I can't speak directly about the Fedora RPMs. However, Pound is no different from most software out there that links with OpenSSL.
Pound pre-2.6c did not include the SSL 1.0.0 patch, which means you're using 0.9.8 if you have Pound 2.6b, 2.6a, or 2.5 (unless you manually applied the patch yourself). You probably shouldn't be running these at this point, because they're way old. Pound pre 2.6d, e, f, the 2.6 release, or any of the 2.7's (including my branches on GitHub) include the 1.0.0 patch, which means it's *possible* to compile against OpenSSL 1+. It depends on what you used to compile the binary.

Pound *does* serve as an SSL termination point, which means if you're using ListenHTTPS, that port is using OpenSSL to do its encryption/decryption. If Pound is compiled as a dynamic binary, then updating the system's OpenSSL library, *and restarting the pound daemons*, should resolve the issue. You can check with http://filippo.io/Heartbleed/, just like any other web site.

It also means that if your backends are not patched, or are vulnerable, even if you're using HTTPS backends, they will not be publicly vulnerable, because Pound is your SSL termination point, not the backend, and Pound itself isn't ever going to issue a corrupt handshake. And even if it did, the heartbeat data would go back to your Pound server and no further. This is consistent with what I would expect of any application-level proxy (and, I believe, Theory 1 of yours).

If Pound was compiled statically, then you'll need to recompile another static copy of Pound with the patched OpenSSL library version of your choice to correct the issue, replace the binary, and restart the daemons. There's no code change to be made in Pound... it's all in the library. As always, remember that restarting your daemon will reset session affinity.
Joe

> -----Original Message-----
> From: David Martineau [mailto:[email protected]]
> Sent: Wednesday, April 09, 2014 12:56 PM
> To: [email protected]
> Subject: [Pound Mailing List] Impact of Heartbleed and theory validation on Pound 2.6
>
> Hello-
>
> My question revolves around the Heartbleed issue with OpenSSL and what the impact is on Pound 2.6 (available from the epel repository on Fedora). Could someone please validate my theories on this subject:
>
> Theory 1: Pound is compiled on whatever version of OpenSSL exists on the build server but is most likely compiled against header files and packaged with RPM to use shared libraries on the server rather than static libraries bundled with Pound. This means that you could issue a statement such as "openssl version" and determine safely which version of OpenSSL Pound is using based on the result.
>
> Theory 2: Pound uses OpenSSL for encryption/decryption but does not treat it as a back-end, which would imply it does not serve content directly from OpenSSL to the client but rather passes the request to the back-end (then uses OpenSSL to encrypt the response) or drops it if not recognized.
>
> I confess, Theory 2 is wishful thinking. I'm sure there is a lot of SSL/TLS handshaking that back-ends are never involved with.
>
> Thanks
> D
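As an added example (not code from Joe's reply, the Pound project, or the EPEL package), the two checks his answer turns on, as a POSIX shell script: whether the pound binary is dynamically linked against libssl (so updating the system OpenSSL is enough) or static (so it has to be rebuilt), and whether an already-running pound is still mapping the old, replaced libssl/libcrypto, which is exactly the "updated but not restarted" case. The binary path /usr/sbin/pound and the process name "pound" are assumptions; the parsers read text on stdin so they can be exercised on constructed ldd and /proc/<pid>/maps output without pound installed.

```shell
#!/bin/sh
# Added example for this thread; not from the Pound project or Joe's reply.
#   1. Is the pound binary dynamically linked against libssl (system OpenSSL
#      update is then enough) or static (it must be rebuilt)?
#   2. After the update, is a running pound still mapping the old, now
#      replaced libssl/libcrypto, i.e. was the daemon not restarted?
# The parsers take their input on stdin so they can be run without pound.

# Parse `ldd <binary>` output. Prints one of:
#   static   - ldd reports "not a dynamic executable"
#   none     - dynamic, but no libssl among its shared libraries
#   <path>   - the libssl shared object the binary will load
libssl_from_ldd() {
    ldd_out=$(cat)
    case "$ldd_out" in
        *"not a dynamic executable"*) printf 'static\n'; return 0 ;;
    esac
    # ldd lines look like: "libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x...)"
    ssl_path=$(printf '%s\n' "$ldd_out" |
        awk '/libssl\.so/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit } }')
    if [ -n "$ssl_path" ]; then printf '%s\n' "$ssl_path"; else printf 'none\n'; fi
}

# Parse /proc/<pid>/maps. When the openssl package is updated the old library
# files are unlinked and replaced; a process that still has the old inode
# mapped shows the path with a "(deleted)" suffix. Prints:
#   stale  - old libssl/libcrypto still mapped: the daemon needs a restart
#   ok     - libssl/libcrypto mapped and current on disk
#   none   - no OpenSSL library mapped at all (static binary, or not pound)
libssl_map_state() {
    maps=$(cat)
    if printf '%s\n' "$maps" | grep -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' >/dev/null; then
        printf 'stale\n'
    elif printf '%s\n' "$maps" | grep -E 'lib(ssl|crypto)\.so' >/dev/null; then
        printf 'ok\n'
    else
        printf 'none\n'
    fi
}

# For a static binary ldd tells you nothing; the OpenSSL version text is
# compiled into libcrypto and survives in the binary, so `strings` finds it.
embedded_openssl_version() {
    strings "$1" | grep -E -o 'OpenSSL [0-9][^ ]*' | head -n 1
}

# Run both checks on a live system. The binary path (/usr/sbin/pound, as the
# EPEL package installs it) and the process name "pound" are assumptions.
check_pound() {
    bin="${1:-/usr/sbin/pound}"
    if [ ! -x "$bin" ]; then
        printf 'no such binary: %s\n' "$bin" >&2
        return 1
    fi
    link=$(ldd "$bin" 2>&1 | libssl_from_ldd)
    printf 'binary %s -> %s\n' "$bin" "$link"
    if [ "$link" = "static" ]; then
        printf 'embedded OpenSSL: %s\n' "$(embedded_openssl_version "$bin")"
    fi
    for pid in $(pgrep -x pound 2>/dev/null); do
        printf 'pid %s -> %s\n' "$pid" "$(libssl_map_state < "/proc/$pid/maps")"
    done
}

# Usage: sh check_pound.sh /usr/sbin/pound
if [ $# -gt 0 ]; then
    check_pound "$1"
fi
```

`openssl version` (Theory 1) only tells you which library is on disk; the maps check is what tells you whether the daemon that is actually terminating TLS has picked it up, which is why Joe stresses restarting the daemons after the update.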
