heartbleed openssl bug, need 1.0.1g openssl version

General support questions
ibrewster
Posts: 9
Joined: 2014/04/11 20:27:05

Re: heartbleed openssl bug, need 1.0.1g openssl version

Post by ibrewster » 2014/04/11 20:42:41

Well, I ran yum update, and got the 5.7 release of OpenSSL:


# rpm -q openssl
openssl-1.0.1e-16.el6_5.7.i686
#
I then rebooted my machine to make sure everything was loaded properly.
However, https://access.redhat.com/labs/heartbleed/ and http://filippo.io/Heartbleed/ both report my machine as still being vulnerable. Unlike @shbmira, I don't believe we are using mod_spdy (I never explicitly installed it, and I don't see any reference to it in the https.conf). What am I missing?

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: heartbleed openssl bug, need 1.0.1g openssl version

Post by TrevorH » 2014/04/11 20:48:03

Could you run `strings /usr/lib/httpd/modules/* | grep "openssl 1"` and see if anything reports as other than "OpenSSL 1.0.1e-fips 11 Feb 2013".
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

ibrewster
Posts: 9
Joined: 2014/04/11 20:27:05

Re: heartbleed openssl bug, need 1.0.1g openssl version

Post by ibrewster » 2014/04/11 20:50:09

TrevorH wrote: Could you run `strings /usr/lib/httpd/modules/* | grep "openssl 1"` and see if anything reports as other than "OpenSSL 1.0.1e-fips 11 Feb 2013".


# strings /usr/lib/httpd/modules/* | grep "openssl 1"
# 
So nothing openssl related at all. Apparently.

ibrewster
Posts: 9
Joined: 2014/04/11 20:27:05

Re: heartbleed openssl bug, need 1.0.1g openssl version

Post by ibrewster » 2014/04/11 20:56:43

Wait, I think I may have it. This machine is my OpenVPN server, and OpenVPN needs an update installed to fix the vulnerability as well. Let me try that and see what happens.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: heartbleed openssl bug, need 1.0.1g openssl version

Post by avij » 2014/04/11 21:25:42

I believe your webserver is not using those openssl packages but some other openssl. Run "lsof -n | grep libssl | grep http" or similar, and see which libssl files are in use.

Installing mod_spdy does not make changes to your httpd.conf, but it creates files spdy.conf and load_ssl_with_npn.conf in /etc/httpd/conf.d/ , and some module files get installed elsewhere. Configuration files in that directory are loaded automatically. If you do have those files, you have mod_spdy installed. If that is the case, you can either update the package or remove it with "yum remove mod-spdy-beta".

Run "ps ax | grep httpd". Does it show /usr/sbin/httpd or some other path?
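Added example, not from the thread or from any of the posters: a small POSIX shell script that does what avij describes, listing the libssl/libcrypto objects a running process has mapped and the path of its executable, by reading /proc/<pid>/maps instead of lsof, and then asking rpm -qf whether each mapped library belongs to a distro package. It assumes a Linux /proc and the rpm tool; the sample maps content, the PID and the /opt/openvpn_as path are constructed for illustration and are not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): find out which libssl/libcrypto objects a
# running service has actually mapped, by reading /proc/<pid>/maps rather than
# relying on lsof. Assumes a Linux /proc and, for check_packaged, the rpm tool.

# Print the unique libssl/libcrypto paths mapped according to one maps file.
# Usage: ssl_libs_in_maps /proc/<pid>/maps
ssl_libs_in_maps() {
    awk '$6 ~ "/lib(ssl|crypto)[^/]*\\.so" { print $6 }' "$1" | sort -u
}

# For every process whose command name equals $1 (httpd, openvpn, ...), print
# the executable path (answers "is it /usr/sbin/httpd or some other path?") and
# then each mapped libssl/libcrypto object, one per line, prefixed by the PID.
ssl_libs_for_proc() {
    name="$1"
    for comm in /proc/[0-9]*/comm; do
        pid="${comm#/proc/}"; pid="${pid%/comm}"
        [ "$(cat "$comm" 2>/dev/null)" = "$name" ] || continue
        echo "$pid exe=$(readlink "/proc/$pid/exe" 2>/dev/null)"
        ssl_libs_in_maps "/proc/$pid/maps" 2>/dev/null | sed "s|^|$pid |"
    done
}

# Given library paths, report which ones belong to a distro rpm and which do not
# (rpm -qf exits non-zero for a file not owned by any package). Returns 1 when
# at least one foreign library is loaded, 0 when all of them are packaged.
check_packaged() {
    rc=0
    for lib in "$@"; do
        if pkg=$(rpm -qf "$lib" 2>/dev/null); then
            echo "packaged:   $lib ($pkg)"
        else
            echo "UNPACKAGED: $lib"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of a maps file (hypothetical addresses; the /opt/openvpn_as
# path is an assumed location for a bundled OpenSSL, not one from the thread).
sample_maps() {
    cat <<'EOF'
7f0c5c000000-7f0c5c021000 r-xp 00000000 fd:01 262145 /lib64/libssl.so.1.0.1e
7f0c5c021000-7f0c5c221000 ---p 00021000 fd:01 262145 /lib64/libssl.so.1.0.1e
7f0c5c300000-7f0c5c4b0000 r-xp 00000000 fd:01 262146 /lib64/libcrypto.so.1.0.1e
7f0c5c500000-7f0c5c510000 r-xp 00000000 fd:01 393217 /opt/openvpn_as/lib/libssl.so.1.0.1
7f0c5c600000-7f0c5c620000 r-xp 00000000 fd:01 131073 /lib64/libc-2.12.so
EOF
}

# Stand-alone demo on the constructed sample. On a real box run, for example:
#   ssl_libs_for_proc httpd
#   check_packaged $(ssl_libs_in_maps /proc/<pid>/maps)
demo_maps=$(mktemp)
sample_maps > "$demo_maps"
ssl_libs_in_maps "$demo_maps"
rm -f "$demo_maps"
```

A library that shows up under a path such as /opt/... and is reported as unpackaged is exactly the case the thread ends up at: a service shipping its own OpenSSL, which yum update does not touch, so the checkers keep reporting the host as vulnerable until that bundled copy is updated.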

ibrewster
Posts: 9
Joined: 2014/04/11 20:27:05

Re: heartbleed openssl bug, need 1.0.1g openssl version

Post by ibrewster » 2014/04/11 22:10:16

Confirmed: OpenVPN Access server was the issue in my case. Upgrading to the latest version with the fix completely broke OpenVPN for me, but they also provided a fix for "older versions" which did the trick. The testing sites are now happy.

TECK
Posts: 102
Joined: 2007/03/19 21:59:24
Location: Montreal, Canada

Re: heartbleed openssl bug, need 1.0.1g openssl version

Post by TECK » 2014/04/29 03:54:31

gerald_clark wrote:
TECK wrote: Or you could install OpenSSL 1.0.1g directly. https://www.axivo.com/packages/setup
Why in the world would you recommend that?
Only the CentOS openssl should be installed.
Most of the problems being reported are due to foreign openssl package conflicts.
Sorry, but I have a fair amount of knowledge of OpenSSL, and my packages have several patches and optimizations not present in the CentOS rpms, some of them being part of RHEL7/Fedora21:
https://www.axivo.com/resources/openssl-setup.2/

As a side note, we don't build FIPS; it is also noted by CentOS developers that it should be used only for debug purposes. OpenSSL developers stated clearly that "OpenSSL FIPS itself is not validated, and never will be." Besides that, if you change a single character in the FIPS code (which CentOS patches do), nothing validates, hence the note to use it for debug purposes.
http://www.openssl.org/docs/fips/fipsnotes.html

My compile options (note the build date):


# openssl version -a
OpenSSL 1.0.1g 7 Apr 2014
built on: Mon Apr  7 15:55:48 EDT 2014
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O3 -g -m64 -mtune=nocona -m128bit-long-double -mmmx -msse3 -mfpmath=sse -Wa,--noexecstack -fomit-frame-pointer -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  rsax rdrand dynamic

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: heartbleed openssl bug, need 1.0.1g openssl version

Post by TrevorH » 2014/04/29 08:21:10

This is a CentOS forum and we do not recommend that users replace critical security packages with ones from any other source.

hawkmage
Posts: 162
Joined: 2011/12/17 00:00:11

Re: heartbleed openssl bug, need 1.0.1g openssl version

Post by hawkmage » 2014/05/02 02:20:42

I support over 100 Linux servers running either RHEL or CentOS. We do build our own OpenSSL and various services for our needs. This is a full time job to manage the patching and version releases. Unless you are willing and able to devote a lot of time to doing this, you are far better off leaving it to the distro maintainer to manage this.

For the heartbleed vulnerability instead of just doing a yum package update I spent days building various packages and deploying them.

TECK
Posts: 102
Joined: 2007/03/19 21:59:24
Location: Montreal, Canada

Re: heartbleed openssl bug, need 1.0.1g openssl version

Post by TECK » 2014/06/10 02:47:41

This is a tutorial I wrote on how to easily upgrade to OpenSSL 1.0.1h on CentOS 6:
https://www.axivo.com/resources/openssl-setup.2/

Hope this will help someone.
