SUSE Linux Enterprise Server 11

Security Module in SUSE Linux Enterprise 11

Build TLS 1.2 Compliant Infrastructures

For some time now, governmental agencies around the world, such as the United States National Institute of Standards and Technology (NIST) (NIST SP 800-52 Rev.1) and the German Bundesamt für Sicherheit in der Informationstechnik (BSI) (BSI TR-02102-2) have issued guidance to use Version 1.2 of the Transport Layer Security (TLS) cryptographic protocol as a minimum standard for encryption.

This is primarily important for HTTPS encryption of Web traffic, although other use cases, such as e-mail, are affected as well.

Allowing SUSE's customers to follow this guidance without affecting the stability and usability of their systems is challenging. In this paper we provide some background to illustrate those challenges and then show how they have been addressed.

Author: Mark Post, Software Engineer Consultant, SUSE
Publication Date: March 21, 2017

1 Background

As the name indicates, SUSE Linux Enterprise is intended for use by enterprises. One of the main attributes valued by enterprises in software is stability. SUSE achieves this in a number of ways, one of which is to not change versions of its software packages unless there is no other alternative. When SUSE Linux Enterprise 11 became generally available in 2009, OpenSSL 0.9.8 was the package included to provide encryption for the various other software that used it.

It was when the requirement for TLS 1.2 came along that a conflict arose between that need and the goal of maintaining the same software versions, and hence stability. OpenSSL version 0.9.8 simply did not provide an implementation of TLS 1.1 or 1.2 and never would provide it.

In order to provide TLS 1.2 with OpenSSL, SUSE would have to provide version 1.0 or higher. Such an update to a more recent OpenSSL version would have been nearly impossible, as OpenSSL is notoriously incompatible with itself when moving between versions. An OpenSSL version upgrade would trigger a rebuild of a significant number of other packages in SUSE Linux Enterprise 11. Subsequently this would require a high number of updates to be installed on all our customers' production systems. Worse, a version upgrade would break third party applications. This was considered unacceptable, so another approach was taken.

Fortunately, there are cryptographic libraries other than OpenSSL. Amongst those it was decided that Mozilla's Network Security Services (NSS) would be the best option:

  • The library is stable and proven to work, as it provides HTTPS support (including TLS) for the Firefox Web browser.

  • An Apache module already exists, which is derived from mod_ssl and thus easy to use for administrators used to mod_ssl.

  • The NSS library is already part of SUSE Linux Enterprise 11, and support for TLS 1.2 can be provided easily with full backward compatibility.

In late November of 2013, SUSE shipped updated versions of libfreebl3, libsoftokn3, mozilla-nspr, and mozilla-nss, along with a new package apache2-mod_nss in the maintenance channels for SUSE Linux Enterprise 11 Service Pack (SP) 2 and SP3. While this took care of the Web server and Web browser cases, it did not do the same for other network services such as e-mail or tools such as wget and curl.

2 More Challenges

The e-mail server that is included with SUSE Linux Enterprise, Postfix, does not work with NSS, only with OpenSSL. Simply shipping both OpenSSL 0.9.8 and OpenSSL 1.0 was not an option because it was all too likely that customers would install both versions of OpenSSL on their systems. Because of the incompatibilities discussed earlier, this would almost certainly have led to all sorts of application crashes.

The lack of SUSE provided packages built against OpenSSL 1.0 lead to some customers attempting to recompile them from source, with mixed success. Worse, the recompiled packages were not supported by SUSE and could affect the supportability for the entire system. Further, customers would need some way of rebuilding their in-house written applications against OpenSSL 1.0 to be compliant. Clearly something more was needed.

3 Round Two

In August of 2014, SUSE released the SUSE Linux Enterprise 11 Security Module, providing enhancements to SUSE Linux Enterprise 11 SP3, and later SP4. Available to all customers with a SUSE Linux Enterprise Server subscription, this allows customers and partners to build TLS 1.2 compliant infrastructures beyond the HTTPS protocol. The packages in the Security Module will be supported in the same way and for the same period of time as the other packages shipped with SUSE Linux Enterprise 11 (see https://www.suse.com/lifecycle/).

