Upgrade/Patch Management

Concept: DO NOT roll your own Crypto! Use standard services and libraries.
It is NOT advisable in any circumstances to develop any sort of cryptography on your own. Instead, there are a few options of standard libraries that can be used. These libraries offer better stability as they are usually a product of several years of experience in implementing cryptography by an active development community who are dedicated towards efforts in implementation. It is therefore considered to be reliable and robust.

Examples: Openssl is one such library which popular and therefore is used as an example for this concept. OpenSSL is not the only available crypto library. For a list of different libraries and a comparision between them, visit here.

OpenSSL is a general purpose cryptography library that provides an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

The library includes tools for generating RSA private keys and Certificate Signing Requests (CSRs), checksums, managing certificates and performing encryption/decryption. OpenSSL is written in C, but wrappers are available for a wide variety of computer languages.

Which version of OpenSSL do I upgrade to?
OpenSSL version 1.0.1 released on March 14, 2012 was the first OpenSSL Library to support TLSv1.2. But OpenSSL does not officially support the release anymore. Version 1.0.2 (released on 22nd January, 2015) is an LTS release and is scheduled to be supported till the end of year 2019. OpenSSL defines LTS support as follows:
  • LTS releases will be supported for at least five years and we will specify one at least every four years. Non-LTS releases will be supported for at least two years.
  • During the final year of support, we do not commit to anything other than security fixes. Before that, bug and security fixes will be applied as appropriate.


These are the official list of what is included in OpenSSL version 1.0.2:

  • Suite B support for TLS 1.2 and DTLS 1.2
  • Support for DTLS 1.2
  • TLS automatic elliptic curve (EC) curve selection.
  • API to set TLS supported signature algorithms and curves
  • SSL_CONF configuration API.
  • TLS Brainpool support.
  • ALPN support.
  • CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.

Note: The latest major release for OpenSSL is 1.1.1 LTS (released on 11th September, 2018).. Again, we do not stress on upgrading OpenSSL blindly without properly evaluating the products that use them (and their advisories) and the consequences of an upgrade.

Find out which openssl version you are using:

Use the version option.

$ openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013


You can get much more information with the version -a option.
$ openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Thu Jul 23 19:06:35 UTC 2015
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int)
          idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO
-Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
-Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
-DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM
-DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM
-DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  rdrand dynamic


Concept: Please be careful while upgrading your crypto library. Do not simply upgrade the package without thinking about the implications it might have on existing features of your application or operating system.

A lot of application and Operating System vendors provide specific guidelines on how to upgrade your software. These vendors perform extensive testing of new releases of libraries like OpenSSL to ensure that no existing functionality is affected. Usually, these vendors release their own updates called backported packages. The security team backports security fixes to the released code versions, so while you will not get new features you can be reasonably sure that your SSL libraries are up to date.
Here are a couple of examples for regarding upgrades to popular Operating Systems:
CentOS: https://wiki.centos.org/PackageManagement/SourceInstalls
RedHat: https://access.redhat.com/security/updates/backporting/?sc_cid=3093

Certain advisories are usually posted when vulnerabilties are found in OpenSSL library, for example:
CentOS: https://wiki.centos.org/Security/POODLE
RedHat: https://access.redhat.com/articles/1232123

Upgrade to secure SSL/TLS in Programming Languages

Concept: It is again advised to not roll out your own cryptography while developing software. There are popular libraries in almost all programming languages that can readily be used to perform cryptographic operations.

Examples:
Python
There are a lot of libraries that Python can use for SSL/TLS. Some of the notable ones include the native SSL module in Python and PyOpenSSL. Both these libraries are essentially wrappers around the OpenSSL Library found on the system where Python is installed. Some behavior may be platform dependent, since calls are made to the operating system socket APIs. The installed version of OpenSSL may also cause variations in behavior.

To check which openssl version you are using execute the following within Python:
import ssl
print ssl.OPENSSL_VERSION

ssl library

Here is a basic example of how to use Python's SSL library to perform a TLSv1.2 handshake using sockets. If you are using ssl library in your application, look for the following code block and adjust the parameters accordingly.
def handshake(sock):
# this will trigger the handshake
# if sock is already connected
new_sock = ssl.wrap_socket(sock,
        ciphers="HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5",
        ssl_version=ssl.PROTOCOL_SSLv3,
		...
		...
        )
return new_sock
For TLSv1.2, a small change in the above would be to have
ssl_version=ssl.PROTOCOL_TLSv1_2
pyopenssl library

pyOpenSSL is collaboratively developed by the Python Cryptography Authority (PyCA) that also maintains the low-level bindings called cryptography. It's a well documented wrapper around OpenSSL and supports all the features required for TLSv1.2 and more details here.

Almost everything that you would want with pyOpenSSL is on their website:
https://pyopenssl.org/en/stable/

Here are some examples of opensource code that utilizes pyOpenSSL:
HTTP Server supporting SSL: http://code.activestate.com/recipes/442473-simple-http-server-supporting-ssl-secure-communica/
HTTP Client: http://www.de-brauwer.be/wiki/wikka.php?wakka=PyOpenSSLClient
Validating a Certificate: http://blog.san-ss.com.ar/2012/05/validating-ssl-certificate-in-python.html