Skip to content

Instantly share code, notes, and snippets.

@dividedmind

dividedmind/logjam-fix.sh

Last active August 29, 2015 14:24
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save dividedmind/aa32c62508ceefb8186e to your computer and use it in GitHub Desktop.
Save dividedmind/aa32c62508ceefb8186e to your computer and use it in GitHub Desktop.
Download ZIP
Logjam hotfix for older Conjur servers
Raw
logjam-fix.sh
#!/bin/bash -e
#
# Conjur servers older than v4.4.1 might be susceptible to Logjam attack
# (see weakdh.org for details). While the feasibility of such an attack is
# partly mitigated by network architectures Conjur is typically deployed into,
# the following script allows patching older appliances without upgrading to
# the new version.
#
# To apply the hotfix use `logjam-fix.sh apply`:
# $ wget https://gist.githubusercontent.com/dividedmind/aa32c62508ceefb8186e/raw/logjam-fix.sh
# $ chmod +x logjam-fix.sh
# $ sudo ./logjam-fix.sh detect
# $ sudo ./logjam-fix.sh apply
#
# Note this should be done on every server, whether master, follower or
# standby.
#
# Author: Rafal Rzepecki <rafal@conjur.net>
# This script is public domain.
DHPARAM=/etc/ssl/dhparam.pem
NGINXCONF=/etc/nginx/sites-available/conjur
NGINXCONF_BACKUP=$NGINXCONF.logjam.orig
detect() {
if [ -f $DHPARAM ]; then
echo $DHPARAM found.
DHPARAM_PRESENT=true
fi
case `grep -q $DHPARAM $NGINXCONF ; echo $?` in
0)
echo Nginx configuration looks ok.
DHPARAM_USED=true
;;
1)
;;
*)
exit $?
esac
if [ -f $NGINXCONF_BACKUP ]; then
BACKUP_PRESENT=true
fi
}
case $1 in
detect)
detect
if [ -z "$DHPARAM_PRESENT" ]; then
echo $DHPARAM not present. Use \`$0 apply\` to generate.
exit 1
fi
if [ -z "$DHPARAM_USED" ]; then
echo $DHPARAM not used in nginx configuration. Use \`$0 apply\` to fix.
exit 1
fi
echo Your system is safe!
exit 0
;;
revert)
detect
if [ -z "$BACKUP_PRESENT" ]; then
echo $NGINXCONF_BACKUP not present. Has the hotfix been applied?
exit 1
fi
echo Reverting $NGINXCONF using $NGINXCONF_BACKUP.
mv -f $NGINXCONF_BACKUP $NGINXCONF
;;
apply)
detect
if [ -z "$DHPARAM_PRESENT" ]; then
echo Generating $DHPARAM. Note this can take a couple of minutes.
openssl dhparam -out /etc/ssl/dhparam.pem 2048
fi
if ! [ -z "$DHPARAM_USED" ]; then
echo It seems everything is already fine!
exit 0
fi
if ! [ -z "$BACKUP_PRESENT" ]; then
echo $NGINXCONF_BACKUP present. It seems the hotfix is already applied.
exit 1
fi
echo Updating nginx configuration in $NGINXCONF
echo Copying existing configuration to $NGINXCONF_BACKUP
cp $NGINXCONF $NGINXCONF_BACKUP
cat > $NGINXCONF << \EOF
ssl_certificate /opt/conjur/etc/ssl/conjur.pem;
ssl_certificate_key /opt/conjur/etc/ssl/conjur.key;
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
server {
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_session_cache shared:SSL:10m;
listen 443;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real_IP $remote_Addr;
proxy_set_header X-Forwarded_For $proxy_add_x_forwarded_for;
location /api/authn {
proxy_pass http://localhost:5000;
}
location /api/authz {
rewrite /api/authz/(.*) /$1 break;
proxy_pass http://localhost:5100;
}
location /api/audit {
rewrite /api/audit/(.*) /$1 break;
proxy_pass http://localhost:5300;
proxy_buffering off;
# needed to support streaming and chunked encoding
proxy_http_version 1.1;
}
location /api {
proxy_pass http://localhost:5200;
proxy_redirect http://localhost:5200/ /api/;
proxy_redirect https://localhost:5200/ /api/; # for enrollment urls only
}
location /api/pubkeys {
rewrite /api/pubkeys/(.*) /$1 break;
proxy_pass http://localhost:5400;
}
location /api/host_factories {
proxy_pass http://localhost:5500;
proxy_redirect http://localhost:5500/ /api/;
}
}
EOF
echo Restarting nginx...
restart nginx
;;
*)
echo $"Usage: $0 {detect|apply|revert}"
exit 1
esac
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment