The sys admin's daily grind: TLS Interposer
Rescuer at Hand
Many of the recent Linux exploits are the result of vulnerabilities in SSL libraries. TLS Interposer can help calm the waves.
The Poodle attack (Padding Oracle On Downgraded Legacy Encryption) relied on TLS implementations that failed to respond to requests from clients with new TLS versions. They then assumed that the server did not speak TLS at all and switched to the totally obsolete and vulnerable SSLv3. Attackers simply let TLS connections crash into the wall and cheered when the client dug out SSLv3.
Heartbleed was also an implementation error. It gave attackers the ability to read 64KB of the server's RAM – multiple times in succession – thus allowing certificate keys to fall into the wrong hands. Bruce Schneier said at the time that, on a scale of 1 to 10, this was a category 11 disaster [1].
Administrators can avoid all of this pain by keeping the TLS implementations on their servers up to date. But, what if you are forced to run applications that do not even support the latest TLS versions? True to the adage of "Never change a running system," many people stubbornly stick with Apache 2.2, or other services that are of value only to archaeologists.
Catcher on the Rocks
TLS Interposer is the answer for these notorious underminers of web security. It is activated by the LD_PRELOAD
mechanism and fields API calls to the OpenSSL library. Many distributions include it in their repositories, but you can also download from GitHub [2]. After unpacking, just type
make && sudo make install
Apart from the compiler itself, you need the OpenSSL development package. This typically goes by the name libssl-dev
or something of that ilk. Once the compiler has completed its work, you should have a file named libtlsinterposer.so
.
Everything else is simple. Just make sure the service sees the LD_PRELOAD
environmental variable with the path to the libtlsinterposer.so
you just compiled. For Apache 2.2, for example, you would open /etc/apache/envvars
and add
export LD_PRELOAD=/usr/local/\ tlsinterposer/libtlsinterposer.so
After restarting the HTTP daemon, the venerable Apache then communicates with the latest TLS. You might also want to test the setup with SSLScan [3] or one of the many online services that offer a similar scan, such as the Qualys SSL Server Test [4].
Charly Kühnast
Charly Kühnast is a Unix operating system administrator at the Data Center in Moers, Germany. His tasks include firewall and DMZ security and availability. He divides his leisure time into hot, wet, and eastern sectors, where he enjoys cooking, freshwater aquariums, and learning Japanese, respectively.
Infos
- Schneier on Security: https://www.schneier.com/blog/archives/2014/04/heartbleed.html
- TLS Interposer: https://github.com/Netfuture/tlsinterposer
- SSLScan: http://sourceforge.net/projects/sslscan/
- Qualys SSL Server Test: https://www.ssllabs.com/ssltest/
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.