Saturday, April 12, 2014

Where did that .pod end up? (sysdig)


So I RTFM yesterday and, not having any OpenSSL muscle memory, spelled it STACKOF in my program just like in the man page. Fail.

The .pod file was easy enough to fix, but does it format properly? What happens to it and where does it go?

$ sudo sysdig evt.type=open and fd.name contains cert_chain
(wait for command in other terminal)
2901943 13:35:42.114428066 7 sh (24543) < open fd=3(/home/trawick/git/work-on-openssl-master/doc/ssl/SSL_get_peer_cert_chain.pod) name=doc/ssl/SSL_get_peer_cert_chain.pod(/home/trawick/git/work-on-openssl-master/doc/ssl/SSL_get_peer_cert_chain.pod) flags=1(O_RDONLY) mode=0 
2902384 13:35:42.117743930 7 sh (24544) < open fd=3(/home/trawick/inst/omaster/ssl/man/man3/SSL_get_peer_cert_chain.3) name=/home/trawick/inst/omaster/ssl/man/man3/SSL_get_peer_cert_chain.3 flags=262(O_TRUNC|O_CREAT|O_WRONLY) mode=0 
2906809 13:35:42.172268013 5 perl (24547) < open fd=4(/home/trawick/git/work-on-openssl-master/doc/ssl/SSL_get_peer_cert_chain.pod) name=SSL_get_peer_cert_chain.pod(/home/trawick/git/work-on-openssl-master/doc/ssl/SSL_get_peer_cert_chain.pod) flags=1(O_RDONLY) mode=0 
2907040 13:35:42.176303490 7 sh (24548) < open fd=3(/home/trawick/git/work-on-openssl-master/doc/ssl/SSL_get_peer_cert_chain.pod) name=doc/ssl/SSL_get_peer_cert_chain.pod(/home/trawick/git/work-on-openssl-master/doc/ssl/SSL_get_peer_cert_chain.pod) flags=1(O_RDONLY) mode=0
$ make install_docs
...

That's more satisfying than strace since I don't have to run make install_docs under strace and decide how to separate their outputs. Now to use sysdig as often as possible for a while so I can get used to it...
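A small parser for the sysdig lines captured above, added here as an example (it is not part of the original post and not sysdig's own code). It answers the same "where did the file go?" question offline: it reads sysdig's default `open` exit-event format, separates opens for writing (the installed man page) from reads (the source .pod) and flags failed opens, which sysdig reports as a negative fd carrying the errno name. The sample events are constructed from the post's output with shortened paths, plus one invented ENOENT line to exercise the failure path.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in sysdig's default event format, modelled on the 'open'
# exit events in the post (paths shortened; a failed open added to show how
# sysdig reports errors: a negative fd whose value is the errno name).
SAMPLE_EVENTS = """\
2901943 13:35:42.114428066 7 sh (24543) < open fd=3(/src/doc/ssl/SSL_get_peer_cert_chain.pod) name=doc/ssl/SSL_get_peer_cert_chain.pod(/src/doc/ssl/SSL_get_peer_cert_chain.pod) flags=1(O_RDONLY) mode=0
2902384 13:35:42.117743930 7 sh (24544) < open fd=3(/inst/ssl/man/man3/SSL_get_peer_cert_chain.3) name=/inst/ssl/man/man3/SSL_get_peer_cert_chain.3 flags=262(O_TRUNC|O_CREAT|O_WRONLY) mode=0
2906809 13:35:42.172268013 5 perl (24547) < open fd=4(/src/doc/ssl/SSL_get_peer_cert_chain.pod) name=SSL_get_peer_cert_chain.pod(/src/doc/ssl/SSL_get_peer_cert_chain.pod) flags=1(O_RDONLY) mode=0
2906900 13:35:42.180000000 5 perl (24547) < open fd=-2(ENOENT) name=old_cert_chain.pod flags=1(O_RDONLY) mode=0
"""

# Header layout: event number, timestamp, cpu, process name, (pid),
# direction ('>' enter, '<' exit), event type, then the event arguments.
LINE_RE = re.compile(
    r"^(?P<evt>\d+) (?P<time>\S+) (?P<cpu>\d+) (?P<proc>\S+) \((?P<pid>\d+)\) "
    r"(?P<dir>[<>]) (?P<type>\w+)(?: (?P<args>.*))?$"
)
FD_RE = re.compile(r"fd=(?P<num>-?\d+)\((?P<val>[^)]*)\)")
FLAGS_RE = re.compile(r"flags=\d+\((?P<names>[^)]*)\)")
WRITE_FLAGS = {"O_WRONLY", "O_RDWR"}


@dataclass
class OpenEvent:
    evt: int
    proc: str
    pid: int
    fd: int
    path: Optional[str]      # resolved path on success
    error: Optional[str]     # errno name when the open failed (fd < 0)
    flags: List[str] = field(default_factory=list)

    @property
    def is_write(self) -> bool:
        return self.fd >= 0 and bool(WRITE_FLAGS & set(self.flags))


def parse_open_event(line: str) -> Optional[OpenEvent]:
    """Parse one sysdig line; only 'open' exit events ('<') carry the fd."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("type") != "open" or m.group("dir") != "<":
        return None
    args = m.group("args") or ""
    fd_m = FD_RE.search(args)
    fl_m = FLAGS_RE.search(args)
    if not fd_m or not fl_m:
        return None
    fd = int(fd_m.group("num"))
    return OpenEvent(
        evt=int(m.group("evt")),
        proc=m.group("proc"),
        pid=int(m.group("pid")),
        fd=fd,
        path=fd_m.group("val") if fd >= 0 else None,
        error=fd_m.group("val") if fd < 0 else None,
        flags=fl_m.group("names").split("|"),
    )


def parse_open_events(text: str) -> List[OpenEvent]:
    return [e for e in (parse_open_event(ln) for ln in text.splitlines()) if e]


def written_paths(events: List[OpenEvent]) -> List[str]:
    """'Where did it end up?': paths opened for writing, in event order."""
    return [e.path for e in events if e.is_write]


def failed_opens(events: List[OpenEvent]) -> List[OpenEvent]:
    return [e for e in events if e.fd < 0]


if __name__ == "__main__":
    # Equivalent live capture: sudo sysdig evt.type=open and fd.name contains cert_chain
    for e in parse_open_events(SAMPLE_EVENTS):
        if e.fd < 0:
            what = f"failed: {e.error}"
        else:
            what = f"{'wrote' if e.is_write else 'read'} {e.path}"
        print(f"{e.proc}({e.pid}) {what}")
```

Feeding it a real capture is a matter of `sudo sysdig evt.type=open and fd.name contains cert_chain > opens.log` and then `parse_open_events(open("opens.log").read())`; only exit events are kept because the enter event does not yet know the fd.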

Friday, April 11, 2014

My httpd-related slides from ApacheCon NA 2014, earlier this week


http://emptyhammock.com/projects/info/slides.html

Apache HTTP Server and CVE-2014-0160, the so-called Heartbleed Bug


SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL 1.0.1 through 1.0.1f are vulnerable to CVE-2014-0160, the so-called Heartbleed Bug. (OpenSSL versions earlier than 1.0.1, such as 0.9.8 and 1.0.0, are not affected.)

No Apache HTTP Server fix is needed to resolve this; no Apache HTTP Server configuration change besides disabling SSL/TLS completely can resolve this. (SSLv2 and SSLv3 are not vulnerable to CVE-2014-0160, but limiting the configuration to one or both of those protocols is not recommended because of other security concerns.) Instead, a patch to OpenSSL, a rebuild of OpenSSL with the TLS Heartbeat extension disabled, or an upgrade of OpenSSL to 1.0.1g or later is required.

In some cases OpenSSL may be statically linked with mod_ssl; when it is, updating the OpenSSL shared libraries is not enough, and httpd and mod_ssl must be rebuilt with the updated OpenSSL. Note: the build of mod_spdy may rebuild mod_ssl in this manner.

If you build OpenSSL yourself, refer to the OpenSSL project for further information, including the advisory at http://www.openssl.org/news/secadv_20140407.txt.

Checking for mod_ssl statically linked with OpenSSL

Linux

$ nm /path/to/httpd/modules/mod_ssl.so | grep X509_STORE_CTX_free
                 U X509_STORE_CTX_free...

The U in the output marks an undefined symbol, one that is resolved at load time from a shared library, which means that the relevant OpenSSL library is not statically linked with mod_ssl. A T (or t) next to the symbol instead means the function is defined inside mod_ssl.so itself, i.e. OpenSSL is statically linked.

Other platforms

Similar checks for symbols work elsewhere. ldd is another way on many Unix-like platforms to determine where mod_ssl finds OpenSSL. Dependency Walker (depends.exe) can be used on Windows to see if mod_ssl.so relies on the OpenSSL DLLs.
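The two checks this advisory describes, the affected version range and the static-linking test via nm, are combined below in a script added as an example (not part of the advisory, nor Apache or OpenSSL project code). It parses an `openssl version` banner, classifies the binding of an OpenSSL symbol in `nm mod_ssl.so` output, and maps the result onto the remediation the advisory prescribes (patch or upgrade the shared library versus rebuild httpd and mod_ssl). The nm output samples are constructed; the version banners are in the format `openssl version` prints.

```python
import re
from typing import Tuple

# Range stated in the advisory: 1.0.1 through 1.0.1f affected, 1.0.1g or
# later fixed, anything earlier than 1.0.1 not affected.
AFFECTED_FIRST = (1, 0, 1, "")
AFFECTED_LAST = (1, 0, 1, "f")

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# nm symbol types for references that are resolved elsewhere at load time
# (U undefined, w/v weak undefined).
UNDEFINED_TYPES = {"U", "w", "v"}

# Constructed nm output for the two cases the advisory distinguishes.
NM_DYNAMIC = "                 U X509_STORE_CTX_free\n                 U X509_free\n"
NM_STATIC = "000000000007b2c0 T X509_STORE_CTX_free\n"


def parse_openssl_version(banner: str) -> Tuple[int, int, int, str]:
    """Turn 'OpenSSL 1.0.1e 11 Feb 2013' (output of `openssl version`) into a
    tuple that compares in release order; the letter suffix sorts after the
    bare release ('' < 'a' < ... < 'f' < 'g')."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def heartbleed_verdict(banner: str) -> str:
    """'not affected', 'affected' or 'fixed' per the advisory's version range.
    Caveat: vendors that backport the fix often keep the old version string
    (a patched 1.0.1e still reports 1.0.1e), so for binary distributions
    'affected' means 'ask the supplier', as the advisory says."""
    v = parse_openssl_version(banner)
    if v < AFFECTED_FIRST:
        return "not affected"
    if v <= AFFECTED_LAST:
        return "affected"
    return "fixed"


def classify_nm_output(nm_output: str, symbol: str = "X509_STORE_CTX_free") -> str:
    """Read `nm mod_ssl.so` output and report how an OpenSSL symbol is bound:
    'dynamic' - undefined (U), resolved from libssl/libcrypto at load time,
    'static'  - defined inside mod_ssl.so itself, i.e. OpenSSL linked in,
    'absent'  - the symbol is not referenced at all (stripped or no OpenSSL)."""
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        name = parts[-1].split("@")[0]   # drop any @@VERSION suffix
        if name != symbol:
            continue
        return "dynamic" if parts[-2] in UNDEFINED_TYPES else "static"
    return "absent"


def remediation(banner: str, nm_output: str) -> str:
    """Combine both checks into the action the advisory prescribes."""
    verdict = heartbleed_verdict(banner)
    if verdict != "affected":
        return f"OpenSSL {verdict}; no action required by this advisory"
    linkage = classify_nm_output(nm_output)
    if linkage == "static":
        return "affected: rebuild httpd and mod_ssl against OpenSSL 1.0.1g or later"
    if linkage == "dynamic":
        return "affected: upgrade or patch the OpenSSL shared library, then restart httpd"
    return "affected: linkage unknown; check with ldd or consult the vendor"


if __name__ == "__main__":
    # On a live system: remediation(subprocess output of `openssl version`,
    #                               subprocess output of `nm modules/mod_ssl.so`)
    print(remediation("OpenSSL 1.0.1e 11 Feb 2013", NM_DYNAMIC))
    print(remediation("OpenSSL 1.0.1e 11 Feb 2013", NM_STATIC))
```

The version check only tells you what the page tells you; the nm check decides which of the two remediations applies, and the "absent" case is where ldd or the vendor list in the next section takes over.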

When to consult with vendors or other third parties

Contact a third-party supplier in the following situations to determine the applicability of CVE-2014-0160 to your server:

  • You obtain OpenSSL in binary form with or without Apache HTTP Server
  • You are using a commercial product based on Apache HTTP Server
  • You are otherwise using mod_ssl or a replacement for it from a third party
  • Build or installation of a third-party feature (e.g., mod_spdy) rebuilds mod_ssl

Revisions

2014-04-11
Correct the affected versions: 1.0.1 (without the a) is the earliest affected version. Mention explicitly that older versions are not affected. Suggested by Rainer Jung.

Wednesday, January 22, 2014

Sorry, the application python2.7 has stopped unexpectedly.

If you notice further problems, try restarting the computer.

Title: python2.7 crashed with Exception in __init__(): invalid httpd install dir

Horse poop! Why the heck are you generating a crash report for this? Some Python code I wrote used an exception to report a setup problem.

Saturday, August 10, 2013

Incredibly cheap TN-350 replacement


The cheapest replacement is the one you already have, if you haven't used the masking tape trick yet:

Luckily this hint is easy to find in the TN-350 entry on Amazon, as the original product review referred to in the blog article is the first listed.