Monday, 12 March 2012

Fun with TLSv1.1 and TLSv1.2

Over a half a year ago there was a big fuss over the BEAST attack method against SSLv3/TLSv1, since then ... basically nothing changed :D. As far as I know Opera is only browser supporting better/newer TLSv1.1 and TLSv1.2 - IE on Win7 and Win2008 Server supposedly also supports those protocols, will check at work and write when I can.

OpenSSL (CVS changes log) with version 1.0.1 will introduce support for improved TLS, GnuTLS had it for few years now.

Here are few "simple" steps to install and play around with the latest software without interfering in system.
I'm doing everything in /tmp dir since it's running on tmpfs (ramdisk). Zlib is used to present a fun way to use env and LD_LIBRARY_PATH, and maybe for those interested with really old systems.

1. Downloading sources
mkdir /tmp/src /tmp/opt
cd /tmp/src

wget http://zlib.net/zlib-1.2.6.tar.gz
aria2c http://ftp.gnu.org/gnu/gnutls/gnutls-3.0.15.tar.xz
curl -O ftp://ftp.openssl.org/snapshot/openssl-1.0.1-stable-SNAP-20120311.tar.gz

tar xzf zlib-1.2.6.tar.gz
tar xJf gnutls-3.0.15.tar.xz
tar xzf openssl-1.0.1-stable-SNAP-20120311.tar.gz
Hint : tar xjf some.tar.bz2 for bz2 compressed tars.

2. Compiling zlib
cd zlib-1.2.6
./configure --prefix=/tmp/opt/zlib --64
make && make install

3. Compiling openssl
cd ../openssl-1.0.1-stable-SNAP-20120311
./config --prefix=/tmp/opt/ssl --with-zlib-lib=/tmp/opt/zlib/lib --with-zlib-include=/tmp/opt/zlib/include zlib threads shared
env LD_LIBRARY_PATH=/tmp/opt/zlib/lib make && make install

4. Compiling gnutls
cd ../gnutls-3.0.15
./configure --prefix=/tmp/opt/tls --with-libz-prefix=/tmp/opt/zlib --disable-openssl-compatibility
env LD_LIBRARY_PATH=/tmp/opt/zlib/lib make && make install

Sure, you could create my.conf in /etc/ld.so.conf.d/ containing path /tmp/opt/zlib/lib and run ldconfig, but this way may cause a problem.
# ldd /tmp/opt/ssl/lib/libcrypto.so.1.0.0
 linux-vdso.so.1 =>  (0x00007ffff2da8000)
 libdl.so.2 => /lib/libdl.so.2 (0x00007f9a81116000)
 libz.so.1 => /usr/lib/libz.so.1 (0x00007f9a80f00000)
 libc.so.6 => /lib/libc.so.6 (0x00007f9a80b5e000)
 /lib/ld-linux-x86-64.so.2 (0x00007f9a81711000)

# env LD_LIBRARY_PATH=/tmp/opt/zlib/lib  ldd /tmp/opt/ssl/lib/libcrypto.so.1.0.0
 linux-vdso.so.1 =>  (0x00007fffe35ff000)
 libdl.so.2 => /lib/libdl.so.2 (0x00007f062222c000)
 libz.so.1 => /tmp/opt/zlib/lib/libz.so.1 (0x00007f0622016000)
 libc.so.6 => /lib/libc.so.6 (0x00007f0621c74000)
 /lib/ld-linux-x86-64.so.2 (0x00007f0622827000)

Depending on content /etc/ld.so.conf custom confs from /etc/ld.so.conf.d/ may be used prior or after paths with standard system libraries. This means either every binary linked against libz.so.1 will use system library or that build in /tmp/opt/zlib/lib (apps I just compiled would use /usr/lib/libz.so.1, or everything would use my libz) - and I didn't want that.

5. We will need keys/certs
export  LD_LIBRARY_PATH=/tmp/opt/zlib/lib
cd  /tmp/opt
ssl/bin/openssl req -new -nodes -out req.pem -keyout key.pem
ssl/bin/openssl  rsa -in key.pem -out new.key.pem
ssl/bin/openssl  x509 -in req.pem -out server.pem -req -signkey new.key.pem -days 3650

Remember that export variable=value expires after login out or exiting mc if you're using Ctrl+o.

6. Run gnutls as a simple http server
env LD_LIBRARY_PATH=/tmp/opt/zlib/lib  tls/bin/gnutls-serv -p 443 --http -g --x509certfile=server.pem --x509keyfile=key.pem
Ctrl+C to exit.

In Opera : Tools > Preferences > Advanced > Security > Security Protocols ... - leave only [Enable TLS 1.2] checked (1.1). You have to close and open Opera anew for the changes to take effect. Now open https://localhost/ - you have to [Approve] the Security Issue.

7. Run openssl as a simple http server
You can force TLS version by using -tls1_2, -tls1_1, -tls1 or disable like this -no_tls1_2 - you can have all {Security Protocols} in Opera enabled.
cd /tmp/opt
env LD_LIBRARY_PATH=/tmp/opt/zlib/lib  ssl/bin/openssl s_server -accept 443 -key new.key.pem  -tls1_2 -www
Ctrl+C to exit.

Well that was fun, right ;]. More fun with LD_LIBRARY_PATH soon.

No comments:

Post a Comment