
2016-10-17 22:22:03

More packages recompiled against OpenSSL 1

The tuxad repo has received some updates. Besides an updated openssl package, there are other updated packages and also more RHEL packages recompiled against OpenSSL 1.0.1:

  • curl
  • dovecot
  • httpd
  • lynx
  • mutt
  • vsftpd
  • w3m
  • wget

Posted by Frank W. Bergmann | Permanent link | File under: rpm, yum, repository, redhat, openssl, http, apache

2016-05-28 18:51:17

RHEL 5 RPM packages with SSL enhancements

Some RPM packages of the tuxad repo got SSL improvements (compiled against the openssl1 package). Most changes were made in the Apache package:

httpd-2.2.3-91.1.el5_11.rpm

  • recompiled against openssl1 package (ported from RHEL 6)
  • requires openldap-openssl1
  • uses bigger DH params
  • some basic secure options for SSL_CTX_set_options() hardcoded
  • basic ECDH support
  • improved default SSLCipherSuite in ssl.conf
  • configurable DH params via the SSLDhParamsFile config option
  • weekly cronjob for updating dh2048.pem

postfix-2.3.3-7.tls1.el5_11

  • bigger DH params
  • disable TLS compression and enable cipher server preference
  • basic ECDH support

dovecot-1.0.7-9.4.log.dh2

In March, dovecot got basic ECDH support and support for refreshable and bigger DH params. The latest change disables TLS compression and enables cipher server preference.

New packages

New packages are ucspi-ssl (with the same SSL improvements as the other packages) and a tiny script, ssltest.sh, for getting the cipher list and DH params of a server.


Posted by Frank W. Bergmann | Permanent link | File under: ssl, encryption, rpm, yum, repository, redhat, openssl, http, apache, smtp

2016-03-06 21:07:05

Enhanced encryption for dovecot on RHEL/CentOS 5

Red Hat's dovecot RPM package is the old version 1.0.7, which lacks modern cryptography and, on RHEL 5, has the additional disadvantage of being linked against OpenSSL 0.98.

The tuxad repo for RHEL 5 / CentOS 5 contains a patched version of Red Hat's dovecot:

  • linked against tuxad repo's openssl1 package
  • DH params increased to 2048 bits
  • enabled EC cryptography
  • refreshable /etc/dovecot.dh_params file

If you use an ssl_cipher_list like, for example,

[frankb@treferpol tuxad]$ grep ^ssl_cipher_list \
  /etc/dovecot.conf

ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256: \
  ECDHE-ECDSA-AES256-GCM-SHA384: \
  ECDHE-RSA-AES128-GCM-SHA256: \
  ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256: \
  DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256: \
  ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256: \
  ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256: \
  DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA: \
  ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA: \
  ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA: \
  DHE-RSA-AES256-SHA:ALL:!aNULL:!ADH:!3DES:!EXP:!RC4: \
  !kRSA:!kKRB5:!aDSS:!DES:!aPSK:!kECDH

then ssltest.sh (Download) will give you these results:

$ SSLCipherSuite=ALL ssltest.sh 127.0.0.1 993 
Testing: 81.89.239.233 993 ALL
Testing protocols:
SSLv2: NO
SSLv3: NO
TLSv1: YES
TLSv1.1: YES
TLSv1.2: YES
Testing ciphers using protocol TLSv1.2
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc= \
  AESGCM(256) Mac=AEAD TempKey: ECDH, secp521r1, 521 bits
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc= \
  AES(256) Mac=SHA384 TempKey: ECDH, secp521r1, 521 bits
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) \
  Mac=SHA1 TempKey: ECDH, secp521r1, 521 bits
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc= \
  AESGCM(256) Mac=AEAD TempKey: DH, 2048 bits
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) \
  Mac=SHA256 TempKey: DH, 2048 bits
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) \
  Mac=SHA1 TempKey: DH, 2048 bits
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA \
  Enc=Camellia(256) Mac=SHA1 TempKey: DH, 2048 bits
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc= \
  AESGCM(128) Mac=AEAD TempKey: ECDH, secp521r1, 521 bits
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc= \
  AES(128) Mac=SHA256 TempKey: ECDH, secp521r1, 521 bits
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) \
  Mac=SHA1 TempKey: ECDH, secp521r1, 521 bits
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc= \
  AESGCM(128) Mac=AEAD TempKey: DH, 2048 bits
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) \
  Mac=SHA256 TempKey: DH, 2048 bits
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) \
  Mac=SHA1 TempKey: DH, 2048 bits
DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) \
  Mac=SHA1 TempKey: DH, 2048 bits
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA \
  Enc=Camellia(128) Mac=SHA1 TempKey: DH, 2048 bits
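To check ssltest.sh output against the goals listed in the May entry above (no SSLv2/SSLv3, only (EC)DH key exchange, DH params of at least 2048 bits), here is an added Python example that is not part of the blog or of ssltest.sh. The sample output is constructed in the format shown above, with the weak entries (SSLv3 on, 1024-bit DH, an RSA key exchange) made up for the demo.

```python
import re

# Constructed sample in the format ssltest.sh prints, wrapped with trailing backslashes as above
SAMPLE = r"""SSLv2: NO
SSLv3: YES
TLSv1.2: YES
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc= \
  AESGCM(256) Mac=AEAD TempKey: ECDH, secp521r1, 521 bits
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) \
  Mac=SHA1 TempKey: DH, 1024 bits
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"""

PROTO_RE = re.compile(r"^(SSLv2|SSLv3|TLSv1(?:\.\d)?):\s+(YES|NO)$")
CIPHER_RE = re.compile(
    r"^(?P<name>[A-Z0-9-]+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=\s*(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?:\s+TempKey:\s*(?P<tmp>.*))?$")

def parse(output):
    text = re.sub(r"\s*\\\n\s*", " ", output)  # undo the trailing-backslash line wraps
    protocols, ciphers = {}, []  # {"SSLv3": True, ...}, one dict per cipher line
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            protocols[m.group(1)] = m.group(2) == "YES"
            continue
        m = CIPHER_RE.match(line)
        if m:
            ciphers.append(m.groupdict())
    return protocols, ciphers

def temp_key_bits(tmp):
    # "DH, 2048 bits" or "ECDH, secp521r1, 521 bits" -> (kind, bits); (None, 0) if absent
    if not tmp:
        return None, 0
    parts = [p.strip() for p in tmp.split(",")]
    return parts[0], int(parts[-1].split()[0])

def audit(output, min_dh_bits=2048):
    # Flag anything short of: no SSLv2/SSLv3, (EC)DH key exchange only, DH >= min_dh_bits
    protocols, ciphers = parse(output)
    findings = [f"{p} enabled" for p in ("SSLv2", "SSLv3") if protocols.get(p)]
    for c in ciphers:
        kind, bits = temp_key_bits(c["tmp"])
        if c["kx"] not in ("DH", "ECDH"):
            findings.append(f"{c['name']}: no forward secrecy (Kx={c['kx']})")
        elif kind == "DH" and bits < min_dh_bits:
            findings.append(f"{c['name']}: DH params only {bits} bits")
    return findings
```

Running `audit()` on the real output above yields no findings, since every cipher there uses DH with 2048 bits or ECDH and both SSLv2 and SSLv3 are off.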

Because dovecot and other daemons are excluded by default in the tuxad repo (so that these packages come from Red Hat by default), you must use this command to install the tuxad dovecot:

yum install --disableexcludes=all \
  --disablerepo=* --enablerepo=tuxad dovecot

Posted by Frank W. Bergmann | Permanent link | File under: ssl, encryption, rpm, yum, repository, redhat, openssl

2016-03-03 18:48:03

DROWN attack: updated openssl1 packages available

DROWN is a serious vulnerability that affects many servers using SSL.

Red Hat provided an update of their OpenSSL 1 RPM package for RHEL 6. The tuxad repo, which contains a port of this RHEL 6 package for the older RHEL 5 / CentOS 5, also has an updated release of the package.


Posted by Frank W. Bergmann | Permanent link | File under: ssl, encryption, rpm, yum, repository, redhat, openssl

2015-04-26 21:00:13

tuxad yum package repository for RHEL / CentOS 5 x86_64

About

The tuxad repository contains some special packages and some "updates" for RHEL / CentOS 5.

News

The tuxad repository is now also available for x86_64 architecture.

The optional openssl1 package which provides modern ciphers and protocols for RHEL 5 was updated (based on the latest RHEL 6 package).

The openssl1-devel package got some modifications to fix bugs when compiling some packages that use openssl; this improves compatibility with 0.98.

The list of packages available for x86_64, including some RHEL server packages such as Apache or postfix recompiled against openssl1:

$ yum --disablerepo="*" --enablerepo="tuxad" \
      --disableexcludes=all list available
ash.x86_64                   0.3.8-20                  tuxad
cdb.x86_64                   0.75-5                    tuxad
curl.x86_64                  7.15.5-17.el5_11          tuxad
curl-devel.x86_64            7.15.5-17.el5_11          tuxad
daemontools.x86_64           0.76-15                   tuxad
djbdns.x86_64                1.05-26                   tuxad
dovecot.x86_64               1.0.7-9.el5_11.4.log      tuxad
enchant.x86_64               1:1.6.0-1                 tuxad
enchant-aspell.x86_64        1:1.6.0-1                 tuxad
enchant-devel.x86_64         1:1.6.0-1                 tuxad
enchant-voikko.x86_64        1:1.6.0-1                 tuxad
fuse-sshfs.x86_64            2.4-2                     tuxad
glib216.x86_64               2.16.6-5                  tuxad
glib216-devel.x86_64         2.16.6-5                  tuxad
heirloom-sh.x86_64           20090118-1                tuxad
hunspell.x86_64              1.2.8-15                  tuxad
hunspell-devel.x86_64        1.2.8-15                  tuxad
libmalaga.x86_64             7.12-6                    tuxad
libvoikko.noarch             2.2.2-1                   tuxad
libvoikko-devel.noarch       2.2.2-1                   tuxad
loudmouth.x86_64             20150208-1                tuxad
loudmouth-devel.x86_64       20150208-1                tuxad
malaga.x86_64                7.12-6                    tuxad
malaga-devel.x86_64          7.12-6                    tuxad
malaga-suomi-voikko.x86_64   1.4-0.3.rc3               tuxad
mcabber.x86_64               0.10.3-2                  tuxad
mcabber-devel.x86_64         0.10.3-2                  tuxad
mu-conference.x86_64         0.8-8.fwb                 tuxad
ngtx.x86_64                  20140811-1                tuxad
ngtx-monitoringfs.x86_64     20140811-1                tuxad
openssl1.x86_64              1.0.1e-30.rh5.8           tuxad
openssl1-devel.x86_64        1.0.1e-30.rh5.8           tuxad
openssl1-static.x86_64       1.0.1e-30.rh5.8           tuxad
python-libvoikko.noarch      2.2.2-1                   tuxad
rman.x86_64                  3.2-8                     tuxad
shish.x86_64                 0.7pre3-1                 tuxad
tuxad-release.noarch         5-2                       tuxad
ucspi-tcp.x86_64             0.88-27                   tuxad
voikko-tools.noarch          2.2.2-1                   tuxad
vsftpd.x86_64                2.0.5-28.el5_11           tuxad
wget.x86_64                  1.11.4-3.el5_11.2         tuxad

For security reasons, some server software has been explicitly excluded in the repo file: dovecot, httpd, postfix, vsftpd. If you actually want to use these openssl1-enabled packages, you must remove the exclude(s) or use --disableexcludes on the command line.

Install / use the custom RHEL 5 repository

Install the repository configuration and GPG key:

rpm -i http://www.tuxad.de/repo/5/tuxad.rpm

Once you have done this, you can install, for example, openssl1 with

yum install openssl1

The GPG key file RPM-GPG-KEY-TUXAD-A95F6F37 will be placed in /etc/pki/rpm-gpg/ and will be imported automatically on your first "yum install" from this repo.


Posted by Frank W. Bergmann | Permanent link | File under: ssl, encryption, rpm, yum, repository, redhat, openssl