Noah Hunt and the 420 All Stars interprètent Cortez the Killer de Neil Young, avec Scotty Bratcher à la guitare lead au MVP Sports Bar and Grill in Cincinnati Ohio, le 30 décembre 2010 :
Ce son de guitare est complétement hypnotique.
Noah Hunt and the 420 All Stars interprètent Cortez the Killer de Neil Young, avec Scotty Bratcher à la guitare lead au MVP Sports Bar and Grill in Cincinnati Ohio, le 30 décembre 2010 :
Ce son de guitare est complétement hypnotique.
Cet article fait suite à un précédent tutoriel – installer la dernière version d’OpenSSL sous Debian.
Cela fait un petit moment que je voulais mettre à jour ma configuration TLS et je me suis dit que la Toussaint serait parfaite pour cela.
Aujourd’hui, le serveur passe donc à TLS 1.3, ce qui nécessite une mise à jour d’OpenSSL et la mise à jour des ciphers sous NginX.
Je n’avais pas mis OpenSSL à jour depuis le dernier tuto donc il est aisé de connaitre sa version:
openssl version
Résultat :
OpenSSL v1.1.0f
Un autre moyen de connaître les versions disponibles dans les repos:
dpkg -l '*openssl*' | awk '/^i/{print $2}' | xargs apt-show-versions -a
Résultat:
openssl:amd64 1.1.0f-5 install ok installed
openssl:amd64 1.1.0f-3+deb9u2 stable debian.mirrors.ovh.net
openssl:amd64 1.1.0f-3+deb9u2 stable security.debian.org
openssl:amd64 1.1.0f-5 newer than version in archive
perl-openssl-defaults:amd64 3 install ok installed
perl-openssl-defaults:amd64 3 stable debian.mirrors.ovh.net
perl-openssl-defaults:amd64/stable 3 uptodate
python3-openssl:all 16.2.0-1 install ok installed
python3-openssl:all 16.2.0-1 stable debian.mirrors.ovh.net
python3-openssl:all/stable 16.2.0-1 uptodate
Pour obtenir la version 1.1.1 d’OpenSSL, qui est le sésame pour TLS 1.3, nous allons temporairement ajouter le repo sid
, mettre à jour OpenSSL et ses dérivés puis remettre apt
dans sa position stable.
On met à jour nos sources apt
:
nano /etc/apt/sources.list
et on y ajoute sid
:
deb http://ftp.debian.org/debian sid main
deb-src http://ftp.debian.org/debian sid main
On met à jour apt
:
apt update
Et on met à jour openssl
:
apt install openssl libssl1.1
Résultat:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
libc-bin libc-dev-bin libc-l10n libc6 libc6-dev libc6-i386 libnih-dbus1 libnih1 libssl-dev locales
python-httplib2
apt-listchanges: News
---------------------
glibc (2.26-5) unstable; urgency=medium
Starting with version 2.26-1, the glibc requires a 3.2 or later Linux
kernel. If you use an older kernel, please upgrade it *before*
installing this glibc version. Failing to do so will end-up with the
following failure:
Preparing to unpack .../libc6_2.26-5_amd64.deb ...
ERROR: This version of the GNU libc requires kernel version
3.2 or later. Please upgrade your kernel before installing
glibc.
The decision to not support older kernels is a GNU libc upstream
decision.
Note: This obviously does not apply to non-Linux kernels.
-- Aurelien Jarno <aurel32@debian.org> Tue, 23 Jan 2018 22:03:12 +0100
openssl (1.1.1-2) unstable; urgency=medium
Following various security recommendations, the default minimum TLS version
has been changed from TLSv1 to TLSv1.2. Mozilla, Microsoft, Google and Apple
plan to do same around March 2020.
The default security level for TLS connections has also be increased from
Suggested packages:
glibc-doc
The following packages will be upgraded:
Setting up libc6-i386 (2.27-8) ...
Setting up python-httplib2 (0.11.3-1) ...
Processing triggers for libc-bin (2.27-8) ...
Setting up libssl1.1:amd64 (1.1.1-2) ...
locale: Cannot set LC_ALL to default locale: No such file or directory
Setting up libc-l10n (2.27-8) ...
Setting up openssl (1.1.1-2) ...
Installing new version of config file /etc/ssl/openssl.cnf ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up libc-dev-bin (2.27-8) ...
Setting up libc6-dev:amd64 (2.27-8) ...
Setting up locales (2.27-8) ...
Installing new version of config file /etc/locale.alias ...
Generating locales (this might take a while)...
en_GB.ISO-8859-1... done
en_GB.UTF-8... done
en_GB.ISO-8859-15... done
Generation complete.
Setting up libnih1 (1.0.3-10+b1) ...
Setting up libnih-dbus1 (1.0.3-10+b1) ...
Setting up libssl-dev:amd64 (1.1.1-2) ...
Processing triggers for libc-bin (2.27-8) ...
Scanning processes...
Scanning candidates...
Scanning linux images...
Failed to retrieve available kernel versions.
