Gentoo Forums
Heartbleed - fix
Gentoo Forums Forum Index Networking & Security
Joseph_sys
Advocate
Joined: 08 Jun 2004
Posts: 2571
Location: Edmonton, AB
PostPosted: Mon Apr 28, 2014 1:55 pm    Post subject: Heartbleed - fix

Which program do I upgrade to fix the Heartbleed bug?

http://safeweb.norton.com/heartbleed/
is showing me my server is vulnerable.
I'm using dev-libs/openssl-0.9.8y
_________________
#Thelma
krinn
Watchman
Joined: 02 May 2003
Posts: 6962
PostPosted: Mon Apr 28, 2014 2:17 pm

https://forums.gentoo.org/viewtopic-t-988198.html
aCOSwt
Bodhisattva
Joined: 19 Oct 2007
Posts: 2537
Location: Hilbert space
PostPosted: Mon Apr 28, 2014 2:23 pm

As your version of openssl is said to be unaffected, what about testing with another tool? Or giving us more information?

Joseph_sys
Advocate
Joined: 08 Jun 2004
Posts: 2571
Location: Edmonton, AB
PostPosted: Mon Apr 28, 2014 3:01 pm

aCOSwt wrote:
As your version of openssl is said to be unaffected, what about testing with another tool? Or giving us more information?

What tool should I use?
What other information can I supply?

I was under the impression that my server is not affected as I'm using openssl-0.9.8y.
Is http://safeweb.norton.com/heartbleed/
checking my firewall or my server behind the firewall?
My router is using: DD-WRT v24-sp2
_________________
#Thelma
aCOSwt
Bodhisattva
Joined: 19 Oct 2007
Posts: 2537
Location: Hilbert space
PostPosted: Mon Apr 28, 2014 3:24 pm

Try that one. At least it tells you what is going wrong: https://www.ssllabs.com/ssltest/index.html

Joseph_sys
Advocate
Joined: 08 Jun 2004
Posts: 2571
Location: Edmonton, AB
PostPosted: Mon Apr 28, 2014 3:35 pm

aCOSwt wrote:
Try that one. At least it tells you what is going wrong: https://www.ssllabs.com/ssltest/index.html

Thanks, after running it on my web page I got this feedback:
Quote:
Protocol Details
Secure Renegotiation: Supported
Secure Client-Initiated Renegotiation: No
Insecure Client-Initiated Renegotiation: No
BEAST attack: Not mitigated server-side; SSL 3: 0x6, TLS 1.0: 0x6
TLS compression: Yes, INSECURE
RC4: Yes (not with TLS 1.1 and newer)
Heartbleed: Yes
Forward Secrecy: With some browsers
Next Protocol Negotiation: No
Session resumption (caching): Yes
Session resumption (tickets): Yes
OCSP stapling: No
Strict Transport Security (HSTS): No
Long handshake intolerance: No
TLS extension intolerance: No
TLS version intolerance: TLS 2.98
SSL 2 handshake compatibility: Yes

I even added the USE flag "-DOPENSSL_NO_HEARTBEATS" to make.conf,
but "emerge -uDNavq world" did not pull anything.
_________________
#Thelma
Joseph_sys
Advocate
Joined: 08 Jun 2004
Posts: 2571
Location: Edmonton, AB
PostPosted: Mon Apr 28, 2014 3:51 pm

I'm using apache-2.2.25.
Which file contains the setting for SSLCompression?
I'm trying to turn it off.
_________________
#Thelma
Joseph_sys
Advocate
Joined: 08 Jun 2004
Posts: 2571
Location: Edmonton, AB
PostPosted: Mon Apr 28, 2014 4:09 pm

OK, I've turned the compression off in
40_mod_ssl.conf
by adding:
SSLCompression off

but I'm still failing on:
Heartbleed: Yes
Forward Secrecy: With some browsers
_________________
#Thelma
Joseph_sys
Advocate
Joined: 08 Jun 2004
Posts: 2571
Location: Edmonton, AB
PostPosted: Mon Apr 28, 2014 4:36 pm

It seems to me I made an error. I was using OpenSSL-1.0.1f:

Code:
dev-libs/openssl
     Available versions: 
     (0.9.8) 0.9.8y
     (0)    1.0.0j 1.0.1f
       {bindist gmp kerberos rfc3779 sse2 static-libs test +tls-heartbeat vanilla zlib}
     Installed versions:  0.9.8y(0.9.8)(11:06:09 PM 10/18/2013)(sse2 zlib -bindist -gmp -kerberos -test) 1.0.1f(12:57:54 PM 03/21/2014)(sse2 tls-heartbeat zlib -bindist -gmp -kerberos -rfc3779 -static-libs -test -vanilla)

I've downgraded to dev-libs/openssl-1.0.0j,
but when I try to restart apache I get an error:
Code:
* apache2 has detected an error in your setup:
apache2: Syntax error on line 125 of /etc/apache2/httpd.conf: Cannot load /usr/lib64/apache2/modules/mod_ssl.so into server: /usr/lib64/apache2/modules/mod_ssl.so: undefined symbol: TLSv1_1_client_method
 * ERROR: apache2 failed to stop

revdep-rebuild does not help.
_________________
#Thelma
Navar
Guru
Joined: 20 Aug 2012
Posts: 353
PostPosted: Mon Apr 28, 2014 9:57 pm

Why not just upgrade and be done with it?

After a sync today:

Code:
 # glsa-check -tv all
This system is not affected by any of the listed GLSAs
 # equery l apache
 * Searching for apache ...
[IP-] [  ] www-servers/apache-2.2.25:2
 # equery l openssl
 * Searching for openssl ...
[IP-] [  ] dev-libs/openssl-1.0.1g:0
 # uname -r
3.13.6-hardened-r3
TomWij
Retired Dev
Joined: 04 Jul 2012
Posts: 1553
PostPosted: Mon Apr 28, 2014 10:18 pm

Joseph @ gentoo-user ML wrote:
This is my running server so I try to upgrade the backup first before upgrading the main server.
I recompiled 1.0.1f without "tls-heartbeat" and it solved the problem.

Can you please consider avoiding cross-posting for support simultaneously?

Feel free to point people to the same place; in the future, trying one place after the other works out well.
Whether your problem is fixed is unclear to me, as I now see one place report it as such,
whereas the other seems to suggest there is still a problem...

If it is fixed, can you edit the subject of the first post here to include [SOLVED]?
If it is not fixed, can you check whether you match Navar's specifications,
as well as confirm that you still experience the problem after that?

Thank you very much in advance.
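A small local check that ties together Navar's "just upgrade" advice and the recompile-without-heartbeats route quoted by TomWij, written as an added example that is not part of the thread or of any Gentoo tooling: it reads the text that `openssl version -a` prints and reports whether the build sits in the Heartbleed range and, if so, whether it was compiled with `-DOPENSSL_NO_HEARTBEATS` (which is what toggling Gentoo's `tls-heartbeat` USE flag does; the define is a compiler flag, so it takes effect through that USE flag, not by adding the `-D` string to USE in make.conf). The rule it applies, OpenSSL 1.0.1 through 1.0.1f affected, 1.0.1g fixed, the 0.9.8 and 1.0.0 branches never having had the heartbeat extension, is general knowledge about the bug rather than something the thread spells out. The two sample outputs embedded in the script are constructed, not captured from anyone's server.

```shell
#!/bin/sh
# Classify an OpenSSL build's Heartbleed exposure from `openssl version -a` output.
# Added example, not from the thread. Rule applied:
#   1.0.1 .. 1.0.1f  -> affected (1.0.1g fixed it)
#   0.9.8.x, 1.0.0.x -> not affected (no heartbeat extension at all)
# A 1.0.1x build compiled with -DOPENSSL_NO_HEARTBEATS (Gentoo: USE=-tls-heartbeat)
# still reports the vulnerable version string, so the compiler line is checked too.

# Constructed sample outputs (not captured from any real host).
SAMPLE_1_0_1F='OpenSSL 1.0.1f 6 Jan 2014
built on: Fri Mar 21 12:57:54 2014
platform: linux-x86_64
compiler: x86_64-pc-linux-gnu-gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -m64 -DL_ENDIAN -O2 -pipe
OPENSSLDIR: "/etc/ssl"'

SAMPLE_1_0_1F_NOHB='OpenSSL 1.0.1f 6 Jan 2014
built on: Mon Apr 28 2014
platform: linux-x86_64
compiler: x86_64-pc-linux-gnu-gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
OPENSSLDIR: "/etc/ssl"'

# Print the bare version token (e.g. "1.0.1f") from the first "OpenSSL ..." line.
openssl_version_token() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# Print one of: unknown | not-affected | affected | heartbeats-disabled
heartbleed_status() {
    out=$1
    ver=$(openssl_version_token "$out")
    case $ver in
        '')
            echo unknown
            ;;
        1.0.1|1.0.1[a-f])
            # In range; only a no-heartbeats build is safe by construction.
            if printf '%s\n' "$out" | grep -q -- '-DOPENSSL_NO_HEARTBEATS'; then
                echo heartbeats-disabled
            else
                echo affected
            fi
            ;;
        *)
            echo not-affected
            ;;
    esac
}

# Stand-alone run: classify the two samples, then the local openssl if present.
echo "sample 1.0.1f:              $(heartbleed_status "$SAMPLE_1_0_1F")"
echo "sample 1.0.1f no-heartbeat: $(heartbleed_status "$SAMPLE_1_0_1F_NOHB")"
if command -v openssl >/dev/null 2>&1; then
    echo "local openssl:              $(heartbleed_status "$(openssl version -a 2>/dev/null)")"
fi
```

A version string is evidence, not proof: a vendor-backported fix reports an "affected" version while being safe, and the script only sees the library the `openssl` binary links against, which may differ from the one a running apache loaded before an upgrade (a restart is still needed). For a service exposed to the network, a handshake-level scan such as the SSL Labs test quoted above remains the final word.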