as below:

O CRLFile=/usr/share/ssl/certs/revoke.crl

Now restarting sendmail should not complain about the missing Certificate Revocation List (CRL) File.

Static compile and install of apache + mod_ssl + php on FC4

Latest compile, with the PDO drivers for MySQL, along with mod_security.

NOTE:
Remove the MySQL-shared rpm first, otherwise openssl will not work.

# rpm -e MySQL-shared-5.0.20a-0.glibc23