Restarting services...
invoke-rc.d bind9 restart
invoke-rc.d cgmanager restart
invoke-rc.d cgproxy restart
invoke-rc.d fail2ban restart
ERROR No section: 'Definition'
ERROR No section: 'Definition'
ERROR No section: 'Definition'
ERROR No section: 'Definition'
ERROR No section: 'Definition'
ERROR No section: 'Definition'
ERROR No section: 'Definition'
ERROR No section: 'Definition'
invoke-rc.d haveged restart
invoke-rc.d irqbalance restart
invoke-rc.d lvm2-lvmetad restart
invoke-rc.d lvm2-lvmpolld restart
invoke-rc.d lwresd restart
invoke-rc.d mdadm restart
invoke-rc.d mdadm-waitidle restart
invoke-rc.d minissdpd restart
invoke-rc.d nginx restart
invoke-rc.d opendkim restart
invoke-rc.d opendmarc restart
invoke-rc.d php7.2-fpm restart
invoke-rc.d postfix restart
invoke-rc.d redis-server restart
invoke-rc.d rsyslog restart
invoke-rc.d saslauthd restart
invoke-rc.d ssh restart
Services being skipped:
invoke-rc.d dbus restart
No containers need to be restarted.</aurel32@debian.org>
On teste notre nouvelle verison d’openssl:
openssl version
Résultat:
OpenSSL 1.1.1 11 Sep 2018
Et en un peu plus précis:
dpkg -l '*openssl*' | awk '/^i/{print $2}' | xargs apt-show-versions -a
Résultat:
openssl:amd64 1.1.1-2 install ok installed
openssl:amd64 1.1.0f-3+deb9u2 stable debian.mirrors.ovh.net
openssl:amd64 1.1.0f-3+deb9u2 stable security.debian.org
openssl:amd64 1.1.1-2 sid ftp.debian.org
openssl:amd64/sid 1.1.1-2 uptodate
perl-openssl-defaults:amd64 3 install ok installed
perl-openssl-defaults:amd64 3 stable debian.mirrors.ovh.net
perl-openssl-defaults:amd64 3 sid ftp.debian.org
perl-openssl-defaults:amd64/stable 3 uptodate
python3-openssl:all 16.2.0-1 install ok installed
python3-openssl:all 16.2.0-1 stable debian.mirrors.ovh.net
python3-openssl:all 18.0.0-1 sid ftp.debian.org
python3-openssl:all/stable 16.2.0-1 upgradeable to 18.0.0-1
Il ne nous reste plus qu’à ajouter les nouveaux ciphers pour TLS 1.3 pour les services sécurisés.
Nous mettons donc la configuration des server blocks NginX à jour:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "TLS13+AESGCM+AES128:EECDH+AESGCM:EECDH+CHACHA20";
On vérifie la configuration:
nginx -t
et on redémarre le serveur:
service nginx restart
Il ne vous reste plus qu’à vérifier votre configuration TLS sur SSL Labs.
Our deepest fear is not that we are inadequate, our deepest fear is that we are powerful beyond measure, beyond measure.
Ima show you, how great I am.
Last night I cut the light off in my bedroom, hit the switch, and was in the bed before the room was dark.
Ima show you, how great I am.
Only last week, I murdered a rock, injured a stone, hospitalized a brick, Im so mean I make medicine sick.
Ima show you, how great I am.
This kids gonna be the best kid in the world.
This kids gonna be somebody better than anybody I ever knew.Ima show you, how great I am.
I have wrastled with an alligator, I done tussled with a whale, I done handcuffed lightnin, thrown thunder in jail.
Ima show you, how great I am.
All you chumps are gonna bow when I whoop him, all of you, I know you got him, I know you’ve got him picked, but the man’s in trouble, Ima show you how great I am.
But somewhere along the line you changed, you stopped being you.
You let people stick a finger in your face and tell you youre no good, and when things got hard, you started looking for something to blame, like a big shadow.
Let me tell you something you already know, the world ain’t all sunshine and rainbows, it’s a very mean and nasty place and I don’t care how tough you are, it will beat you to your knees and keep you there permanently if you let it.You, me, or nobody, is gonna hit as hard as life; but it ain’t about how hard you hit, it’s about how hard you can get hit and keep moving forward, how much you can take and keep moving forward. That’s how winning is done !
Cause if you’re willin to go through all the battling you gotta go through to get to where you wanna get, whos got the right to stop you.
I mean maybe some of you guys got something you never finished, something you really want to do, something you never said to somebody, something.
And you’re told no even after you pay your dues, whos got the right to tell you that, who? Nobody!
It’s your right to listen to your gut, it ain’t nobody’s right to say no, after you earn the right to be where you want to be and do what you want to do.Now if you know what you’re worth, then go out and get what you’re worth.
But you’ve gotta be willing to take the hits.
And not pointing fingers saying you aint where you wanna be because of him, or her, or anybody.
Cowards do that and that ain’t you!
You’re better than that!Our deepest fear is not that we are inadequate. Our deepest fear is that we are powerful beyond measure. It is our light, not our darkness that most frightens us.
There is nothing enlightened about shrinking so that other people will not feel insecure around you. We are all meant to shine, as children do. It is not just in some of us; it is in everyone and as we let our own light shine, we unconsciously give others permission to do the same. As we are liberated from our own fear, our presence automatically liberates others.
Our deepest fear is not that we are inadequate, our deepest fear is that we are powerful beyond measure.
All you chumps are gonna bow when I whoop him, all of you, I know you got him, I know you’ve got him picked, but the man’s in trouble, Ima show you how great I am.
Edited by Eric Horner. Video footage from Snatch. Audio clips from Muhammad Ali’s speech, Rocky, and Coach Carter, and text by Marianne Williamson. Still photography by Gabriel Stiritz and Lauren Lauren Herreid. Music from Transformers and Gladiator (Hanz Zimmer).