In this context the term module can be somewhat confusing but it comes from the optional modules that were introduced with SUSE Linux Enterprise 12 (see https://www.suse.com/products/server/features/modules.html). Essentially the Security Module is an additional package and maintenance repository for use by YaST or Zypper. There are no DVDs to order or ISO images to download. At this time, there are a total of 31 packages available in the Security Module:

curl-openssl1
cyrus-sasl-openssl1
cyrus-sasl-openssl1-32bit
cyrus-sasl-openssl1-crammd5
cyrus-sasl-openssl1-digestmd5
cyrus-sasl-openssl1-gssapi
cyrus-sasl-openssl1-ntlm
cyrus-sasl-openssl1-otp
cyrus-sasl-openssl1-plain
libcurl4-openssl1
libcurl4-openssl1-32bit
libldap-openssl1-2_4-2
libldap-openssl1-2_4-2-32bit
libopenssl1_0_0
libopenssl1_0_0-32bit
libopenssl1-devel
openldap2-client-openssl1
openssh-openssl1
openssh-openssl1-helpers
openssl1
openssl1-doc
openvpn-openssl1
openvpn-openssl1-down-root-plugin
perl-Crypt-SSLeay-openssl1
perl-Net-SSLeay-openssl1
postfix-openssl1
postfix-openssl1-devel
postfix-openssl1-doc
postfix-openssl1-mysql
postfix-openssl1-postgresql
stunnel
wget-openssl1openssh-openssl1-helpers

As you can see there are packages containing executables, runtime libraries, and development files. They are also named to be easily distinguishable from the versions built against OpenSSL 0.9.8. With a few exceptions, the OpenSSL 1.0 packages may be installed concurrently with the versions using OpenSSL 0.9.8. Those exceptions that may not be installed concurrently are:

  • libopenssl1-devel

  • openssh-openssl1

  • openssl1-doc

  • perl-Crypt-SSLeay-openssl1

  • perl-Net-SSLeay-openssl1

  • postfix-openssl1

  • postfix-openssl1-devel

For the OpenSSH and Postfix packages, it does not make sense to have more than one version installed since they provide a service for the entire system, not just for one user or application. For the Perl and -devel packages a conflict is unavoidable as the header and .so files are in the same locations. This means that only the OpenSSL 0.9.8 or the OpenSSL 1.0 version of these packages may be installed on a given system at one time.

4 Getting the Software

Since all the packages reside in a single repository or maintenance channel, there are just two major steps that need to be taken first:

  1. Verify or get access to the Security Module. See Appendix A for the gory details.

  2. Install the packages you need using either YaST (yast sw_single) or the zypper install command, for example

    zypper in curl-openssl1 wget-openssl1

    Both YaST and Zypper will automatically determine if any other packages are needed to satisfy dependencies. In any case you will be prompted to confirm the installation.

Note
Note: No Automatic Change to OpenSSL 1

Note that adding this channel or installing the SUSE provided packages does not automatically change any other existing applications to use OpenSSL 1. Unless ported or rebuilt by the vendor they will still use the OpenSSL 0.9.8 libraries. For C or C++ applications developed in-house you will need to build OpenSSL 1 versions as described in the section on how to use the development packages.

5 Using the Packages

5.1 The Interactive Packages

5.1.1 curl-openssl1 and wget-openssl1

If you have chosen to install the curl-openssl1 or wget-openssl1 packages, you now have a choice as to which one should be the system-wide default when someone simply enters the curl command or wget command. Setting or changing this is accomplished through the use of the SUSE alternatives system (see man 8 update-alternatives for more information). We will be using the curl package for our examples, but as you would expect, the same can and should be done for the wget package.

To see which version of curl is the system default, enter the following command:

update-alternatives --display curl

You should see output similar to this:

# update-alternatives --display curl
curl - status is auto.
 link currently points to /usr/bin/curl.openssl1
/usr/bin/curl.openssl0 - priority 15
/usr/bin/curl.openssl1 - priority 20
Current 'best' version is /usr/bin/curl.openssl1.

