PCI scan picking up various weak cipher suites

The PCI scans appear to be picking up some weak cipher suites on HTTPS, POP3S, IMAPS and SMTPS. This is easily fixed with the following configuration file examples:

Apache ssl.conf (or httpd.conf):

#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
#SSLCipherSuite ALL:-ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLProtocol -ALL +SSLv3 +TLSv1

If using Courier for IMAP and POP3, the imapd-ssl and pop3d-ssl files in /etc/courier-imap (or wherever the configuration files live) will need updating.

imapd-ssl:

TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"

pop3d-ssl:

TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"

And if using qmail for SMTP/SMTPS you may need to create the tlsserverciphers file in /var/qmail/control/. You can do this with:

openssl ciphers > /var/qmail/control/tlsserverciphers

Then remove the ciphers that the PCI scan is complaining about. In this case they were: EXP-RC2-CBC-MD5, EXP-RC4-MD5, EXP-EDH-RSA-DES-CBC-SHA, EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-RC4-MD5, EXP-EDH-RSA-DES-CBC-SHA, EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-RC4-MD5

Or, even better:

Directory: /etc/httpd/conf.d/
File: /etc/httpd/conf.d/zz050-psa-disable-weak-ssl-ciphers.conf
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLProtocol -ALL +SSLv3 +TLSv1 -SSLv2

Directory: /var/qmail/control/
[root@server control]# cat tlsserverciphers
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:!MEDIUM:-SSLv2
[root@server1 control]# cat tlsclientciphers
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:-SSLv2

Directory: /etc/courier-imap
[root@server courier-imap]# grep TLS_CIPHER_LIST= *-ssl
imapd-ssl:TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"
pop3d-ssl:TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"

I tested this by removing one of the above and trying to connect:

# openssl s_client -cipher EXP-RC4-MD5 -connect localhost:smtps
CONNECTED(00000003)
25857:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:489:

Then I put it back in the list, tried again, and could connect again. Manual connections can be made with: openssl s_client -ssl2 -connect host:port
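To see what the cipher strings above actually select, here is an added example (not from this post): a simplified model of OpenSSL's cipher-string rules (plain add, `+`, `-`, `!`, `RC4+RSA` intersections and `@STRENGTH`) run over a small constructed table of suites that includes the EXP ones the scan flagged. The table and its alias tags are assumptions, and real OpenSSL applies its own default ordering to ALL, so confirm a production string with `openssl ciphers -v '<string>'`.

```python
# Constructed table: suite name, encryption bits (for @STRENGTH), OpenSSL aliases it matches.
CIPHERS = [
    ("EXP-RC2-CBC-MD5",         40, {"EXP", "RSA", "RC2", "MD5", "SSLv2"}),
    ("EXP-RC4-MD5",             40, {"EXP", "RSA", "RC4", "MD5", "SSLv3"}),
    ("EXP-DES-CBC-SHA",         40, {"EXP", "RSA", "DES", "SHA", "SSLv3"}),
    ("EXP-EDH-RSA-DES-CBC-SHA", 40, {"EXP", "EDH", "RSA", "DES", "SHA", "SSLv3"}),
    ("DES-CBC-SHA",             56, {"LOW", "RSA", "DES", "SHA", "SSLv3"}),
    ("RC4-MD5",                128, {"MEDIUM", "RSA", "RC4", "MD5", "SSLv3"}),
    ("AES128-SHA",             128, {"HIGH", "RSA", "AES", "SHA", "TLSv1"}),
    ("ADH-AES256-SHA",         256, {"HIGH", "ADH", "aNULL", "AES", "SHA", "TLSv1"}),
    ("DHE-RSA-AES256-SHA",     256, {"HIGH", "EDH", "RSA", "AES", "SHA", "TLSv1"}),
    ("NULL-MD5",                 0, {"eNULL", "RSA", "MD5", "SSLv3"}),
]
ALIASES = {name: aliases for name, _, aliases in CIPHERS}
BITS = {name: bits for name, bits, _ in CIPHERS}

def matches(name, token):
    """'RC4+RSA' in one token is an intersection; ALL is everything except eNULL suites."""
    aliases = ALIASES[name]
    return all(p in aliases or (p == "ALL" and "eNULL" not in aliases)
               for p in token.split("+"))

def expand(spec):
    """Suite names an OpenSSL-style cipher string selects, in preference order."""
    active, killed = [], set()
    for token in filter(None, spec.split(":")):
        if token == "@STRENGTH":           # stable sort, strongest first
            active.sort(key=lambda n: -BITS[n])
            continue
        op, name = (token[0], token[1:]) if token[0] in "+-!" else ("", token)
        hit = [n for n in ALIASES if matches(n, name)]
        if op == "!":                      # kill: removed and never re-added
            killed.update(hit)
            active = [n for n in active if n not in hit]
        elif op == "-":                    # delete, but a later rule may re-add
            active = [n for n in active if n not in hit]
        elif op == "+":                    # move matching suites to the end
            active = [n for n in active if n not in hit] + [n for n in active if n in hit]
        else:                              # plain: append suites not yet present or killed
            active += [n for n in hit if n not in active and n not in killed]
    return active

def weak_survivors(spec, weak=("EXP", "LOW", "eNULL", "aNULL", "SSLv2")):
    """Enabled suites that still carry an alias a PCI scan would flag."""
    return [n for n in expand(spec) if ALIASES[n] & set(weak)]

if __name__ == "__main__":
    for spec in ("ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP", "ALL:-EXP:EXP"):
        print(spec, "->", expand(spec), "weak:", weak_survivors(spec))
```

Note the difference between `-EXP` and `!EXP`: the first only deletes until a later rule adds the suites back, the second removes them for good, which is why the Courier string above uses `!` throughout.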

Update 25/02/2010:

Additional URLs:

Linux Software RAID 1

I was in the situation where the primary disk (hda) had dropped out of the RAID arrays it was in due to seek errors, so I needed to replace the primary disk.

URLs:

  • http://www.royong.com/showthread.php?t=16
  • http://www.linuxselfhelp.com/gnu/grub/html_chapter/grub_3.html
  • http://www.linuxquestions.org/linux/answers/Applications_GUI_Multimedia/Set_up_Grub_by_hand

I needed to install the boot loader onto the secondary disk, as no doubt it hadn’t been set up.

Tried the grub-install command:

grub-install /dev/hdc

Thinking that this would do everything required, I rebooted and took the primary disk out. The machine started booting up and then kept printing “grub grub grub……” to the screen. Obviously not right, so I put the primary disk back in and rebooted.

This time I ran the following:

grub
grub>find /grub/stage1
grub>device (hd0) /dev/hdc
grub>root (hd0,0)
grub>setup (hd0)
grub>quit

Then I rebooted and removed the primary disk… this time it booted up fine so I added the new disk.

Partition the new disk. First list the partitions on the surviving disk:

fdisk -l /dev/hdc

And create the same partitions on the new disk:

sfdisk -d /dev/hdc | sfdisk /dev/hda

Or manually using fdisk.

Re-add the new disk’s partitions to the arrays using mdadm…

mdadm /dev/md0 -a /dev/hda1
etc…