The sys admin's daily grind: TLS Interposer
Rescuer at Hand
Many of the recent Linux exploits are the result of vulnerabilities in SSL libraries. TLS Interposer can help calm the waves.
The Poodle attack (Padding Oracle On Downgraded Legacy Encryption) relied on TLS implementations that failed to respond to requests from clients with new TLS versions. They then assumed that the server did not speak TLS at all and switched to the totally obsolete and vulnerable SSLv3. Attackers simply let TLS connections crash into the wall and cheered when the client dug out SSLv3.
Heartbleed was also an implementation error. It gave attackers the ability to read 64KB of the server's RAM – multiple times in succession – thus allowing certificate keys to fall into the wrong hands. Bruce Schneier said at the time that, on a scale of 1 to 10, this was a category 11 disaster [1].
Administrators can avoid all of this pain by keeping the TLS implementations on their servers up to date. But, what if you are forced to run applications that do not even support the latest TLS versions? True to the adage of "Never change a running system," many people stubbornly stick with Apache 2.2, or other services that are of value only to archaeologists.
Catcher on the Rocks
TLS Interposer is the answer for these notorious underminers of web security. It is activated by the LD_PRELOAD
mechanism and fields API calls to the OpenSSL library. Many distributions include it in their repositories, but you can also download from GitHub [2]. After unpacking, just type
make && sudo make install
Apart from the compiler itself, you need the OpenSSL development package. This typically goes by the name libssl-dev
or something of that ilk. Once the compiler has completed its work, you should have a file named libtlsinterposer.so
.
Everything else is simple. Just make sure the service sees the LD_PRELOAD
environmental variable with the path to the libtlsinterposer.so
you just compiled. For Apache 2.2, for example, you would open /etc/apache/envvars
and add
export LD_PRELOAD=/usr/local/\ tlsinterposer/libtlsinterposer.so
After restarting the HTTP daemon, the venerable Apache then communicates with the latest TLS. You might also want to test the setup with SSLScan [3] or one of the many online services that offer a similar scan, such as the Qualys SSL Server Test [4].
Charly Kühnast
Charly Kühnast is a Unix operating system administrator at the Data Center in Moers, Germany. His tasks include firewall and DMZ security and availability. He divides his leisure time into hot, wet, and eastern sectors, where he enjoys cooking, freshwater aquariums, and learning Japanese, respectively.
Infos
- Schneier on Security: https://www.schneier.com/blog/archives/2014/04/heartbleed.html
- TLS Interposer: https://github.com/Netfuture/tlsinterposer
- SSLScan: http://sourceforge.net/projects/sslscan/
- Qualys SSL Server Test: https://www.ssllabs.com/ssltest/
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.
-
ZorinOS 17.1 Released, Includes Improved Windows App Support
If you need or desire to run Windows applications on Linux, there's one distribution intent on making that easier for you and its new release further improves that feature.
-
Linux Market Share Surpasses 4% for the First Time
Look out Windows and macOS, Linux is on the rise and has even topped ChromeOS to become the fourth most widely used OS around the globe.
-
KDE’s Plasma 6 Officially Available
KDE’s Plasma 6.0 "Megarelease" has happened, and it's brimming with new features, polish, and performance.
-
Latest Version of Tails Unleashed
Tails 6.0 is based on Debian 12 and includes GNOME 43.
-
KDE Announces New Slimbook V with Plenty of Power and KDE’s Plasma 6
If you're a fan of KDE Plasma, you'll be thrilled to hear they've announced a new Slimbook with an AMD CPU and the latest version of KDE Plasma desktop.
-
Monthly Sponsorship Includes Early Access to elementary OS 8
If you want to get a glimpse of what's in the pipeline for elementary OS 8, just set up a monthly sponsorship to help fund its continued existence.