seems openssl version 1.0.1g also infected

2014-04-14 Thread LOKESH JANGIR
Hi Team, I am using Ubuntu, Amazon AMI with Apache 2.0 and mod_ssl installed. I found the same OpenSSL vulnerability issue with my SSL certificate. I have installed the new OpenSSL bugfixed version 1.0.1g and created a CSR and key file from it. Also I have installed this on the server. I have

Re: OpenSSL has exploit mitigation countermeasures to make sure its exploitable

2014-04-14 Thread mancha
On Sat, Apr 12, 2014 at 09:02:50PM -0400, Salz, Rich wrote: Would you please elaborate on how it differs from what you've been using in production? Local platform issues, mainly. Conceptually, nothing different about the security. Hello Rich et al. I believe Akamai's secure malloc, in

Re: seems openssl version 1.0.1g also infected

2014-04-14 Thread Fedor Indutny
Hello! What does `ldd /path/to/httpd` say? Cheers, Fedor. On Mon, Apr 14, 2014 at 12:17 PM, LOKESH JANGIR lk.jangi...@gmail.com wrote: Hi Team, I am using Ubuntu, Amazon AMI with Apache 2.0 and mod_ssl installed. I found the same OpenSSL vulnerability issue with my SSL certificate. I have

Re: heartbeat RFC 6520 and silently drop behaviour

2014-04-14 Thread David Jacobson
On 4/13/14 3:54 AM, Michael Tuexen wrote: On 13 Apr 2014, at 01:54, tolga ceylan tolga.cey...@gmail.com wrote: The RFC has a lot of statements about silently dropping packets in case of various anomalies. But the correct action should be to drop the connection. This would uncover faulty

[PATCH] heartbeat_test

2014-04-14 Thread Mike Bland
Unit test for the TLS heartbeat code; acts as a regression test against CVE-2014-0160. Thanks, Mike heartbeat_test.patch Description: Binary data

Re: seems openssl version 1.0.1g also infected

2014-04-14 Thread Rainer M. Canavan
On Apr 14, 2014, at 10:17, LOKESH JANGIR lk.jangi...@gmail.com wrote: Hi Team, I am using Ubuntu, Amazon AMI with Apache 2.0 and mod_ssl installed. I found the same OpenSSL vulnerability issue with my SSL certificate. I have installed the new OpenSSL bugfixed version 1.0.1g and created a CSR

Re: seems openssl version 1.0.1g also infected

2014-04-14 Thread LOKESH JANGIR
Hi Fedor, Thanks for the reply. My httpd path is /usr/sbin/httpd and please find the output of ldd /usr/sbin/httpd: [root@ip-10-253-83-223 openssl-1.0.1g]# ldd /usr/sbin/httpd linux-vdso.so.1 => (0x7fffebdfe000) libm.so.6 => /lib64/libm.so.6 (0x7ff2d74a7000)

[openssl.org #3306] OpenSSL Enhancement: the binary library should contain the version strings found in the header opensslv.h

2014-04-14 Thread Tom Swirly via RT
Hello. This is a small feature request that's applicable to all operating systems. *The problem.* The version numbers for OpenSSL appear in the header opensslv.h as macro symbols: OPENSSL_VERSION_NUMBER OPENSSL_VERSION_TEXT Unfortunately, it seems that neither of these two variables are

[openssl.org #3307] Return missed NULL-check in CMS_add0_cert back

2014-04-14 Thread Andrey Kulikov via RT
In 1.0.1g the duplicated check for (!pcerts) was removed. Had an impression that the second appearance was a check for (!*pcerts) (as in all other functions). Return it back. Patch applied. 0001-Check-pcerts-for-NULL.patch Description: Binary data

[openssl.org #3308] Re: Return missed NULL-check in CMS_add0_cert back

2014-04-14 Thread Andrey Kulikov via RT
Well... With this check 'make test' fails with: CMS => PKCS#7 compatibility tests signed content DER format, RSA key: generation error make[1]: *** [test_cms] Error 1 On 14 April 2014 00:16, Andrey Kulikov amde...@gmail.com wrote: In 1.0.1g the duplicated check for (!pcerts) was removed. Had

[openssl.org #3309] Bug: Missing critical flag for extended key usage not detected in time-stamp verification

2014-04-14 Thread Stephan Mühlstrasser via RT
Hi, the following problem was reproduced with several OpenSSL 1.0.1 versions and also with a recent build from the OpenSSL_1_0_2-stable branch: RFC 3161 says in 2.3. Identification of the TSA: The corresponding certificate MUST contain only one instance of the extended key usage field

Re: seems openssl version 1.0.1g also infected

2014-04-14 Thread LOKESH JANGIR
Hi Rainer, Yes, Apache was running with the old library; I have moved this out and copied the new libssl library from the new OpenSSL installation folder. But it is not working and now I am unable to start Apache. Now what to do with this? Regards, Lokesh Jangir On Mon, Apr 14, 2014 at 2:52 PM,

Re: seems openssl version 1.0.1g also infected

2014-04-14 Thread Fedor Indutny
So, considering that it fails to start now, could you please verify that `ls -la /lib64/libcrypt.so.1` is still valid? Fedor. On Mon, Apr 14, 2014 at 2:53 PM, LOKESH JANGIR lk.jangi...@gmail.com wrote: Hi Rainer, Yes, Apache was running with the old library, I have moved this out, and

Re: seems openssl version 1.0.1g also infected

2014-04-14 Thread LOKESH JANGIR
Hi Fedor, Yes, I did not move this file out, and I can see the output of ls -la /lib64/libcrypt.so.1: libcrypt.so -> ../../lib64/libcrypt.so.1. I compiled OpenSSL and it created these library files: engines libcrypto.a libssl.a pkgconfig. So now should I move this libcrypt.a file to /usr/lib64

Re: seems openssl version 1.0.1g also infected

2014-04-14 Thread Fedor Indutny
Hello again! That depends on your setup. I'd suppose that OpenSSL's default installer should create symlinks itself. If it did and they don't match the previous location, you could try creating a new one: `ln -s /path/to/new/libcrypto.so.1 /lib64/libcrypt.so.1` Cheers, Fedor. On Mon, Apr

Re: heartbeat RFC 6520 and silently drop behaviour

2014-04-14 Thread Michael Tuexen
On 13 Apr 2014, at 17:48, David Jacobson dmjacob...@sbcglobal.net wrote: On 4/13/14 3:54 AM, Michael Tuexen wrote: On 13 Apr 2014, at 01:54, tolga ceylan tolga.cey...@gmail.com wrote: The RFC has a lot of statements about silently dropping packets in case of various anomalies. But the

Re: seems openssl version 1.0.1g also infected

2014-04-14 Thread LOKESH JANGIR
Hi, I am installing OpenSSL in the /usr/local/openssl folder and it is creating libssl.a and libcrypt.a library files. So how can I use these files as a library? Or do I need to install this in the default folders? Should I follow this article http://www.akadia.com/services/ssh_test_certificate.html Lokesh

Re: seems openssl version 1.0.1g also infected

2014-04-14 Thread Jason Gerfen
If I had ever needed to use different versions of OpenSSL I would use `./config --openssldir=/path/to/openssl-ver`, then for Apache to use that during installation. Example: `./configure --with-ssl=/path/to/openssl-ver --enable-ssl`. That will at least verify you're using the new patched version.

Re: seems openssl version 1.0.1g also infected

2014-04-14 Thread Fedor Indutny
I guess you need to build it in a shared library mode. Take a look at this: http://www.linuxfromscratch.org/blfs/view/svn/postlfs/openssl.html . You may skip applying some unverified patches as author suggest, but generally the instructions are correct. Cheers, Fedor. On Mon, Apr 14, 2014 at

Re: seems openssl version 1.0.1g also infected

2014-04-14 Thread Olivier BARTHELEMY
I use `export CFLAGS=-fPIC`, `./config shared --prefix=$inst`, `make` to build the shared library version I use. 2014-04-14 13:34 GMT+02:00 Fedor Indutny fe...@indutny.com: I guess you need to build it in a shared library mode. Take a look at this:

Re: seems openssl version 1.0.1g also infected

2014-04-14 Thread Fedor Indutny
Yes, I agree with everyone. Just thought that linking a blog post would be more helpful. Better use instructions provided here, than at that page. Thank you, guys! On Mon, Apr 14, 2014 at 3:40 PM, Olivier BARTHELEMY barthel...@geovariances.com wrote: I use export CFLAGS=-fPIC

Re: seems openssl version 1.0.1g also infected

2014-04-14 Thread Martin Simmons
Why are you building your own OpenSSL? Did you try the official Ubuntu update? `sudo apt-get update`, `sudo apt-get upgrade` __Martin On Mon, 14 Apr 2014 16:59:06 +0530, LOKESH JANGIR said: Hi, I am installing OpenSSL in the /usr/local/openssl folder and it is creating libssl.a and libcrypt.a

Re: seems openssl version 1.0.1g also infected

2014-04-14 Thread Jason Gerfen
The wiki provides some very useful information http://wiki.openssl.org/index.php/Compilation_and_Installation On Mon, Apr 14, 2014 at 5:40 AM, Olivier BARTHELEMY barthel...@geovariances.com wrote: I use `export CFLAGS=-fPIC`, `./config shared --prefix=$inst`, `make` to build the

RE: RSA [FIPS 186-4] issue

2014-04-14 Thread Leon Brits
JDM, Leon Brits wrote: I am in no way capable of writing such a patch and was hoping that someone is willing to share. To be more specific, I need a patch that will change the key generation from: d = e^-1 mod ((p-1)(q-1)) to this: d = e^-1 mod (LCM(p-1, q-1)) We’re also pursuing a
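The two private-exponent definitions named in the request above, worked through on toy-sized primes. This is an added example, not Leon's requested patch and not OpenSSL's RSA key generation; it uses plain 64-bit integers (a real key needs a bignum library) and constructed parameters p=61, q=53, e=17, m=65. It shows that the FIPS 186-4 form d = e^-1 mod lcm(p-1, q-1) yields a smaller exponent that is congruent to the totient-form d modulo the lcm, and that both decrypt correctly.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not OpenSSL code: the two private-exponent definitions from
 * the thread, computed on toy primes with 64-bit integers. Real keys need a
 * bignum library; this is only to make the relationship between them visible. */

static uint64_t gcd_u64(uint64_t a, uint64_t b) {
    while (b) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

static uint64_t lcm_u64(uint64_t a, uint64_t b) {
    return a / gcd_u64(a, b) * b;
}

/* Modular inverse of e modulo m by the extended Euclidean algorithm.
 * Returns 0 when gcd(e, m) != 1, i.e. e is not a usable RSA exponent for m.
 * Signed arithmetic carries the Bezout coefficients; m must be below 2^63. */
static uint64_t modinv_u64(uint64_t e, uint64_t m) {
    int64_t old_r = (int64_t)e, r = (int64_t)m;
    int64_t old_s = 1, s = 0;
    while (r != 0) {
        int64_t quot = old_r / r, t;
        t = old_r - quot * r; old_r = r; r = t;
        t = old_s - quot * s; old_s = s; s = t;
    }
    if (old_r != 1) return 0;                /* no inverse exists */
    if (old_s < 0) old_s += (int64_t)m;
    return (uint64_t)old_s;
}

/* Square-and-multiply; operands must stay below 2^32 so products fit. */
static uint64_t modpow_u64(uint64_t base, uint64_t exp, uint64_t mod) {
    uint64_t acc = 1;
    base %= mod;
    while (exp) {
        if (exp & 1) acc = acc * base % mod;
        base = base * base % mod;
        exp >>= 1;
    }
    return acc;
}

/* d = e^-1 mod (p-1)(q-1): the Euler-totient form the thread says 1.0.x uses. */
static uint64_t rsa_d_phi(uint64_t p, uint64_t q, uint64_t e) {
    return modinv_u64(e, (p - 1) * (q - 1));
}

/* d = e^-1 mod lcm(p-1, q-1): the Carmichael form FIPS 186-4 asks for. */
static uint64_t rsa_d_lcm(uint64_t p, uint64_t q, uint64_t e) {
    return modinv_u64(e, lcm_u64(p - 1, q - 1));
}

/* Returns 1 when decrypt(encrypt(m)) == m for the given exponent pair. */
static int rsa_roundtrip_ok(uint64_t p, uint64_t q, uint64_t e, uint64_t d, uint64_t m) {
    uint64_t n = p * q;
    uint64_t c = modpow_u64(m, e, n);
    return modpow_u64(c, d, n) == m;
}

int main(void) {
    /* Constructed toy parameters, far too small for real use. */
    uint64_t p = 61, q = 53, e = 17, m = 65;
    uint64_t d_phi = rsa_d_phi(p, q, e), d_lcm = rsa_d_lcm(p, q, e);
    printf("d (phi form) = %llu, d (lcm form) = %llu, lcm = %llu\n",
           (unsigned long long)d_phi, (unsigned long long)d_lcm,
           (unsigned long long)lcm_u64(p - 1, q - 1));
    printf("both decrypt correctly: %d %d\n",
           rsa_roundtrip_ok(p, q, e, d_phi, m), rsa_roundtrip_ok(p, q, e, d_lcm, m));
    return 0;
}
```

With these parameters phi = 3120 and lcm = 780, so the totient form gives d = 2753 and the lcm form gives d = 413 = 2753 mod 780; either exponent inverts the public operation, which is why the change is a conformance matter rather than a compatibility one.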

RE: seems openssl version 1.0.1g also infected

2014-04-14 Thread Salz, Rich
Why are you building your own OpenSSL? Did you try the official Ubuntu update? Especially since the original poster seems to have problems with the basic software engineering stuff. (No criticism intended, it can be confusing.) /r$ -- Principal Security Engineer Akamai Technology

Re: seems openssl version 1.0.1g also infected

2014-04-14 Thread TJ
On 14/04/14 10:42, LOKESH JANGIR wrote: I am using Ubuntu, Amazon ami with apache 2.0 and mod_ssl installed. I The oldest still-supported Ubuntu version - 10.04 Lucid Lynx - ships with: apache2.2-bin (2.2.14-5ubuntu8.13) [security] Hi Fedor, Thanks for the reply. My httpd path is

Re: seems openssl version 1.0.1g also infected

2014-04-14 Thread LOKESH JANGIR
Hi team, I am using Amazon AMI release Amazon Linux AMI release 2014.03. When I restart the httpd service then I can see in the logs that the old version of OpenSSL is loading with it. Can you please guide me what to do in this case? Regards, Lokesh On Mon, Apr 14, 2014 at 10:36 PM, TJ

Re: seems openssl version 1.0.1g also infected

2014-04-14 Thread mancha
On Mon, Apr 14, 2014 at 10:57:37PM +0530, LOKESH JANGIR wrote: Hi team, I am using Amazon AMI release Amazon Linux AMI release 2014.03. When I restart the httpd service then I can see in the logs that the old version of OpenSSL is loading with it. Can you please guide me what to do in this case?

Re: [openssl.org #3306] OpenSSL Enhancement: the binary library should contain the version strings found in the header opensslv.h

2014-04-14 Thread Kurt Roeckx via RT
On Mon, Apr 14, 2014 at 11:51:53AM +0200, Tom Swirly via RT wrote: Hello. This is a small feature request that's applicable to all operating systems. *The problem.* The version numbers for OpenSSL appear in the header opensslv.h as macro symbols: OPENSSL_VERSION_NUMBER

Re: [openssl.org #3306] OpenSSL Enhancement: the binary library should contain the version strings found in the header opensslv.h

2014-04-14 Thread Tom Swirly via RT
Thanks for a fast and clear reply! On Mon, Apr 14, 2014 at 1:58 PM, Kurt Roeckx via RT r...@openssl.org wrote: Then a program linking to this library can read either of these global variables at runtime and fail to start or emit a warning if the version isn't up-to-date. Please don't do

Re: [openssl.org #3306] OpenSSL Enhancement: the binary library should contain the version strings found in the header opensslv.h

2014-04-14 Thread Viktor Dukhovni
On Mon, Apr 14, 2014 at 08:27:17PM +0200, Tom Swirly via RT wrote: We'd like to make sure that the libraries we're linking to are up-to-date. There are third parties who build our codebase who might not be as careful as we might like. Postfix issues warnings when the run-time library

Re: [openssl.org #3306] OpenSSL Enhancement: the binary library should contain the version strings found in the header opensslv.h

2014-04-14 Thread Claus Assmann
On Mon, Apr 14, 2014, Tom Swirly via RT wrote: We'd like to make sure that the libraries we're linking to are up-to-date. Take a look at the postfix code: tls_check_version(). __ OpenSSL Project
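The run-time-versus-compile-time check that ticket #3306 asks for and that the Postfix tls_check_version() replies point at, as an added example. This is not Postfix's code and not OpenSSL's: it decodes the 0xMNNFFPPS layout of OPENSSL_VERSION_NUMBER from opensslv.h (major, minor, fix, patch letter, status) and applies an assumed policy (same major.minor.fix line and not older than the headers). The header and runtime values are constructed constants so the block runs without OpenSSL installed; a real program would take the runtime number from SSLeay() on 1.0.x, and the same comparison is what would have flagged the "1.0.1g also infected" case above, where a rebuilt binary was still loading the old libssl.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Postfix's tls_check_version() and not OpenSSL code.
 * Decodes the OPENSSL_VERSION_NUMBER encoding (0xMNNFFPPS) and compares the
 * version the headers were built against with the version of the library
 * actually loaded at run time. Both numbers below are constructed constants;
 * in a real program the runtime value would come from SSLeay() (1.0.x). */

/* Constructed: the value a 1.0.1g opensslv.h defines for OPENSSL_VERSION_NUMBER. */
#define EXAMPLE_HEADER_VERSION 0x1000107fUL

/* Renders 0xMNNFFPPS as "1.0.1g", "1.0.2-dev" or "1.0.2-beta2".
 * Returns the length written, or 0 if the buffer is too small. */
static int decode_version(unsigned long v, char *out, size_t outlen) {
    unsigned major = (v >> 28) & 0xf, minor = (v >> 20) & 0xff,
             fix = (v >> 12) & 0xff, patch = (v >> 4) & 0xff, status = v & 0xf;
    char letter[2] = { 0, 0 };
    char suffix[16] = "";
    int n;

    if (patch >= 1 && patch <= 26)          /* 1 = 'a', 7 = 'g', ... */
        letter[0] = (char)('a' + patch - 1);
    if (status == 0)                        /* 0 = development snapshot */
        strcpy(suffix, "-dev");
    else if (status < 0xf)                  /* 1..14 = beta n; 0xf = release */
        snprintf(suffix, sizeof suffix, "-beta%u", status);

    n = snprintf(out, outlen, "%u.%u.%u%s%s", major, minor, fix, letter, suffix);
    return (n > 0 && (size_t)n < outlen) ? n : 0;
}

/* Convenience for tests: does v decode to exactly the expected string? */
static int version_is(unsigned long v, const char *expected) {
    char buf[32];
    return decode_version(v, buf, sizeof buf) > 0 && strcmp(buf, expected) == 0;
}

/* Assumed policy (not necessarily Postfix's exact rule): the runtime library
 * must be on the same major.minor.fix line as the headers and at least as new,
 * so 1.0.1f under a 1.0.1g-built binary is rejected, 1.0.1h is accepted, and a
 * different line such as 1.0.2 is reported rather than silently accepted. */
static int runtime_acceptable(unsigned long compiled, unsigned long runtime) {
    unsigned long line_mask = 0xfffff000UL;     /* major, minor, fix fields */
    if ((compiled & line_mask) != (runtime & line_mask))
        return 0;
    return runtime >= compiled;
}

int main(void) {
    /* Constructed: the library that actually got loaded. 0x1000106f is 1.0.1f. */
    unsigned long runtime = 0x1000106fUL;
    char built[32], loaded[32];
    decode_version(EXAMPLE_HEADER_VERSION, built, sizeof built);
    decode_version(runtime, loaded, sizeof loaded);
    if (!runtime_acceptable(EXAMPLE_HEADER_VERSION, runtime))
        printf("warning: built against OpenSSL %s but running with %s\n", built, loaded);
    else
        printf("OpenSSL %s (runtime %s) OK\n", built, loaded);
    return 0;
}
```

The check is only as good as the number the library reports, which is why Kurt's reply warns against refusing to start on it: distributions backport fixes without bumping the patch letter, so treat a mismatch as a warning to investigate with `ldd`, not as proof of vulnerability.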

RE: OpenSSL has exploit mitigation countermeasures to make sure its exploitable

2014-04-14 Thread Salz, Rich
Recommendation: protect the rest of the private key material. Yes, we missed some important fields. Dang is a word that comes to mind. At least, one I can use in polite company. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

[openssl.org #3310] Can't execute make command

2014-04-14 Thread Maria Moskaleva via RT
Hello! Make fails while I'm trying to build the OpenSSL library. http://screeny.ru/534bd10369000fff1f0225ce Why do I have a problem with md2test.c? (m2test.c:1: parse error before '.' token) What should I do? Thanks in advance! Best regards, Moskaleva Maria

[openssl.org #3312] OpenSSL :: crypto/mem.c without memset() calls?

2014-04-14 Thread Markus Grundmann via RT
Hi! I have checked the current source code of 'crypto/mem.c' and I'm a little bit surprised that no memset() calls are made before the free_*() functions are entered. I think zeroing the previously used memory is a good solution to avoid accessing old memory content. --- $ diff
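The zero-before-free idea raised in #3312, as an added example that is not the ticket's diff and not OpenSSL's mem.c. It shows the caveat a practitioner should attach to a bare memset() before free(): because the buffer is dead afterwards, the optimizer is allowed to delete that store, which is why OpenSSL provides OPENSSL_cleanse() instead of relying on memset(). The wrapper below keeps the store by calling memset through a volatile function pointer (C11 memset_s or explicit_bzero() are alternatives where available); the buffer contents are constructed stand-ins for key material.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Added example, not OpenSSL's crypto/mem.c: a free() wrapper that wipes the
 * buffer first, written so the wipe survives optimization. A plain
 * memset(p, 0, len); free(p); can be removed as a dead store because the
 * memory is unreachable after free(). */

/* Calling memset through a volatile pointer means the compiler cannot prove
 * which function runs and so cannot elide the call. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

static void secure_zero(void *p, size_t len) {
    if (p != NULL && len > 0)
        memset_ptr(p, 0, len);
}

/* Wipe, then release. The caller must supply the length: free() alone does
 * not know it, which is the practical obstacle to doing this inside free_*(). */
static void secure_free(void *p, size_t len) {
    secure_zero(p, len);
    free(p);
}

/* Branch-free scan with no early exit; returns 1 when every byte is zero. */
static int all_zero(const unsigned char *p, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= p[i];
    return acc == 0;
}

/* Self-check: fill a heap buffer with key-like bytes, wipe it, and report
 * whether every byte is zero before the memory is released. Returns 0 on
 * allocation failure (including len == 0 on platforms where malloc(0) is NULL). */
static int wipe_roundtrip_ok(size_t len) {
    unsigned char *buf = malloc(len);
    int ok;
    if (buf == NULL)
        return 0;
    memset(buf, 0xA5, len);          /* constructed stand-in for secret material */
    secure_zero(buf, len);
    ok = all_zero(buf, len);
    secure_free(buf, len);           /* re-wiping an already-zero buffer is harmless */
    return ok;
}

int main(void) {
    return wipe_roundtrip_ok(32) ? 0 : 1;
}
```

Zeroing at free time only covers the allocation's last contents; copies left in registers, on the stack, or in intermediate buffers are out of its reach, so it reduces exposure of stale heap data (the concern behind this ticket in the week of CVE-2014-0160) without guaranteeing that a secret has been erased.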

Re: heartbeat RFC 6520 and silently drop behaviour

2014-04-14 Thread Peter Waltenberg
Not a good idea, particularly with DTLS as it'd be an instant DoS attack. Peter -----owner-openssl-...@openssl.org wrote: ----- To: openssl-dev@openssl.org From: David Jacobson Sent by: owner-openssl-...@openssl.org Date: 04/14/2014 07:55PM Subject: Re: heartbeat RFC 6520 and