SSL/HTTP – Securing the ODROID-XU

Ubuntu Server 14.04 LTS does not get security updates in the ARM repository, despite LTS standing for Long Term Support. This is something that I did not expect.

When running web servers with SSL/HTTPS on the ODROID-XU, the system is vulnerable to several security issues, such as POODLE and the CCS Injection Vulnerability (CVE-2014-0224). These are fixed in more recent versions of OpenSSL, but those are not available from the ARM repositories. To solve this, OpenSSL can be built from source. CVE-2014-0224 is fixed from OpenSSL 1.0.1h, and POODLE from 1.0.1j. Generally it is best to install the most recent version of OpenSSL. The following steps describe how to get the job done. They assume the build is performed as the root user; otherwise sudo may need to be added before the make install, cp and ln commands:

#update openssl to fix various SSL vulnerabilities
wget https://www.openssl.org/source/openssl-1.0.1m.tar.gz
tar xzvf openssl-1.0.1m.tar.gz
cd openssl-1.0.1m
./config --prefix=/usr/ --openssldir=/etc/ssl shared
make #make -j5 fails!
make install

cp -a /lib/arm-linux-gnueabihf/libssl.so.1.0.0 /lib/arm-linux-gnueabihf/libssl.so.1.0.0.backup
cp -a /lib/arm-linux-gnueabihf/libcrypto.so.1.0.0 /lib/arm-linux-gnueabihf/libcrypto.so.1.0.0.backup
ln -sf /usr/lib/libssl.so.1.0.0 /lib/arm-linux-gnueabihf/libssl.so.1.0.0
ln -sf /usr/lib/libcrypto.so.1.0.0 /lib/arm-linux-gnueabihf/libcrypto.so.1.0.0

Then to check whether the build succeeded, extended version information can be retrieved.


openssl version -a
#shows:
OpenSSL 1.0.1m 19 Mar 2015
built on: Mon Apr 20 09:40:50 2015
platform: linux-armv4
....
OPENSSLDIR: "/etc/ssl"

For Apache web servers we are now done. The result can be tested with the site www.ssllabs.com.

In the unlikely case one is running a Python web server, Python also needs to be updated. Luckily it is easy to build Python from source, and the instructions are very clear. For Python 2.7, see: https://docs.python.org/2/using/unix.html
In the case of the Odroid-XU, Python needs to be upgraded from version 2.7.6 to at least 2.7.9. The following steps build version 2.7.10, as user root:

#build python 2.7.x
#See https://docs.python.org/2/using/unix.html
#login as root
cd builds
wget https://www.python.org/ftp/python/2.7.10/Python-2.7.10.tgz
tar xzvf Python-2.7.10.tgz
cd Python-2.7.10
./configure
make
make altinstall

Here I have chosen to use make altinstall. This builds the python2.7 binary, but leaves the python binary untouched. Test the versions with:

python -V
#shows: Python 2.7.6
python2.7 -V
#shows: Python 2.7.10

The web server now needs to be started with python2.7 instead of python.
A make install will also replace the python binary. It probably is OK to do so, but I did not test this yet.
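
The version check above can be scripted. The following is an added example, not part of the original post: it classifies an `openssl version` line against the two thresholds given here (1.0.1h for CVE-2014-0224, 1.0.1j for POODLE). The function names and the sample lines are made up for illustration, and only the 1.0.1 branch is judged.

```shell
#!/bin/sh
# Added example: judge an "OpenSSL <version> <date>" line against the two
# thresholds from this post (CVE-2014-0224 fixed in 1.0.1h, POODLE in 1.0.1j).
# Only the 1.0.1 branch is judged; any other input yields "unknown".

ALPHABET=abcdefghijklmnopqrstuvwxyz

# letter_rank SUFFIX: print the patch-letter suffix as an integer
# ("" = 0, a = 1 ... z = 26, za = 27), or -1 if it is not purely a-z.
letter_rank() {
    lr_s=$1
    lr_rank=0
    while [ -n "$lr_s" ]; do
        lr_c=${lr_s%"${lr_s#?}"}            # first character of the suffix
        lr_s=${lr_s#?}
        lr_pre=${ALPHABET%%"$lr_c"*}        # letters that come before it
        if [ "$lr_pre" = "$ALPHABET" ]; then echo -1; return 0; fi
        lr_rank=$((lr_rank + ${#lr_pre} + 1))
    done
    echo "$lr_rank"
}

# classify_openssl LINE: print vulnerable-ccs-poodle, vulnerable-poodle,
# fixed, or unknown.
classify_openssl() {
    co_ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    case $co_ver in
        1.0.1*) co_rank=$(letter_rank "${co_ver#1.0.1}") ;;
        *)      echo unknown; return 0 ;;
    esac
    if   [ "$co_rank" -lt 0 ];  then echo unknown
    elif [ "$co_rank" -lt 8 ];  then echo vulnerable-ccs-poodle   # before 1.0.1h
    elif [ "$co_rank" -lt 10 ]; then echo vulnerable-poodle       # 1.0.1h, 1.0.1i
    else                             echo fixed                   # 1.0.1j and later
    fi
}

# Constructed sample lines (not captured from a real system).
for line in "OpenSSL 1.0.1f 6 Jan 2014" "OpenSSL 1.0.1h 5 Jun 2014" \
            "OpenSSL 1.0.1m 19 Mar 2015"; do
    printf '%s -> %s\n' "$line" "$(classify_openssl "$line")"
done
# On a live system: classify_openssl "$(openssl version)"
# For an interpreter: classify_openssl "$(python2.7 -c 'import ssl; print(ssl.OPENSSL_VERSION)')"
```

A distribution package can carry backported fixes without changing this version string, so the result is only meaningful for upstream source builds such as the one above.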
