
PCI Compliance and openssl-1.0.0c

Posted by SpiesInOrbit on Wed 9 Mar 2011 at 08:20

For some, the stability-biased Debian is too conservative, and apparently OpenSSL has a bug that breaks PCI compliance.

CVE-2009-1379 CVE-2010-4180 CVE-2010-4252

For e-commerce sites this can be an issue. Due to recent changes in the credit card laws, all sites accepting credit cards must meet PCI compliance. It's my opinion that this is a poor upgrade path for security, since truly OpenSSL's patched version 0.9.8o-4 should be sufficient, rather than requiring a version change. Either way, openssl-1.0.0c is only available through the experimental repositories.

Add the following source line to /etc/apt/sources.list.d/openssl-1.0.0c:

deb http://ftp.debian.org/debian experimental main

followed by:

apt-get update
apt-get -t experimental install openssl

This is where I thought the crisis would end...

Apparently, you have to compile openssl-1.0.0c from source with SSLv2 included, because apache2 2.2.16 won't compile without it and openssl-1.0.0c excludes it by default.

cd /usr/src
apt-get source openssl=1.0.0c-2
apt-get source apache2
cd openssl-*
apt-get build-dep openssl=1.0.0c-2

Now we have to enable SSLv2. I'm still learning the Debian packaging conventions, so someone feel free to jump in here with some "best practices". Edit 'debian/rules':

vi debian/rules

# -- change --

CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl \
no-idea no-mdc2 no-rc5 zlib  enable-tlsext no-sslv2

# -- to --

CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl \
no-idea no-mdc2 no-rc5 zlib  enable-tlsext

# Now we need to build the packages again.

debuild -us -uc

I advise using GNU screen here because it's nice to be able to disconnect and do something else while it compiles.

Now we need to compile apache2 against the new OpenSSL libraries and headers.

cd ../apache2-*
vi debian/rules

# -- change --

AP2_CFLAGS = $(CFLAGS) -g -pipe -I/usr/include/xmltok \
-I/usr/include/openssl -Wall -Wformat -Wformat-security \
-D_FORTIFY_SOURCE=2 -fstack-protector

# -- to --

AP2_CFLAGS = $(CFLAGS) -g -pipe -I/usr/include/xmltok \
-I/usr/src/openssl-1.0.0c/include/openssl -Wall -Wformat \
-Wformat-security -D_FORTIFY_SOURCE=2 -fstack-protector

Now we need to compile apache2.

apt-get build-dep apache2
debuild -us -uc

cd ..
dpkg -i apache2.2-bin_2.2.16-6_amd64.deb \
apache2.2-common_2.2.16-6_amd64.deb \
apache2-utils_2.2.16-6_amd64.deb

# I'm using the prefork MPM because of PHP
dpkg -i apache2-mpm-prefork_2.2.16-6_amd64.deb

This should restart Apache. You can check the install with phpinfo(). Please note that you will have to disable SSLv2, since it has weak ciphers. This can be done by appending '-SSLv2' to the SSLProtocol line in your ssl.conf.

vi /etc/apache2/mods-available/ssl.conf

SSLProtocol all -SSLv2

service apache2 restart

After the restart you should be good with SSL and PCI compliance.
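Because the rebuilt library now contains SSLv2, the only thing keeping it off the wire is that SSLProtocol line, and mod_ssl reads that line by token order: a bare keyword (all, SSLv2, TLSv1, ...) replaces the whole protocol set, "+x" adds one, "-x" removes one, so 'all -SSLv2' is safe but '-SSLv2 all' silently re-enables SSLv2, and with no SSLProtocol directive at all Apache 2.2 defaults to 'all'. The following POSIX shell check is an added example, not code from the original post; the function names and the sample ssl.conf excerpts it writes to temporary files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): check an Apache ssl.conf for the
# SSLv2 setting the way mod_ssl 2.2 evaluates SSLProtocol tokens.

# sslv2_disabled FILE -> exit 0 if every SSLProtocol directive in FILE leaves
# SSLv2 disabled, 1 if any directive (or the missing-directive default of
# "all") enables it.
sslv2_disabled() {
    directives=$(grep -v '^[[:space:]]*#' "$1" \
                 | grep -i '^[[:space:]]*SSLProtocol[[:space:]]' \
                 | tr '[:upper:]' '[:lower:]')
    [ -n "$directives" ] || return 1     # no directive: Apache 2.2 default "all"
    status=0
    while read -r directive args; do
        sslv2=0
        for tok in $args; do
            case "$tok" in
                all|sslv2)   sslv2=1 ;;  # bare keyword: set becomes this, SSLv2 in it
                +all|+sslv2) sslv2=1 ;;  # adds SSLv2 (directly or via all)
                -all|-sslv2) sslv2=0 ;;  # removes SSLv2
                [+-]*)       ;;          # some other protocol added/removed
                *)           sslv2=0 ;;  # bare other keyword: set without SSLv2
            esac
        done
        [ "$sslv2" -eq 0 ] || status=1
    done <<EOF
$directives
EOF
    return "$status"
}

# mk_sample FILE DIRECTIVE: write a constructed ssl.conf excerpt (not the
# author's real file) containing DIRECTIVE as its SSLProtocol line.
mk_sample() {
    printf '# constructed excerpt\nSSLEngine on\n%s\nSSLCipherSuite HIGH:!aNULL\n' \
        "$2" > "$1"
}

# report FILE: one-line verdict for a config file.
report() {
    if sslv2_disabled "$1"; then
        echo "$1: SSLv2 disabled"
    else
        echo "$1: SSLv2 ENABLED"
    fi
}

weak=$(mktemp) && fixed=$(mktemp)
mk_sample "$weak"  'SSLProtocol all'          # what the unedited file allows
mk_sample "$fixed" 'SSLProtocol all -SSLv2'   # the fix from the post
report "$weak"
report "$fixed"
rm -f "$weak" "$fixed"
```

On a real host, run sslv2_disabled against /etc/apache2/mods-available/ssl.conf (and any virtual host that sets its own SSLProtocol). The check is a static read of the file; the authoritative test is from the network, where 'openssl s_client -ssl2 -connect host:443' against the restarted server must fail to negotiate, which is also what a PCI scanner looks for.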

Re: PCI Compliance and openssl-1.0.0c
Posted by Anonymous (193.252.xx.xx) on Wed 9 Mar 2011 at 11:51
All those bugs are fixed in Debian:
security-tracker.debian.org/tracker/CVE-2010-4252
security-tracker.debian.org/tracker/CVE-2009-1379
security-tracker.debian.org/tracker/CVE-2010-4180

There is absolutely no need to use experimental! Just use stable and stable security.

Re: PCI Compliance and openssl-1.0.0c
Posted by Anonymous (76.186.xx.xx) on Thu 10 Mar 2011 at 06:17
That's how I explained it to the auditing company. I also included a mention of the uncertainty and overhead of running a mixed system with what's considered untested software. I'm still waiting for their response. Until then, Experimental is holding the pci scanner at bay and keeping the certification image showing on the site.


Re: PCI Compliance and openssl-1.0.0c
Posted by Anonymous (62.226.xx.xx) on Fri 11 Mar 2011 at 19:44
I agree there is no need to update the version. You have to explain the situation to the auditor, then they will happily mark the result as false positive. Been there, done that ...


Re: PCI Compliance and openssl-1.0.0c
Posted by SpiesInOrbit (76.186.xx.xx) on Sat 12 Mar 2011 at 06:51
Finally got their response, and yes they're removing the false positive. Thanks "experimental" for successfully holding off the auditors and still providing error free ssl. If for only 3 days.


Re: PCI Compliance and openssl-1.0.0c
Posted by Anonymous (173.180.xx.xx) on Tue 17 Jan 2012 at 06:25
If one's reason for doing this is really PCI compliance, I'd check first that SSL v2 is compliant. It's insecure, so I doubt it, and it's not necessary for modern clients.