PCI Compliance and openssl-1.0.0c
Posted by SpiesInOrbit on Wed 9 Mar 2011 at 08:20
For some, the stable-biased Debian is too conservative, and apparently OpenSSL has a bug that breaks PCI compliance.
CVE-2009-1379 CVE-2010-4180 CVE-2010-4252
For e-commerce sites this can be an issue. Due to recent changes in the credit card laws, all sites accepting credit cards must meet PCI compliance. It's my opinion this is a poor upgrade path for security, since truly, openssl's patch of version 0.9.8o-4 should be sufficient, rather than require a version change. Either way, openssl-1.0.0c is only available through the experimental repositories.
Add the following source to /etc/apt/sources.list.d/openssl-1.0.0c
deb http://ftp.debian.org/debian experimental main
followed by:
apt-get update
apt-get -t experimental install openssl
This is where I thought the crisis would end...
Apparently, you have to compile openssl-1.0.0c from source and include SSLv2, because apache2 2.2.16 won't compile without it and openssl-1.0.0c excludes it by default.
cd /usr/src
apt-get source openssl=1.0.0c-2
apt-get source apache2
cd openssl-*
apt-get build-dep openssl=1.0.0c-2
Now we have to enable SSLv2. I'm still learning the package manager protocol, so someone feel free to jump in here with some "best practices". Edit 'debian/rules'.
vi debian/rules
# -- change --
CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl \
    no-idea no-mdc2 no-rc5 zlib enable-tlsext no-sslv2
# -- to --
CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl \
    no-idea no-mdc2 no-rc5 zlib enable-tlsext
# Now we need to build the packages again.
debuild -us -uc
I advise using GNU screen here because it's nice to be able to disconnect and do something else while it compiles.
Now we need to compile apache2 with the new openssl libs.
cd ../apache2-*
vi debian/rules
# -- change --
AP2_CFLAGS = $(CFLAGS) -g -pipe -I/usr/include/xmltok \
    -I/usr/include/openssl -Wall -Wformat -Wformat-security \
    -D_FORTIFY_SOURCE=2 -fstack-protector
# -- to --
AP2_CFLAGS = $(CFLAGS) -g -pipe -I/usr/include/xmltok \
    -I/usr/src/openssl-1.0.0c/include/openssl -Wall -Wformat \
    -Wformat-security -D_FORTIFY_SOURCE=2 -fstack-protector
Now we need to compile apache2.
apt-get build-dep apache2
debuild -us -uc
cd ..
dpkg -i apache2.2-bin_2.2.16-6_amd64.deb \
    apache2.2-common_2.2.16-6_amd64.deb \
    apache2-utils_2.2.16-6_amd64.deb
# I'm using prefork because of PHP
dpkg -i apache2-mpm-prefork_2.2.16-6_amd64.deb
This should restart Apache. You can check the install with phpinfo(). Please note, you will have to disable SSLv2 since it has weak ciphers. This can be done by appending '-SSLv2' to the following line in your ssl.conf.
vi /etc/apache2/mods-available/ssl.conf
SSLProtocol all -SSLv2
service apache2 restart
After the restart you should be good with SSL and PCI compliance.
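As an added check that is not part of the original post: the script below evaluates Apache 2.2 SSLProtocol values the way mod_ssl's parser does (a bare name replaces the set, +name adds, -name removes, and "all" means SSLv2 SSLv3 TLSv1) and reports any SSLProtocol line that still leaves SSLv2 on, as well as a config with no SSLProtocol line at all, where the 2.2 default of "all" applies. The two config strings are constructed samples of the ssl.conf line before and after the edit above.

```python
import re
# mod_ssl 2.2 protocol names (lower-case key -> canonical); "all" = every one
NAMES = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}

def parse_sslprotocol(value):
    """Protocol set an Apache 2.2 SSLProtocol value enables, following
    mod_ssl's parser: a bare name replaces the set, +name adds, -name
    removes, "all" stands for SSLv2 SSLv3 TLSv1 (case-insensitive)."""
    enabled = set()
    for token in value.split():
        action = ""
        if token[:1] in ("+", "-"):
            action, token = token[0], token[1:]
        name = token.lower()
        if name == "all":
            this = set(NAMES.values())
        elif name in NAMES:
            this = {NAMES[name]}
        else:
            raise ValueError("unknown SSLProtocol value: %r" % token)
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            enabled = this            # bare name: start over from this one
    return enabled

def sslv2_findings(config_text):
    """(line_no, protocols) for each SSLProtocol line that leaves SSLv2
    on. With no SSLProtocol directive at all, report line 0: mod_ssl 2.2
    defaults to 'all', so SSLv2 is enabled without any explicit line."""
    findings, seen = [], False
    for no, line in enumerate(config_text.splitlines(), 1):
        code = line.split("#", 1)[0].strip()          # drop trailing comments
        m = re.match(r"SSLProtocol\s+(.+)$", code, re.IGNORECASE)
        if not m:
            continue
        seen = True
        protos = parse_sslprotocol(m.group(1))
        if "SSLv2" in protos:
            findings.append((no, sorted(protos)))
    if not seen:
        findings.append((0, sorted(NAMES.values())))
    return findings

# Constructed samples: the ssl.conf line before and after the post's edit.
SAMPLE_BEFORE = "<IfModule mod_ssl.c>\n    SSLProtocol all\n</IfModule>\n"
SAMPLE_AFTER = "<IfModule mod_ssl.c>\n    SSLProtocol all -SSLv2\n</IfModule>\n"
```

Run it over each vhost file too, since a vhost without its own SSLProtocol line inherits the server default rather than the edited ssl.conf line.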
security-tracker.debian.org/tracker/CVE-2010-4252
security-tracker.debian.org/tracker/CVE-2009-1379
security-tracker.debian.org/tracker/CVE-2010-4180
There is absolutely no need to use experimental! Just use stable and stable security.