openssl1.0.2 for centos5.9 for FREAK vulnerability

pasokitlog
Posts: 3
Joined: 2015/03/18 07:20:04

openssl1.0.2 for centos5.9 for FREAK vulnerability

Post by pasokitlog » 2015/03/18 07:34:19

A check on https://tools.keycdn.com/freak?? shows that our CentOS 5.9 server is vulnerable to FREAK.
We installed openssl 1.0.2 from http://openssl.org/source/,
and when I check the rpm changelog it shows the fix for CVE-2014-0224 is installed, but it seems this is not being used by the system.

I did a check on the openssl version and it shows 1.0.2:
[root@PHdemo ~]# openssl version -a
OpenSSL 1.0.2 22 Jan 2015
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/ssl"
[root@PHdemo ~]#

I found on another article that manually installing openssl version 1.0.2 is not enough; everything else in the system needs to be recompiled to use version 1.0.2:
http://stackoverflow.com/questions/2701 ... centos-6-5

How do I properly install/compile everything in CentOS 5.9 to use the new openssl version 1.0.2 instead of the 0.9.8 that CentOS 5.9 supports?

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: openssl1.0.2 for centos5.9 for FREAK vulnerability

Post by TrevorH » 2015/03/18 09:06:20

First off, you are doing this completely the wrong way. Step 1) update to 5.11. Your 5.9 system is 2 years out of date and needs yum update to be run to bring it up to 5.11 which is the current version. This will install openssl-0.9.8e-32.el5_11 which already contains the fix for CVE-2014-0224.

You also need to work out how to *undo* the damage you've done by using a source install. You will need to uninstall that - carefully I might add, since it might break things.

You almost certainly cannot rebuild the entire system to use your newer version of openssl and even if you could, it's pointless anyway since the CentOS supplied 0.9.8e already has the patch available via yum update.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

pasokitlog
Posts: 3
Joined: 2015/03/18 07:20:04

Re: openssl1.0.2 for centos5.9 for FREAK vulnerability

Post by pasokitlog » 2015/03/19 09:23:01

Thanks for the reply TrevorH.

I did a yum update openssl to bring back my openssl version to the previous one.
Rebooted.
Then I did a yum update and I'm now at 5.11.
I saw the new version 5.11 upon login when I rebooted.

Did a yum info openssl and it shows the following:
[root@PHdemo ~]# yum info openssl
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
* base: ftpmirror.your.org
* extras: mirror.steadfast.net
* updates: mirror.fdcservers.net
Installed Packages
Name : openssl
Arch : i686
Version : 0.9.8e
Release : 32.el5_11
Size : 3.4 M
Repo : installed
Summary : The OpenSSL toolkit
URL : http://www.openssl.org/
License : BSDish
Description: The OpenSSL toolkit provides support for secure communications
: between machines. OpenSSL includes a certificate management tool
: and shared libraries which provide various cryptographic algorithms
: and protocols.

Name : openssl
Arch : x86_64
Version : 0.9.8e
Release : 32.el5_11
Size : 3.5 M
Repo : installed
Summary : The OpenSSL toolkit
URL : http://www.openssl.org/
License : BSDish
Description: The OpenSSL toolkit provides support for secure communications
: between machines. OpenSSL includes a certificate management tool
: and shared libraries which provide various cryptographic algorithms
: and protocols.


Supposedly this version of openssl is not vulnerable to FREAK, but I read somewhere that I should be at version 1.0.2?
The problem is when I check the website https://tools.keycdn.com/freak??
it still shows I'm vulnerable to FREAK.

Will try on another server.

Thanks.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: openssl1.0.2 for centos5.9 for FREAK vulnerability

Post by TrevorH » 2015/03/19 09:46:03

Run rpm -Va openssl\* to check that your openssl is installed correctly and not still parts of it overwritten by your source install.

However, it also appears that FREAK is not fixed in el5 and RH have no plans to do so. https://access.redhat.com/discussions/1381693

It's still not advisable to install openssl outside the package management system and you'd still need to rebuild most of the o/s if you did so.

pasokitlog
Posts: 3
Joined: 2015/03/18 07:20:04

Re: openssl1.0.2 for centos5.9 for FREAK vulnerability

Post by pasokitlog » 2015/03/23 05:52:56

I redid the update on another server where I did not do a manual install of openssl 1.0.2.
At the end, it showed I'm upgraded to 5.11; rebooted. It shows the fix for CVE-2014-0224 is applied, but I'm confirming that CentOS 5 does not resolve the FREAK vulnerability: when I did the test after the upgrade to 5.11, it still shows up as vulnerable.

Below are the results after yum update -y and reboot:

[root@ ~]# rpm -q --changelog openssl | grep CVE-2014-0224
- fix for CVE-2014-0224 - SSL/TLS MITM vulnerability
- fix for CVE-2014-0224 - SSL/TLS MITM vulnerability
[root@ ~]# openssl version -a
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
built on: Mon Jan 12 03:40:30 EST 2015
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) blowfish(ptr2)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -I/usr/kerberos/include -DL_ENDIAN -DTERMIO -Wall -DMD32_REG_T=int -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DOPENSSL_USE_NEW_FUNCTIONS -fno-strict-aliasing -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: dynamic
[root@ ~]# cat /etc/redhat-release
CentOS release 5.11 (Final)
[root@ ~]#rpm -Va openssl\*a
[root@ ~]#

What do I need to do to get openssl 1.0.2 to work in CentOS 5 and resolve the FREAK vulnerability?
I need some steps to follow; if that is not possible, or not feasible/advisable, I would need an alternative course of action.
If there is no way it will work with CentOS 5, I will have to go with CentOS 6 then...
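Added example, not code from the thread and not CentOS or Red Hat tooling: a POSIX shell script with two checks for the situation discussed in TrevorH's rpm -Va post and in the last post above. The first lists the libssl/libcrypto files a running process has actually mapped and whether any RPM owns them, so a leftover source install under /usr/local/ssl shows up even when the package itself verifies clean. The second filters an `openssl ciphers -v` listing down to the export-grade suites FREAK relies on; feeding it the cipher string the service is configured with tells you whether that service still offers them, which is the server-side condition the online test is checking and which can be closed in the service's configuration even where the library is not patched. The cipher-list lines, the /proc maps excerpt and the function names are my own constructions for the offline run.

```shell
#!/bin/sh
# Added example, not code from the thread. Defender-side checks for a CentOS 5
# host after a stray source install of OpenSSL: which libssl/libcrypto a
# process really loaded, and whether export-grade (FREAK) suites are offered.

# Print unique libssl/libcrypto files from /proc/<pid>/maps text on stdin.
# Field 6 of a maps line is the mapped file (empty for anonymous mappings).
libssl_paths_from_maps() {
    awk '$6 ~ "/lib(ssl|crypto)[^/]*[.]so" { print $6 }' | sort -u
}

# Live variant: for a running service, show each mapped library and the RPM
# that owns it; a file no package owns came from outside yum (source install).
check_process_libssl() {
    pid="$1"
    libssl_paths_from_maps < "/proc/$pid/maps" | while read -r lib; do
        if owner=$(rpm -qf "$lib" 2>/dev/null); then
            printf '%s: owned by %s\n' "$lib" "$owner"
        else
            printf '%s: NOT owned by any package (source install?)\n' "$lib"
        fi
    done
}

# From `openssl ciphers -v` lines on stdin, print the names of export-grade
# suites: EXP* names or 512-bit RSA/DH key exchange (field 3, Kx=...).
export_suites() {
    awk '$1 ~ "^EXP" || $3 ~ "^Kx=(RSA|DH)[(]512[)]" { print $1 }'
}

# Number of export suites in the listing on stdin; 0 is what you want.
count_export_suites() {
    export_suites | wc -l | tr -d ' '
}

# Constructed sample in the format `openssl ciphers -v` prints (0.9.8/1.0.x).
SAMPLE_CIPHERS='DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-ADH-DES-CBC-SHA     SSLv3 Kx=DH(512)  Au=None Enc=DES(40)   Mac=SHA1 export
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1'

# Constructed /proc/<pid>/maps excerpt: packaged libssl plus a libcrypto
# from a source install under /usr/local/ssl shadowing the system copy.
SAMPLE_MAPS='7f0000000000-7f0000001000 r-xp 00000000 fd:00 1234 /lib64/libssl.so.0.9.8e
7f0000001000-7f0000002000 r--p 00000000 fd:00 1234 /lib64/libssl.so.0.9.8e
7f0000002000-7f0000003000 r-xp 00000000 fd:00 5678 /usr/local/ssl/lib/libcrypto.so.1.0.0
7f0000003000-7f0000004000 rw-p 00000000 00:00 0
7f0000004000-7f0000005000 r-xp 00000000 fd:00 9999 /lib64/libc-2.5.so'

# Stand-alone run on the constructed data. Against a real host you would use:
#   openssl ciphers -v 'ALL:COMPLEMENTOFALL' | export_suites      # what the library can do
#   openssl ciphers -v '<cipher string from the service config>' | export_suites  # what it offers
#   check_process_libssl "$(pidof -s httpd)"
printf '%s\n' "$SAMPLE_MAPS" | libssl_paths_from_maps
printf 'export-grade suites offered: %s\n' "$(printf '%s\n' "$SAMPLE_CIPHERS" | count_export_suites)"
printf '%s\n' "$SAMPLE_CIPHERS" | export_suites
```

A cipher string that excludes the export suites (for example `ALL:!EXPORT:!aNULL`) makes `export_suites` print nothing, which is the state you want the service in while it still runs on an unpatched library; the maps check is what catches a daemon that quietly loaded a source-built libcrypto even though `rpm -Va openssl\*` reports the package intact.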
