Re: Upgrading OpenSSL on RHEL5
Hi Shruti,

As per openssl, version 0.98e is not infected with heartbleed issue. You can check on below link.

http://www.openssl.org/news/secadv_20140407.txt

Regards,
Lokesh Jangir

On Thu, Apr 24, 2014 at 6:47 PM, Shruti Palshikar shr...@buysidefx.com wrote:

> Thanks everyone for the help, does anybody know if RHEL5 with version 0.98e of openssl has a fix for TLS/SSL renegotiation vulnerability?
>
> On Thu, Apr 24, 2014 at 7:40 AM, Hubert Kario hka...@redhat.com wrote:
>
> > ----- Original Message -----
> > > From: Shruti Palshikar shr...@buysidefx.com
> > > To: openssl-dev@openssl.org
> > > Sent: Wednesday, 23 April, 2014 5:50:45 PM
> > > Subject: Upgrading OpenSSL on RHEL5
> > >
> > > Hello,
> > >
> > > I am trying to upgrade my openSSL version on RHEL5. When I tried to update it using yum command (it kept pausing with the messages - No packages marked for update) I found out that this was not installed from the source but was present along with RHEL in the /usr directory. Following are some helpful commands to give you an idea of the machine and openSSL I am using
> >
> > OpenSSL version shipped in RHEL 5 is the newest version that's compatible with other applications and tools shipped in this RHEL version. It does have all the important bug fixes and security fixes backported (if you think it is missing something, please contact us through Customer Portal).
> >
> > If you want to have a newer openssl version (e.g. to have support for AES-GCM or TLS1.2), you will have to upgrade to newer RHEL release (6.5).
> >
> > If you need only a single application to support newer cryptography, you shouldn't replace the system version of openssl with version 1.0.x or you will most likely break your install.
> >
> > --
> > Regards,
> > Hubert Kario
> > BaseOS QE Security team
> > Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
> > ______________________________________________________________________
> > OpenSSL Project http://www.openssl.org
> > Development Mailing List openssl-dev@openssl.org
> > Automated List Manager majord...@openssl.org
>
> --
> Thanks,
> Shruti Palshikar
> 617 784 8358
> BuysideFX
> *Solving foreign exchange problems for institutional money managers*
seems openssl version 1.0.1g also infected
Hi Team,

I am using Ubuntu, Amazon ami with apache 2.0 and mod_ssl installed. I found the same openssl vulnerability issue with my ssl certificate. I have installed new openssl bugfixed version 1.0.1g and created csr and key file from this. Also I have installed this on the server. I have restarted apache service and server many times after installation. But still it is showing my website vulnerable.

Can you please guide me what I am missing now?

Thanks and Regards,
Lokesh Jangir
Re: seems openssl version 1.0.1g also infected
Hi Fedor,

Thanks for the reply. My httpd path is /usr/sbin/httpd and please find the output of ldd /usr/sbin/httpd

    [root@ip-10-253-83-223 openssl-1.0.1g]# ldd /usr/sbin/httpd
        linux-vdso.so.1 => (0x7fffebdfe000)
        libm.so.6 => /lib64/libm.so.6 (0x7ff2d74a7000)
        libpcre.so.0 => /lib64/libpcre.so.0 (0x7ff2d724e000)
        libselinux.so.1 => /usr/lib64/libselinux.so.1 (0x7ff2d702c000)
        libaprutil-1.so.0 => /usr/lib64/libaprutil-1.so.0 (0x7ff2d6e08000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x7ff2d6bd2000)
        libexpat.so.1 => /lib64/libexpat.so.1 (0x7ff2d69a9000)
        libdb-4.7.so => /lib64/libdb-4.7.so (0x7ff2d663a000)
        libapr-1.so.0 => /usr/lib64/libapr-1.so.0 (0x7ff2d6407000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x7ff2d61ea000)
        libc.so.6 => /lib64/libc.so.6 (0x7ff2d5e45000)
        libdl.so.2 => /lib64/libdl.so.2 (0x7ff2d5c41000)
        /lib64/ld-linux-x86-64.so.2 (0x7ff2d7a09000)
        libuuid.so.1 => /lib64/libuuid.so.1 (0x7ff2d5a3c000)
        libfreebl3.so => /lib64/libfreebl3.so (0x7ff2d57c6000)

Please have a look and help me.

Regards,
Lokesh Jangir

On Mon, Apr 14, 2014 at 2:13 PM, Fedor Indutny fe...@indutny.com wrote:

> Hello!
>
> What does `ldd /path/to/httpd` say?
>
> Cheers,
> Fedor.
Re: seems openssl version 1.0.1g also infected
Hi Rainer,

Yes, apache was running with the old library, I have moved this out, and copied new libssl library from new openssl installation folder. But it is not working and now I am unable to start apache.

Now what to do with this?

Regards,
Lokesh Jangir

On Mon, Apr 14, 2014 at 2:52 PM, Rainer M. Canavan rainer.cana...@sevenval.com wrote:

> On Apr 14, 2014, at 10:17 , LOKESH JANGIR lk.jangi...@gmail.com wrote:
>
> > Hi Team, I am using Ubuntu, Amazon ami with apache 2.0 and mod_ssl installed. I found the same openssl vulnerability issue with my ssl certificate. I have installed new openssl bugfixed version 1.0.1g and created csr and key file from this. Also I have installed this on the server. I have restarted apache service and server many times after installation. But still it is showing my website vulnerable. Can you please guide me what I am missing now?
>
> Did you use apachectl restart, or apachectl stop + apachectl start? If you did the former, the process may still be running with the old, deleted library. Try
>
>     sudo lsof -n | grep libssl | grep DEL
>
> to see if that is still the case.
>
> rainer
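The condition Rainer describes above, a server process that still has the old, deleted libssl mapped after the library was replaced on disk, can also be read from /proc/<pid>/maps on Linux. The script below is an added example and not part of any message in this thread; the function names and the sample mapping lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The sample data below is constructed.

# Read /proc/<pid>/maps-format text on stdin and print one line per mapped
# OpenSSL library: "STALE <path>" if the file was deleted or replaced on disk
# after the process mapped it, "LIVE <path>" otherwise.
# Only libssl/libcrypto match; glibc's libcrypt.so is a different library.
tls_lib_status() {
    awk '
        {
            stale = ($NF == "(deleted)")
            path  = stale ? $(NF - 1) : $NF
            if (path ~ /\/lib(ssl|crypto)\.so/)
                seen[(stale ? "STALE" : "LIVE") " " path] = 1
        }
        END { for (k in seen) print k }
    ' | sort
}

# Check every running process with the given exact name (root is needed to
# read the maps of processes owned by other users).
scan_processes() {
    for pid in $(pgrep -x "$1" 2>/dev/null); do
        [ -r "/proc/$pid/maps" ] || continue
        tls_lib_status < "/proc/$pid/maps" | sed "s/^/pid $pid: /"
    done
    return 0
}

# Constructed sample: libssl was replaced on disk while the process kept
# running, libcrypto is current, libcrypt (glibc) must be ignored.
SAMPLE_MAPS='7f10a0000000-7f10a0060000 r-xp 00000000 ca:01 1001 /usr/lib64/libssl.so.10 (deleted)
7f10a0260000-7f10a0266000 rw-p 00060000 ca:01 1001 /usr/lib64/libssl.so.10 (deleted)
7f10a0400000-7f10a05b0000 r-xp 00000000 ca:01 1002 /usr/lib64/libcrypto.so.10
7f10a0800000-7f10a0807000 r-xp 00000000 ca:01 1003 /lib64/libcrypt-2.12.so
7f10a0a00000-7f10a0a21000 rw-p 00000000 00:00 0 [heap]'

if [ $# -gt 0 ]; then
    scan_processes "$1"      # process name to check, e.g. httpd or apache2
else
    printf '%s\n' "$SAMPLE_MAPS" | tls_lib_status
fi
```

Any STALE line means the process has to be fully stopped and started before it picks up the library now on disk; the LIVE lines show which libssl and libcrypto files a running server actually loaded.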
Re: seems openssl version 1.0.1g also infected
Hi Fedor,

Yes, I did not move this file out, and I can see the output of ls -la /lib64/libcrypt.so.1

    libcrypt.so -> ../../lib64/libcrypt.so.1

I compiled openssl and it created these library files,

    engines libcrypto.a libssl.a pkgconfig

So now should I move this libcrypt.a file to /usr/lib64 folder and rename this as .so?

Regards,
Lokesh Jangir

On Mon, Apr 14, 2014 at 4:31 PM, Fedor Indutny fe...@indutny.com wrote:

> So, considering that it fails to start now. Could you please verify that `ls -la /lib64/libcrypt.so.1` is still valid?
>
> Fedor.
Re: seems openssl version 1.0.1g also infected
Hi,

I am installing openssl in /usr/local/openssl folder and it is creating libssl.a and libcrypt.a library files. So how can I use these files as library? Or do I need to install this in default folders?

Should I follow this article http://www.akadia.com/services/ssh_test_certificate.html

Lokesh Jangir

On Mon, Apr 14, 2014 at 4:50 PM, Fedor Indutny fe...@indutny.com wrote:

> Hello again!
>
> That depends on your setup. I'd suppose that OpenSSL's default installer should create symlinks itself. If it did and they don't match the previous location - you could try creating a new one:
>
> `ln -s /path/to/new/libcrypto.so.1 /lib64/libcrypt.so.1`
>
> Cheers,
> Fedor.
Re: seems openssl version 1.0.1g also infected
Hi team,

I am using amazon ami release Amazon Linux AMI release 2014.03. When I restart httpd service then I can see in logs that old version of openssl is loading with this.

Can you please guide me what to do in this case?

Regards,
Lokesh

On Mon, Apr 14, 2014 at 10:36 PM, TJ 0.open...@iam.tj wrote:

> On 14/04/14 10:42, LOKESH JANGIR wrote:
>
> > I am using Ubuntu, Amazon ami with apache 2.0 and mod_ssl installed. I
>
> The oldest still-supported Ubuntu version - 10.04 Lucid Lynx - ships with:
>
>     apache2.2-bin (2.2.14-5ubuntu8.13) [security]
>
> > Hi Fedor, Thanks for the reply. My httpd path is /usr/sbin/httpd and please find the output of ldd /usr/sbin/httpd
>
> Ubuntu does not distribute the apache packages with this file; it is renamed to:
>
>     /usr/sbin/apache2
>
> > [root@ip-10-253-83-223 openssl-1.0.1g]# ldd /usr/sbin/httpd
> >     linux-vdso.so.1 => (0x7fffebdfe000)
> >     libm.so.6 => /lib64/libm.so.6 (0x7ff2d74a7000)
> >     libpcre.so.0 => /lib64/libpcre.so.0 (0x7ff2d724e000)
> >     libselinux.so.1 => /usr/lib64/libselinux.so.1 (0x7ff2d702c000)
>
> Ubuntu 64-bit packages don't install here, but to:
>
>     $ apt-file search '/libselinux.so.1'
>     libselinux1: /lib/x86_64-linux-gnu/libselinux.so.1
>
> Also, apache2 does not build against (depend) on selinux:
>
>     $ dpkg-query -S /usr/sbin/apache2
>     apache2-bin: /usr/sbin/apache2
>     $ ldd /usr/sbin/apache2 | grep selinux
>     $ apt-cache depends apache2-bin | grep selinux
>     $