The TLS Interposer for Linux provides an easy way to upgrade the security of existing SSL/TLS applications based on OpenSSL without having to recompile them or having to switch to newer versions with incompatible configuration or interfaces. TLS Interposer is directed at server applications, but nothing prevents you from using it with client applications.
- TLS Interposer
- Eliminate BEAST, CRIME, Lucky13, RC4, SSLv3 weaknesses from binary/legacy applications
- Upgrading Apache 2.2 OpenSSL security with TLS Interposer
- Upgrade ejabberd to the latest TLS security [UPDATE#2, 2014-06-05]
- Securing fetchmail with improved TLS parameters
- Using TLS Interposer with OpenSSL 0.9.8g (Debian Lenny)
- Disable client certificate requests for Cyrus IMAP
- Make your TLS connections more secure
- Provide a common way of tuning security for all SSL/TLS applications
- Allow you to update security at one place
- No need to recompile existing applications
- Small piece of code, easily checked
- Easy to disable in case it should break your setup
TLS Interposer Operation
Following the aspect-oriented paradigm, TLS Interposer uses LD_PRELOAD to upgrade selected SSL/TLS server processes to use OpenSSL more securely. It works by enhancing calls to the OpenSSL initialization functions and restricting some parameter setting functions.
It changes the following operations:
SSL_CTX_new(), the function that creates new SSL/TLS contexts, is wrapped such that the context is pre-initialized more securely.
SSL_CTX_set_cipher_list() is changed so that the cipher list requested by the application is overridden with the one already set during SSL_CTX_new().
The cipher string set by default is EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4, the Qualys recommendation, but it can be modified by setting the TLS_INTERPOSER_CIPHERS environment variable to something else.
For example, to enable the (relatively secure) RC4 variants (the very insecure ones remain disabled), set TLS_INTERPOSER_CIPHERS to the above default cipher string, leaving away the trailing “:!RC4”.
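The wrapping described above, as an added example that is not the project's own code: a minimal LD_PRELOAD shim in C that wraps SSL_CTX_new() and overrides SSL_CTX_set_cipher_list() the way the text describes, resolving the real OpenSSL functions at run time with dlsym(RTLD_NEXT). The helper tlsi_cipher_string(), the file name shim.c and the build command are my assumptions; the default cipher string is the one quoted on this page.

```c
/* Added illustration of the TLS Interposer mechanism (not the project's code).
 * Build: gcc -shared -fPIC -o shim.so shim.c -ldl ; then run: env LD_PRELOAD=./shim.so example --listen 123
 * No OpenSSL headers are needed: the real functions are resolved at run time via dlsym(). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <dlfcn.h>
#include <stdlib.h>
#include <string.h>
#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *)-1L)  /* glibc's value, in case a system header was seen before _GNU_SOURCE */
#endif
/* Opaque OpenSSL types: the shim only passes the pointers through. */
typedef struct ssl_ctx_st SSL_CTX; typedef struct ssl_method_st SSL_METHOD;
typedef SSL_CTX *(*ctx_new_fn)(const SSL_METHOD *);
typedef int (*set_ciphers_fn)(SSL_CTX *, const char *);

/* Default cipher string from the page (the Qualys recommendation; the trailing !RC4 keeps RC4 out). */
static const char TLSI_DEFAULT_CIPHERS[] =
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
    "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:"
    "!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4";

/* The list the shim enforces: TLS_INTERPOSER_CIPHERS when set and non-empty, otherwise the default. */
const char *tlsi_cipher_string(const char *env_value) {
    return (env_value && *env_value) ? env_value : TLSI_DEFAULT_CIPHERS;
}

/* Real OpenSSL SSL_CTX_set_cipher_list(), looked up once in the objects loaded after this shim. */
static set_ciphers_fn real_set_cipher_list(void) {
    static set_ciphers_fn real;
    if (!real) real = (set_ciphers_fn)dlsym(RTLD_NEXT, "SSL_CTX_set_cipher_list");
    return real;
}
/* Wrapped SSL_CTX_new(): create the context with the real function, then pre-set the enforced ciphers. */
SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) {
    static ctx_new_fn real;
    if (!real) real = (ctx_new_fn)dlsym(RTLD_NEXT, "SSL_CTX_new");
    SSL_CTX *ctx = real ? real(meth) : NULL;
    set_ciphers_fn set = real_set_cipher_list();
    if (ctx && set) set(ctx, tlsi_cipher_string(getenv("TLS_INTERPOSER_CIPHERS")));
    return ctx;
}

/* Overridden SSL_CTX_set_cipher_list(): the application's list is ignored and the enforced one applied. */
int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *app_list) {
    (void)app_list;  /* a weak list hard-coded or configured in the application cannot undo the hardening */
    set_ciphers_fn set = real_set_cipher_list();
    return (ctx && set) ? set(ctx, tlsi_cipher_string(getenv("TLS_INTERPOSER_CIPHERS"))) : 0;
}
```

Because the shim swallows the application's own cipher list, verify the effective list with a TLS scanner after deployment rather than trusting the application's configuration file.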
Installation is straightforward: download TLS Interposer from GitHub, build it using make, and install the resulting tlsinterposer.so into the default location (/usr/local/lib in the examples below).
To run a program more securely, prefix its command line with env LD_PRELOAD=/usr/local/lib/tlsinterposer.so. So, for example,
example --listen 123
becomes
env LD_PRELOAD=/usr/local/lib/tlsinterposer.so example --listen 123
To set specific ciphers (assuming a Bourne compatible shell such as bash), put the line
export TLS_INTERPOSER_CIPHERS='<your cipher list>'
before the above command. The format of the cipher list is explained in the OpenSSL ciphers(1) manual page; however, I recommend starting from a proven cipher string instead of trying to build your own from scratch.
Example applications can be found in the TLS Interposer article selection.