OpenSSL Security Fix

Oops, Debian accidentally introduced an error into the openssl library, best described here. Thus, you're very much at risk if you've installed the openssh server.

Testing your current keys

The good folks at Debian have a tool to help you identify weak keys:

http://wiki.debian.org/SSLkeys

Testing your keys is done with the dowkd.pl program as shown in examples later.

Installing new Packages

To save you the time, effort and pain, I've posted patched versions of libssl and openssh:

ftp://lispnyc.org/other-communities/asus-eee/libssl0.9.8_0.9.8c-4etch3_i386.deb
ftp://lispnyc.org/other-communities/asus-eee/openssl_0.9.8c-4etch3_i386.deb

Installing them is as easy as downloading, then:

sudo dpkg -i libssl0.9.8_0.9.8c-4etch3_i386.deb openssl_0.9.8c-4etch3_i386.deb

Securing your EEE

Once you've installed the newly patched packages, you now need to do several things:

  • Regenerate the host keys to your EEE
  • Regenerate your user keys on your EEE
  • Remove all weak keys from your EEE
  • Remove all weak keys from every host with passwordless ssh

Regenerate EEE Host Keys

rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server

Regenerate EEE User Keys

todo

Removing Weak Keys

todo
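As an added illustration of the "remove all weak keys" steps above (this is not part of the original page and is not Debian's dowkd.pl): a Python script that fingerprints each authorized_keys entry and drops those whose MD5 fingerprint appears in a blacklist. The keys and the blacklist below are constructed placeholders; a real blacklist would come from Debian's tooling.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")

def fingerprint(line):
    """MD5 fingerprint (aa:bb:...) of one authorized_keys line, or None if it
    is not a parseable ssh-rsa/ssh-dss entry. Options before the key type
    (from="...", no-pty, ...) are skipped; options containing whitespace
    inside quotes are not handled by this simple split."""
    fields = line.split()
    for i, field in enumerate(fields):
        if field in KEY_TYPES and i + 1 < len(fields):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:          # binascii.Error is a ValueError
                return None
            # The blob starts with a length-prefixed copy of the key type;
            # treat a mismatch as a malformed entry rather than a key.
            n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else -1
            if blob[4:4 + n] != field.encode():
                return None
            digest = hashlib.md5(blob).hexdigest()
            return ":".join(digest[j:j + 2] for j in range(0, 32, 2))
    return None

def filter_authorized_keys(text, weak_fingerprints):
    """Split an authorized_keys file into (kept, removed, unparsed) lines.
    Comments and blank lines are kept; a key is removed only when its
    fingerprint is blacklisted. Unparseable entries are kept (so a typo
    cannot silently lock you out) and reported separately for inspection."""
    kept, removed, unparsed = [], [], []
    for line in text.splitlines():
        body = line.strip()
        if not body or body.startswith("#"):
            kept.append(line)
            continue
        fp = fingerprint(body)
        if fp is None:
            unparsed.append(line)
            kept.append(line)
        elif fp in weak_fingerprints:
            removed.append(line)
        else:
            kept.append(line)
    return kept, removed, unparsed

def toy_key(key_type, payload):
    """Constructed public-key line: the wire format is real, the numbers are
    placeholders, so this is NOT a usable key."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + payload
    return key_type + " " + base64.b64encode(blob).decode()

WEAK_KEY = toy_key("ssh-rsa", b"\x00\x00\x00\x01\x03\x00\x00\x00\x02\x01\x8b")
GOOD_KEY = toy_key("ssh-rsa", b"\x00\x00\x00\x01\x03\x00\x00\x00\x02\x01\xad")
WEAK_FINGERPRINTS = {fingerprint(WEAK_KEY)}   # constructed blacklist
SAMPLE_AUTHORIZED_KEYS = "\n".join([           # constructed sample file
    "# keys for user hugh",
    WEAK_KEY + " hugh@eee",
    'from="192.0.2.10",no-pty ' + GOOD_KEY + " backup@host",
    "ssh-rsa not*valid*base64 broken@host",
])
```

Running `filter_authorized_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS)` on the sample removes only the blacklisted key and reports the malformed line for manual review.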

Building libssl and openssh Yourself

As discussed here…

http://forum.eeeuser.com/viewtopic.php?pid=380726#p380726

Install required packages:

apt-get install \
  html2text \
  intltool-debian \
  po-debconf \
  debhelper \
  fakeroot

Download and unzip the source (it's huge):

wget http://source.rfc822.org/pub/mirror/asus.com/pub/ASUS/EeePC/701/EeePC701_071012.zip.content/2007-10-12-build.zip.zip
unzip 2007-10-12-build.zip.zip
cd 2007-10-12-build.zip/pool/
tar -zxvf openssl_0.9.8c.orig.tar.gz
# cd openssl-0.9.8c

Edit openssl_0.9.8c-4.diff and swap two lines so that the MD_Update call sits outside the comment, re-enabling it. That part of the file should look like this:

+/*		
+ * Don't add uninitialised data.
+*/
              MD_Update(&m,buf,j);

Edit the debian/patch file so that zlib is disabled. Change the CONFARGS line to read as follows:

CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl no-idea no-mdc2 no-rc5 no-zlib

Patch and build:

patch -p0 <openssl_0.9.8c-4.diff
cd openssl-0.9.8c/
chmod +x debian/rules
fakeroot debian/rules binary

…the build takes a long time. When it's over, you should have the libssl and openssl debs in the directory above:

libssl0.9.8_0.9.8c-4etch3_i386.deb
openssl_0.9.8c-4etch3_i386.deb

howto/opensslescurityfix.txt · Last modified: 2008/09/15 18:32 by hugh