Upgrade OpenSSL/OpenSSH in an OpenSuse/Apache2 server environment


I recently read some things about forward secrecy and found that interesting enough to check my webserver installation. SSLLabs has a nice site where you can check your webserver regarding security features/issues with https connections. I got an F grade on my first test and decided I can do better... After reading more stuff (and some more on OpenSSL) I found out that I probably just needed to upgrade my OpenSSL installation. Since I'm stuck with my old OpenSuse 11.1/Apache 2.2 environment and could not find any usable RPMs, I needed to compile it myself. I'll give a short description of the necessary steps in an OpenSuse server environment.
Here's how it goes:

> cd /usr/src
> wget https://www.openssl.org/source/openssl-1.0.1e.tar.gz
> tar -xvzf openssl-1.0.1e.tar.gz
> cd openssl-1.0.1e/
> ./config no-threads shared --prefix=/usr
> make depend
> make
> make test
> make install

If you get any errors during the "make depend" step complaining that gcc is missing, use yast2 to install gcc and its dependencies.

When it's finished (compiling and testing takes several minutes), check that the installation is correct with

> openssl version
OpenSSL 1.0.1e 11 Feb 2013

Now you can update your Apache config. Read this one also. Make sure you restart Apache afterwards, since mod_ssl only picks up the new library on restart.

Now let's update the OpenSSH server (sshd) as well. It will be linked against the OpenSSL libs we have just built. You may also need the "zlib-devel" and "tcpd-devel" packages. Use yast2 to install these before you begin. With tcp-wrappers support you can use DenyHosts with your OpenSSH server to block brute-force login attempts.

> cd /usr/src
> wget http://ftp.spline.de/pub/OpenBSD/OpenSSH/portable/openssh-6.2p2.tar.gz
> tar xzvf openssh-6.2p2.tar.gz
> cd openssh-6.2p2/
> ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-tcp-wrappers
> make

I recommend you rename your /etc/ssh directory to something else and let the new OpenSSH version create a fresh one with all new settings and host keys. You can modify the new config file afterwards.

> mv /etc/ssh /etc/ssh.old
> make install

You can check the current version with

> sshd -?
OpenSSH_6.2p2, OpenSSL 1.0.1e 11 Feb 2013
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
            [-f config_file] [-g login_grace_time] [-h host_key_file]
            [-k key_gen_time] [-o option] [-p port] [-u len]
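A small post-upgrade check, added here as an example and not part of the original post: it parses the two banners shown above to confirm that sshd really links against the freshly built OpenSSL (rather than the old distro library), and optionally confirms that the web server now negotiates a forward-secret (EDH/ECDHE) cipher. The host name and the script name are placeholders.

```shell
#!/bin/sh
# post_upgrade_check.sh (hypothetical name) -- verify the OpenSSL/OpenSSH upgrade.
# Assumes OpenSSL was installed with --prefix=/usr as in the steps above.

# Extract the "x.y.zl" token from a banner such as "OpenSSL 1.0.1e 11 Feb 2013"
# or "OpenSSH_6.2p2, OpenSSL 1.0.1e 11 Feb 2013". Prints nothing on no match.
openssl_version_of() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][0-9a-z.]*\).*/\1/p'
}

# Succeeds only if both banners carry the same OpenSSL version, i.e. sshd was
# linked against the library we just built and not against the old system one.
same_openssl() {
    a=$(openssl_version_of "$1")
    b=$(openssl_version_of "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Live check: compare the openssl binary with the sshd usage banner.
check_build() {
    ossl=$(openssl version 2>&1)
    sshd_banner=$(sshd -? 2>&1 | head -n 1)   # usage text goes to stderr
    echo "openssl: $ossl"
    echo "sshd:    $sshd_banner"
    if same_openssl "$ossl" "$sshd_banner"; then
        echo "OK: sshd uses the same OpenSSL as the openssl binary"
    else
        echo "MISMATCH: sshd is linked against a different libssl:"
        ldd "$(command -v sshd)" | grep -E 'libssl|libcrypto'
        return 1
    fi
}

# Optional live check against your own web server: ask only for ephemeral
# DH / ECDH cipher suites; if the handshake yields a Cipher line, the server
# offers forward secrecy. HOST is a placeholder, default localhost.
check_fs() {
    host=${1:-localhost}
    printf 'Q\n' | openssl s_client -connect "$host:443" -cipher 'EDH:ECDH' 2>/dev/null \
        | grep -E '^ *Cipher *:'
}

# Usage: RUN_CHECKS=1 sh post_upgrade_check.sh [web-host]
if [ "${RUN_CHECKS:-0}" = "1" ]; then
    check_build && check_fs "${1:-localhost}"
fi
```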