If this is not the state you want, you can change it using the update-alternatives --set command:

update-alternatives --set curl /usr/bin/curl.openssl0
Using '/usr/bin/curl.openssl0' to provide 'curl'.

You can then reissue the command with --display:

# update-alternatives --display curl
curl - status is manual.
 link currently points to /usr/bin/curl.openssl0
/usr/bin/curl.openssl0 - priority 15
/usr/bin/curl.openssl1 - priority 20
Current 'best' version is /usr/bin/curl.openssl1.
Note
Note: Status Change

Note that besides the link being updated, the status of it has been changed from auto to manual. That means that the curl.openssl0 command will remain the default until someone with root user authority issues another update-alternatives --set curl or update-alternatives --auto curl command.

Individual users will need to use shell aliases or fully qualified paths to the appropriate command if they want something other than the system default.

5.1.2 openssl1

The openssl package contains two commands that might be of interest to users or system administrators, c_rehash and openssl. The openssl1 package has renamed those two commands to c_rehash1 and openssl1. Anyone who wants to be sure they are executing the OpenSSL 1 versions must use the new names explicitly. Note that the c_rehash1 command can generate signatures for both OpenSSL 0.9.8 and OpenSSL 1, but thec_rehash command cannot.

5.1.3 libldap-openssl1

The libldap-openssl1 package contains commands such as ldapadd, ldapsearch, etc. They are located in /opt/suse/bin so they will not be used by default. If you want to execute them by default you can either specify the fully qualified path to the commands, modify your PATH environment variable to contain /opt/suse/bin before /usr/bin, or create aliases that point to the newer version.

Some consideration is being given to modifying this package to use the same update-alternatives method as the curl and wget packages. If and when that happens, the commands in /opt/suse/bin will be moved into a different package, most likely named openldap2-client-openssl1. This will make the contents and naming similar to what is being done now for the OpenSSL 0.9.8 package, openldap2-client.

5.1.4 openssh-openssl1 and postfix-openssl1

The OpenSSH and Postfix packages contain both client and server/admin components. Since only one version can be installed at a time, by definition users will not have a choice as to which version they execute.

5.2 The Server Packages

For OpenSSH and Postfix, the post installation scripts that are executed by RPM should set up everything needed in the configuration files and then restart the services. If the services were not running at the time the packages were installed, they will not be started automatically. To ensure they are running check their status:

service sshd status
service postfix status

If either or both are not running, start them:

service sshd start
service postfix start

From this point on, there should be no differences from how the services were managed previously.

5.3 The Development Packages

The two development packages will only be of interest to customers that are doing in-house development of C or C++ software that uses these libraries. And they are relevant for customers that are installing vendor packages that require all or part of their source code to be compiled and linked to these libraries. If the corresponding -devel packages from OpenSSL 0.9.8 were never installed on a particular system, there should be no need to install the OpenSSL 1.0 versions either.

Because only one set of the development packages can be installed at any one time, it is cumbersome to try to do development against both versions on the same system. Switching between the two will require uninstalling one version and reinstalling the other, as needed.

Depending on what libraries your OpenSSL 1 application requires, you might need to also install one or all of the following packages:

  • libldap-openssl1-2_4-2

  • cyrus-sasl-openssl1

  • libcurl4-openssl1

  • cyrus-sasl-openssl1-plain

  • cyrus-sasl-openssl1-gssapi

  • cyrus-sasl-openssl1-digestmd5

If your application does not require them, then they will only be installed if needed by other packages such postfix-openssl1, etc.

These OpenSSL 1 libraries are located in /opt/suse/lib64 or /opt/suse/lib on 32-bit systems. This allows them to be installed concurrently with the OpenSSL 0.9.8 versions. Because they have exactly the same file names as the OpenSSL 0.9.8 libraries in /usr/lib64 and /usr/lib, it is important to make sure that your software build processes are referencing the correct versions.

The way to accomplish this is by telling the compiler/linker where to find the desired version. So, when compiling and linking software against OpenSSL 1, pass the following parameters to the gcc command:

-Wl,-rpath,/opt/suse/lib64

or on 32-bit systems:

-Wl,-rpath,/opt/suse/lib

This causes both the application and libraries that are built to look for the libraries in /opt/suse/lib64 or /opt/suse/lib first, and in the regular system locations later.

This can most reliably be done by updating whatever make file is being used to build the software. Note that this must be done for any libraries being built, as well as binary executables. Having a library pointing to the wrong version will be just as wrong as having the program being executed pointing to the wrong version.

When compiling and linking against OpenSSL 0.9.8, you have a choice; either leave the -Wl,-rpath out entirely, or point to /usr/lib64 or on 32-bit systems /usr/lib.

To confirm if your software has been built correctly, execute the following command against it:

readelf ­a /path/to/your/binaryorlibrary | grep RUNPATH

You should see something similar to this example:

readelf -a /usr/lib/postfix/smtp | grep RUNPATH
0x000000000000001d (RUNPATH)            Library runpath: [/opt/suse/lib64]

To confirm if your application is not referencing any of the OpenSSL 0.9.8 libraries, use the /usr/bin/ldd command as in this example:

ldd /usr/lib/postfix/smtp | grep /libssl.so.0
ldd /usr/lib/postfix/smtp | grep /libcrypto.so.0

You should not see any output from either of those commands when run against your application files. If you do, it means that your application was linked against the wrong version of OpenSSL and you need to re-examine your build processes.

6 Appendix A

6.1 Checking if the Security Module Repository Is Already Defined

Issue the following command as the root user:

zypper repos | grep Security

If the repository is defined, you should see something similar to this:

17 | nu_novell_com:SLE11-Security-Module | SLE11-Security-Module | No | Yes

If it is defined, skip to the section on enabling the Security Module Repository. If the repository is not defined, proceed with the following section on registering your system.

Note
Note: Usage of YaST

Note that all of this work can be done via YaST (yast repositories) as well.

6.2 Registering the System

If your initial command

zypper repos | grep Security

showed nothing in response, then you will need to register, or re-register, your system with the Novell Customer Center or your own local Subscription Management Tool (SMT) server. This can be accomplished via YaST (yast inst_suse_register) or the suse_register command. System administrators that are not already familiar with suse_register should use YaST to register the system.

Note
Note: YaST Registration

For more information about suse_register, search the relevant documentation. If your are not yet familiar with suse_register, it is highly recommended to use YaST.

When the system has been registered, you should be able to see the Security Module repository as already discussed. If you do not, contact the Customer Resolution Team for assistance.

In EMEA: <>

In all other countries: <>

6.3 Enabling the Security Module Repository

When the Security Module is defined, then all you need to do is enable it and enable automatic refreshes. Reissue the following command as the root user:

zypper repos | grep Security

The fourth column is now the one of particular interest. It shows whether the repository is enabled or not. That is, whether YaST or Zypper should look at this repository to satisfy requests or not.

17 | nu_novell_com:SLE11-Security-Module | SLE11-Security-Module | No | Yes

Our example shows that it is not enabled, so we must change that. The easiest way is by using the zypper modifyrepo command with the repository ID shown in column 1. In our example that is 17:

zypper modifyrepo -e 17

Substitute whatever repository ID that Zypper shows on your system for the 17 we have used in our example. You should see a message like this:

Repository 'nu_novell_com:SLE11-Security-Module' has been successfully enabled.

To verify, reissue the zypper repos command:

zypper repos | grep Security
17 | nu_novell_com:SLE11-Security-Module | SLE11-Security-Module | Yes | Yes

6.4 Enabling Automatic Refreshes

The last column in the display shows whether Zypper will automatically refresh the status of the repository or not. Ensuring that this is set to Yes is important so that any new or updated packages in the Security Module will show up as available updates.

17 | nu_novell_com:SLE11-Security-Module | SLE11-Security-Module | Yes | Yes

Our example shows that it is enabled. If yours is not then issue the following command:

zypper modifyrepo -r 17

Again, substitute whatever repository ID that Zypper shows on your system. If you then display your repositories again you should see a Yes in the last column, and you have completed this task.

7 More Information

More information about the Security Module and its background can be found here:

Print this page