The sys admin's daily grind: TLS Interposer

Rescuer at Hand

Article from Issue 179/2015

Many of the recent Linux exploits are the result of vulnerabilities in SSL libraries. TLS Interposer can help calm the waves.

The Poodle attack (Padding Oracle On Downgraded Legacy Encryption) relied on TLS implementations that did not answer a client's handshake offering a newer TLS version. The client then assumed that the server did not speak TLS at all and fell back to the totally obsolete and vulnerable SSLv3. Attackers simply let the TLS connection attempts crash into the wall and cheered when the client dug out SSLv3.

Heartbleed was also an implementation error. It gave attackers the ability to read 64KB of the server's RAM – multiple times in succession – thus allowing certificate keys to fall into the wrong hands. Bruce Schneier said at the time that, on a scale of 1 to 10, this was a category 11 disaster [1].

Administrators can avoid all of this pain by keeping the TLS implementations on their servers up to date. But what if you are forced to run applications that do not even support the latest TLS versions? True to the adage of "Never change a running system," many people stubbornly stick with Apache 2.2, or other services that are of value only to archaeologists.

Catcher on the Rocks

TLS Interposer is the answer for these notorious underminers of web security. It is activated by the LD_PRELOAD mechanism and intercepts the application's API calls to the OpenSSL library. Many distributions include it in their repositories, but you can also download it from GitHub [2]. After unpacking, just type

make && sudo make install

Apart from the compiler itself, you need the OpenSSL development package. This typically goes by the name libssl-dev or something of that ilk. Once the compiler has completed its work, you should have a file named

Everything else is simple. Just make sure the service sees the LD_PRELOAD environment variable with the path to the you just compiled. For Apache 2.2, for example, you would open /etc/apache/envvars and add

export LD_PRELOAD=/usr/local/\

After restarting the HTTP daemon, the venerable Apache communicates using the latest TLS versions. You might also want to test the setup with SSLScan [3] or one of the many online services that offer a similar scan, such as the Qualys SSL Server Test [4].
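If you prefer to check the result from the command line rather than with a scanner, here is an added example (my own script, not code from the column or from the TLS Interposer project) that offers the server one protocol version at a time with openssl s_client and reports what it accepts; HOST and PORT are placeholders for your own server.

```shell
#!/bin/sh
# Added example, not code from the column or from TLS Interposer: after
# enabling the interposer, confirm from outside which protocol versions the
# server still negotiates. HOST and PORT are placeholders for your own server.
HOST="${HOST:-www.example.com}"
PORT="${PORT:-443}"

# Read `openssl s_client` output on stdin and print the negotiated protocol
# (e.g. TLSv1.2), or "none" when no session was established. The
# "New, ..., Cipher is ..." line is the reliable success indicator: s_client
# prints a Protocol line in its session summary even after a failed handshake.
negotiated_protocol() {
    awk '
        /^New, .*Cipher is/ { ok = ($0 !~ /\(NONE\)/) }
        /^ *Protocol *:/    { proto = $NF }
        END { print (ok && proto != "" ? proto : "none") }'
}

# Offer the server exactly one version (-ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3).
# Prints "<flag> <result>": the negotiated protocol, "refused" when the
# handshake failed, or "unsupported-locally" when this OpenSSL build no longer
# offers that version at all (usual for -ssl3 on current distributions).
probe_version() {
    flag="$1"
    out=$(openssl s_client -connect "$HOST:$PORT" -servername "$HOST" "$flag" </dev/null 2>&1)
    case "$out" in
        *"nknown option"*) printf '%s unsupported-locally\n' "$flag"; return 0 ;;
    esac
    proto=$(printf '%s\n' "$out" | negotiated_protocol)
    if [ "$proto" = "none" ]; then
        printf '%s refused\n' "$flag"
    else
        printf '%s %s\n' "$flag" "$proto"
    fi
}

# A server that is safe against the POODLE downgrade refuses -ssl3 (or cannot
# even be asked for it) and accepts -tls1_2 or newer.
scan_versions() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        probe_version "$flag"
    done
}

# Usage: HOST=www.example.com sh tls_versions.sh scan
if [ "${1:-}" = "scan" ]; then scan_versions; fi
```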

Charly Kühnast

Charly Kühnast is a Unix operating system administrator at the Data Center in Moers, Germany. His tasks include firewall and DMZ security and availability. He divides his leisure time into hot, wet, and eastern sectors, where he enjoys cooking, freshwater aquariums, and learning Japanese, respectively.

