The sys admin's daily grind: TLS Interposer
Rescuer at Hand
Many of the recent Linux exploits are the result of vulnerabilities in SSL libraries. TLS Interposer can help calm the waves.
The Poodle attack (Padding Oracle On Downgraded Legacy Encryption) relied on TLS implementations that failed to respond to requests from clients with new TLS versions. They then assumed that the server did not speak TLS at all and switched to the totally obsolete and vulnerable SSLv3. Attackers simply let TLS connections crash into the wall and cheered when the client dug out SSLv3.
Heartbleed was also an implementation error. It gave attackers the ability to read 64KB of the server's RAM – multiple times in succession – thus allowing certificate keys to fall into the wrong hands. Bruce Schneier said at the time that, on a scale of 1 to 10, this was a category 11 disaster [1].
Administrators can avoid all of this pain by keeping the TLS implementations on their servers up to date. But, what if you are forced to run applications that do not even support the latest TLS versions? True to the adage of "Never change a running system," many people stubbornly stick with Apache 2.2, or other services that are of value only to archaeologists.
Catcher on the Rocks
TLS Interposer is the answer for these notorious underminers of web security. It is activated by the LD_PRELOAD
mechanism and fields API calls to the OpenSSL library. Many distributions include it in their repositories, but you can also download from GitHub [2]. After unpacking, just type
make && sudo make install
Apart from the compiler itself, you need the OpenSSL development package. This typically goes by the name libssl-dev
or something of that ilk. Once the compiler has completed its work, you should have a file named libtlsinterposer.so
.
Everything else is simple. Just make sure the service sees the LD_PRELOAD
environmental variable with the path to the libtlsinterposer.so
you just compiled. For Apache 2.2, for example, you would open /etc/apache/envvars
and add
export LD_PRELOAD=/usr/local/\ tlsinterposer/libtlsinterposer.so
After restarting the HTTP daemon, the venerable Apache then communicates with the latest TLS. You might also want to test the setup with SSLScan [3] or one of the many online services that offer a similar scan, such as the Qualys SSL Server Test [4].
Charly Kühnast
Charly Kühnast is a Unix operating system administrator at the Data Center in Moers, Germany. His tasks include firewall and DMZ security and availability. He divides his leisure time into hot, wet, and eastern sectors, where he enjoys cooking, freshwater aquariums, and learning Japanese, respectively.
Infos
- Schneier on Security: https://www.schneier.com/blog/archives/2014/04/heartbleed.html
- TLS Interposer: https://github.com/Netfuture/tlsinterposer
- SSLScan: http://sourceforge.net/projects/sslscan/
- Qualys SSL Server Test: https://www.ssllabs.com/ssltest/
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Thousands of Linux Servers Infected with Stealth Malware Since 2021
Perfctl is capable of remaining undetected, which makes it dangerous and hard to mitigate.
-
Halcyon Creates Anti-Ransomware Protection for Linux
As more Linux systems are targeted by ransomware, Halcyon is stepping up its protection.
-
Valve and Arch Linux Announce Collaboration
Valve and Arch have come together for two projects that will have a serious impact on the Linux distribution.
-
Hacker Successfully Runs Linux on a CPU from the Early ‘70s
From the office of "Look what I can do," Dmitry Grinberg was able to get Linux running on a processor that was created in 1971.
-
OSI and LPI Form Strategic Alliance
With a goal of strengthening Linux and open source communities, this new alliance aims to nurture the growth of more highly skilled professionals.
-
Fedora 41 Beta Available with Some Interesting Additions
If you're a Fedora fan, you'll be excited to hear the beta version of the latest release is now available for testing and includes plenty of updates.
-
AlmaLinux Unveils New Hardware Certification Process
The AlmaLinux Hardware Certification Program run by the Certification Special Interest Group (SIG) aims to ensure seamless compatibility between AlmaLinux and a wide range of hardware configurations.
-
Wind River Introduces eLxr Pro Linux Solution
eLxr Pro offers an end-to-end Linux solution backed by expert commercial support.
-
Juno Tab 3 Launches with Ubuntu 24.04
Anyone looking for a full-blown Linux tablet need look no further. Juno has released the Tab 3.
-
New KDE Slimbook Plasma Available for Preorder
Powered by an AMD Ryzen CPU, the latest KDE Slimbook laptop is powerful enough for local AI tasks.