back       next
Home

openssl

Checking Ubuntu Servers for openssh and openssl vulnerable keys

Submitted by sandip on Sun, 06/22/2008 - 21:33. | Tags:
1
point
  1. Update openssh and openssl packages
    # apt-get update
    # apt-get install openssh openssl

  2. Install openssh-blacklist and openssl-blacklist
    # apt-get install openssh-blacklist openssl-blacklist

  3. Check all ssh compromised keys via:
    # ssh-vulnkeys -a

  4. Check all ssl keys and certificates via:
    # openssl-vulnkeys *.key *.pem

    Note: Plesk specific ssl certs are stored at "/opt/psa/var/certificates/"

»

Static compile of openssl, apache, mod_ssl and php

Submitted by wizap on Tue, 02/26/2008 - 16:47. | Tags:
2
points

As of this writing, the latest versions were:

  • apache_1.3.41
  • php-4.4.8
  • openssl-0.9.8g
  • mod_ssl-2.8.31-1.3.41

Once the files are downloaded and extracted; config, compile and install in the below order:

  1. Install openssl:
    $ ./config --prefix=/usr/local --openssldir=/usr/local/openssl
    $ make
    # make install

  2. mod_ssl patch:
    $ ./configure \
    --with-ssl=../openssl-0.9.8g \
    --with-apache=../apache_1.3.41

  3. Pre-configure apache:
    $ ./configure

  4. Install php:
    $ ./configure \
    --with-gd \
    --with-jpeg-dir \
    --with-png-dir \
    --with-zlib-dir \
    --with-freetype \
    --with-freetype-dir=/usr/lib \
    --enable-gd-native-ttf \
    --enable-memory-limit \
    --with-ldap \
    --with-mysql \
    --with-apache=../apache_1.3.41
    $ make
    # make install

  5. Install apache
    $ SSL_BASE=../openssl-0.9.8g \
    ./configure \
    --prefix=/usr/local/apache \
    --enable-module=rewrite \
    --enable-module=so \
    --activate-module=src/modules/php4/libphp4.a \
    --enable-module=ssl

»

STARTTLS: CRLFile missing (RESOLVED)

Submitted by sandip on Fri, 10/19/2007 - 10:20. | Tags:
1
point

When starting sendmail, I would get the below messgage:

Oct 18 23:59:01 srv02 sendmail[20857]: alias database /etc/aliases rebuilt by root
Oct 18 23:59:01 srv02 sendmail[20857]: /etc/aliases: 79 aliases, longest 22 bytes, 860 bytes total
Oct 18 23:59:01 srv02 sendmail[20862]: starting daemon (8.13.1): SMTP+queueing@01:00:00
Oct 18 23:59:01 srv02 sendmail[20862]: STARTTLS: CRLFile missing
Oct 18 23:59:01 srv02 sendmail[20862]: STARTTLS=server, Diffie-Hellman init, key=512 bit (1)
Oct 18 23:59:01 srv02 sendmail[20862]: STARTTLS=server, init=1
Oct 18 23:59:01 srv02 sendmail[20862]: started as: /usr/sbin/sendmail -bd -q1h
Oct 18 23:59:01 srv02 sm-msp-queue[20872]: starting daemon (8.13.1): queueing@01:00:00

Although, sendmail would still run without the CRL File and just complain about it missing. A quick way to include it in the sendmail configuration is to download revoke.crl from cacert.org, add the below option in sendmail.mc and rebuild the sendmail conf file as below.

Download revoke.crl:

# cd /usr/share/ssl/certs
# wget http://www.cacert.org/revoke.crl

Add the below line to "/etc/mail/sendmail.mc" just below the "confSERVER_KEY":

define(`confCRL', `/usr/share/ssl/certs/revoke.crl')

Rebuild sendmail conf by running make:

# cd /etc/mail
# make

Check sendmail.cf with the revoke.crl listed as below:

O CRLFile=/usr/share/ssl/certs/revoke.crl

Now restarting sendmail should not complain about the missing Certificate Revocation List (CRL) File.

»

Static compile and install of apache + mod_ssl + php on FC4

Submitted by sandip on Tue, 05/22/2007 - 15:24. | Tags:
2
points

Latest Compile with pdo drivers for mysql along with mod_security.

NOTE:
Remove the MySQL-shared rpm else openssl will not work.

# rpm -e MySQL-shared-5.0.20a-0.glibc23

»

Syndicate content