Secure TLS for all services

TLS Interposer Logo

Source: netfuture.ch

At the latest since “Heartbleed” and “Poodle” it should be clear that using SSL/TLS does not automatically mean “secure”. A secure encryption of services requires up-to-date SSL libraries (for example a current version of OpenSSL without the “Heartbleed” bug) as well as a secure configuration of the respective software (Apache, Dovecot, Postfix etc.).

“Poodle” has shown that SSL 3 can not be considered secure any longer and that you should use at least TLS 1.0 or better 1.1 oder 1.2. Also the choice of the cipher suites is important for security. Not every cipher suite allows forward secrecy (which means you can not decrypt recorded data later) and some of them are generally not secure any longer and should therefore not be used any more.

For the most web servers as for example Apache or Nginx it is quite easy to customize the configuration to achieve this. However, often there are additional services in use like a mail server (Dovecot, Postfix) or as in my case a XMPP/Jabber server based on ejabberd. Not every service allows the customization of the SSL/TLS configuration. Sometimes this is not possible in the used version but upgrading to a newer version is not possible for several reasons.

A solution for such cases is “TLS Interposer”. This is a library for Linux (the source is also available on Github) which replaces calls of the  OpenSSL library by an aditional layer and therefore allows a secure configuration even if the service itself does not support that.

Installation

The installation is very easy using the sources in Github, for example in Ubuntu Linux (you may have to set up a Git client first with sudo apt-get install git):

git clone https://github.com/Netfuture/tlsinterposer
cd tlsinterposer
sudo make install

After this the library is available as /usr/local/lib/libtlsinterposer.so and can be integrated in particular servers using the environment Variable LD_PRELOAD if needed. For the affected services you can also adjust the list of cipher suites used with the environment variable TLS_INTERPOSER_CIPHERS.

Example: ejabberd

On the website of the creator you find several examples for the practical use.  I tried that with my XMPP server – ejabberd – which does not allow to customize the SSL/TLS configuration in the version I use.

Before using “TLS Interposer”, ejabberd did not support cipher suites for forward secrecy and also still used the insecure cipher suite DES-CBC3-SHA. Besides that SSL 3 was also still in use.

ejabberd cipher suites without “TLS Interposer”

After integrating “TLS Interposer” according the guide it looks much better.

In particular the following lines were added at the end of /etc/default/ejabberd:

export LD_PRELOAD=/usr/local/lib/libtlsinterposer.so
export TLS_INTERPOSER_CIPHERS='EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH$

Now at least TLS 1.0 is required and only cipher suites supporting forward secrecy are used except RC4-SHA, which was left active since some older clients don’t support the DHE und ECDHE suites:

ejabberd cipher suites with “TLS Interposer”

Leave a Comment

Your email address will not be published. Required fields are marked *