
Fix the OpenSSL Logjam issue on UNIX systems

Logjam is the name of an attack on TLS connections that use Diffie-Hellman cipher suites (see the article “Logjam, FREAK and Upcoming Changes in OpenSSL” for the details).

I was asked to write a script that runs on Linux, HP-UX and SunOS, detects the vulnerable setting and fixes it on the spot. It became a simple, straightforward Korn shell script, which, as you probably know, is very portable across UNIX flavours (feedback or pull requests are always welcome).

The script has a basic help functionality:

#-> /home/gdhaese1/bin/fix-TLS-Logjam-vulnerability.sh -h
    Usage: fix-TLS-Logjam-vulnerability.sh [-m <mail1,mail2>] [-hv]
            -m: The mail recipients seperated by comma.
            -h: This help message.
            -v: Revision number of this script.

If you run the script on Linux and the ksh executable (/usr/bin/ksh) is missing, you are faced with the following error message:

#-> /home/gdhaese1/bin/fix-TLS-Logjam-vulnerability.sh
-bash: /home/gdhaese1/bin/fix-TLS-Logjam-vulnerability.sh: /usr/bin/ksh: bad interpreter: Too many levels of symbolic links

However, you can easily run it with the bash shell instead, as you can see below:

#-> bash /home/gdhaese1/bin/fix-TLS-Logjam-vulnerability.sh
-----------------------------------------------------------------------------------------------
                   Script: fix-TLS-Logjam-vulnerability.sh
       Executing User: root
     Mail Destination:
                 Date: Fri Sep 11 08:32:04 EDT 2015
                  Log: /var/tmp/fix-TLS-Logjam-vulnerability.log
-----------------------------------------------------------------------------------------------

  -> Collect all httpd related configuration files...
  -> Search http configuration files containing SSLCipherSuite keyword

  -> Search for +EXP vulnerability with TLS
  -> None of the httpd related configuration files are vulnerable.

Here you can see the script in action, fixing some httpd configuration files:

#-> /home/gdhaese1/bin/fix-TLS-Logjam-vulnerability.sh
-----------------------------------------------------------------------------------------------
               Script: fix-TLS-Logjam-vulnerability.sh
       Executing User: root
     Mail Destination:
                 Date: Fri Sep 11 08:39:41 EDT 2015
                  Log: /var/tmp/fix-TLS-Logjam-vulnerability.log
-----------------------------------------------------------------------------------------------

  -> Collect all httpd related configuration files...
  -> Search http configuration files containing SSLCipherSuite keyword

  -> Search for +EXP vulnerability with TLS
  -> Configuration file /opt/hp/hpsmh/conf/extra/httpd-ssl.conf is vulnerable for OpenSSL Logjam
  -> Configuration file /opt/hp/hpsmh/conf/original/extra/httpd-ssl.conf is vulnerable for OpenSSL Logjam
  -> Configuration file /opt/NAI/LinuxShield/apache/conf/httpd.conf is "not" vulnerable for OpenSSL Logjam

  -> Make a backup copy of httpd configuration files
  -> Backup file /opt/hp/hpsmh/conf/extra/httpd-ssl.conf.2015-09-11 created
  -> Backup file /opt/hp/hpsmh/conf/original/extra/httpd-ssl.conf.2015-09-11 created
  -> Disable EXP in httpd configuration files
  -> Fix /opt/hp/hpsmh/conf/extra/httpd-ssl.conf
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  -> Fix /opt/hp/hpsmh/conf/original/extra/httpd-ssl.conf
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  -> Evidence of disabled EXP flag in /opt/hp/hpsmh/conf/extra/httpd-ssl.conf
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:!EXP:+eNULL

  -> Evidence of disabled EXP flag in /opt/hp/hpsmh/conf/original/extra/httpd-ssl.conf
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:!EXP:+eNULL

  -> Restarting httpd daemons...

Stopping hpsmhd:                                           [  OK  ]
Starting hpsmhd:                                           [  OK  ]
Stopping httpd:                                            [FAILED]
Starting httpd:                                            [  OK  ]
/opt/NAI/LinuxShield//apache/bin/apachectl restart: nailswebd not running, trying to start
no listening sockets available, shutting down
AH00015: Unable to open logs
/opt/NAI/LinuxShield//apache/bin/apachectl restart: nailswebd could not be started

-----------------------------------------------------------------------------------------------
Finished.
-----------------------------------------------------------------------------------------------
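The detect, back up and rewrite steps shown in the run above, as an added example that is not the post's script: portable sh functions (they run under ksh and bash as well) that find configuration files setting SSLCipherSuite, flag the ones still carrying +EXP, keep a dated backup and flip +EXP to !EXP. It assumes configuration files end in .conf; the sample file is constructed to mirror the HP SMH line above.

```shell
#!/bin/sh
# Added example, not the post's script: the Logjam fix shown above as portable
# sh functions (ksh/bash compatible, no GNU-only syntax). Assumptions: configs
# end in .conf; "vulnerable" means an SSLCipherSuite line still carrying +EXP.

# Print every *.conf file under the given directories that sets SSLCipherSuite.
collect_ssl_configs() {
    find "$@" -type f -name '*.conf' 2>/dev/null |
    while read -r f; do
        grep '^[[:space:]]*SSLCipherSuite' "$f" >/dev/null 2>&1 && printf '%s\n' "$f"
    done
}

# Exit 0 when an SSLCipherSuite line has +EXP as its own alias (before ':' or
# line end); !EXPORT56 and RC4+RSA do not match. ALL already includes EXP ciphers.
is_logjam_vulnerable() {
    grep -E '^[[:space:]]*SSLCipherSuite[[:space:]].*\+EXP(:|[[:space:]]*$)' "$1" >/dev/null 2>&1
}

# Keep a dated backup (<file>.YYYY-MM-DD, as in the post's output) and rewrite
# +EXP to !EXP on SSLCipherSuite lines only. BRE: '+' is literal, no GNU '\|'.
fix_ciphersuite() {
    file=$1
    backup="$file.$(date +%Y-%m-%d)"
    cp -p "$file" "$backup" || return 1
    sed -e '/^[[:space:]]*SSLCipherSuite/s/+EXP:/!EXP:/g' \
        -e '/^[[:space:]]*SSLCipherSuite/s/+EXP[[:space:]]*$/!EXP/' \
        "$backup" > "$file" || return 1
    printf '  -> Backup file %s created\n' "$backup"
}
ciphersuite_line() { grep '^[[:space:]]*SSLCipherSuite' "$1"; }

# Constructed sample mirroring the vulnerable HP SMH line from the post.
make_sample_conf() {
    cat > "$1" <<'EOF'
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
EOF
}

demo_dir=/tmp/logjam-demo.$$   # stand-alone run against a throwaway directory
mkdir -p "$demo_dir" && make_sample_conf "$demo_dir/httpd-ssl.conf"
for f in $(collect_ssl_configs "$demo_dir"); do
    if is_logjam_vulnerable "$f"; then
        printf '  -> Configuration file %s is vulnerable for OpenSSL Logjam\n' "$f"
        fix_ciphersuite "$f" && ciphersuite_line "$f"
    fi
done
rm -rf "$demo_dir"
```

Unlike +EXP, which only moves the export-grade ciphers that ALL already includes to the end of the list, !EXP removes them and they cannot be re-added later in the string.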

And below, the script finds no vulnerable httpd configuration files:

#-> /home/gdhaese1/bin/fix-TLS-Logjam-vulnerability.sh
-----------------------------------------------------------------------------------------------
               Script: fix-TLS-Logjam-vulnerability.sh
       Executing User: root
     Mail Destination:
                 Date: Fri Sep 11 08:47:16 EDT 2015
                  Log: /var/tmp/fix-TLS-Logjam-vulnerability.log
-----------------------------------------------------------------------------------------------

  -> Collect all httpd related configuration files...
  -> Search http configuration files containing SSLCipherSuite keyword

  -> Search for +EXP vulnerability with TLS
  -> Configuration file /opt/NAI/LinuxShield/apache/conf/httpd.conf is "not" vulnerable for OpenSSL Logjam
  -> Configuration file /opt/hp/hpsmh/conf/original/extra/httpd-ssl.conf is "not" vulnerable for OpenSSL Logjam
  -> Configuration file /opt/hp/hpsmh/conf/extra/httpd-ssl.conf is "not" vulnerable for OpenSSL Logjam

  -> Make a backup copy of httpd configuration files
  -> Disable EXP in httpd configuration files
  -> Restarting httpd daemons...

-----------------------------------------------------------------------------------------------
Finished.
-----------------------------------------------------------------------------------------------

We hope you find the script useful! Gratien
