stmiller (Tux's lil' helper)
Joined: 28 Feb 2006 Posts: 119
Posted: Tue Apr 08, 2014 12:34 am Post subject: emerge apache without ssl heartbeat [solved]
In light of this vuln, http://seclists.org/oss-sec/2014/q2/27 (CVE-2014-0160), I am curious if it is possible to emerge apache without the mod_ssl heartbeat feature.
Is that possible?
I can see that some TLS servers of various vendors have heartbeating disabled and I am curious if I can do the same with Gentoo. Ex:
Code:
$ openssl s_client -connect www.qualys.com:443 -tlsextdebug
[skip]
PSK identity hint: None
SRP username: None
Start Time: 1396916504
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
B
HEARTBEATING
140408723089064:error:1413B16D:SSL routines:SSL_F_TLS1_HEARTBEAT:peer does not accept heartbearts:t1_lib.c:2566:
Last edited by stmiller on Tue Apr 08, 2014 3:22 pm; edited 1 time in total
stmiller (Tux's lil' helper)
Joined: 28 Feb 2006 Posts: 119
Posted: Tue Apr 08, 2014 1:18 am
Welp, answering my own question.
Emerging openssl with the USE flag -tls-heartbeat does the trick. Thanks,
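As an added example (not code from this thread or from Gentoo): the `B` command in the s_client session above sends a heartbeat request, and it only works if the server advertised the TLS heartbeat extension (id 15, RFC 6520) in its ServerHello, which `-tlsextdebug` prints. The helper below decides from that dump whether the extension was advertised, so the result of rebuilding openssl with `-tls-heartbeat` can be verified on a server you administer. The two sample dumps are constructed for the example; the portage lines at the end assume a directory-style /etc/portage/package.use.

```shell
#!/bin/sh
# Added example: check whether a server advertised the TLS heartbeat extension,
# based on the extension lines that `openssl s_client -tlsextdebug` prints.
# A server whose openssl was built without heartbeat support never sends this
# extension, which is what the "peer does not accept heartbeats" error shows.

# Constructed sample of a -tlsextdebug dump from a server that advertises
# heartbeat (the line format is the one openssl uses for server extensions).
SAMPLE_WITH_HB='CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "heartbeat" (id=15), len=1
0000 - 01                                                .
TLS server extension "session ticket" (id=35), len=0'

# Constructed sample from a server built without heartbeat support.
SAMPLE_WITHOUT_HB='CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "session ticket" (id=35), len=0'

# Reads a -tlsextdebug dump on stdin; exit 0 if the heartbeat extension
# (id=15) appears, 1 otherwise. Matching on the id avoids false hits on
# the word "heartbeat" elsewhere in the output.
heartbeat_advertised() {
    grep -q 'TLS server extension "heartbeat" (id=15)'
}

# Takes the dump as a string, prints a verdict, returns 0 when advertised.
check_dump() {
    if printf '%s\n' "$1" | heartbeat_advertised; then
        echo "heartbeat: advertised"
        return 0
    else
        echo "heartbeat: not advertised"
        return 1
    fi
}

# Live check against a host you administer, e.g. after the rebuild:
#   check_host www.example.org 443   (hypothetical host)
# stdin is /dev/null so s_client ends the session after the handshake.
check_host() {
    openssl s_client -connect "$1:$2" -tlsextdebug </dev/null 2>/dev/null \
        | heartbeat_advertised
}

# Portage side of the thread's fix (assumes a package.use directory):
#   echo 'dev-libs/openssl -tls-heartbeat' >> /etc/portage/package.use/openssl
#   emerge --oneshot dev-libs/openssl
# then restart apache and re-run check_host against it.
```

Running the script on the two constructed dumps prints "heartbeat: advertised" for the first and "heartbeat: not advertised" for the second; the live `check_host` function feeds a real handshake through the same test.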
lagalopex (Guru)
Joined: 16 Oct 2004 Posts: 562
Posted: Tue Apr 08, 2014 7:58 am
Alternative (and off-topic) to fix openssl but keep heartbeat enabled:
Update to dev-libs/openssl-1.0.1g (it is already in portage)
SamuliSuominen (Retired Dev)
Joined: 30 Sep 2005 Posts: 2133 Location: Finland
Posted: Tue Apr 08, 2014 8:15 am
1.0.1g is now stable on both amd64 and x86, so time to `emerge --sync` and upgrade.