OpenSSL version different in log and pkgtool
Hi, I installed Slackware 11 with OpenSSL 0.9.8d (at least I was hoping for).
'openssl version' gives: OpenSSL 0.9.8d 28 Sep 2006. pkgtool shows the same version. But ssl.log shows: (...) Library: OpenSSL/0.9.8b So which one is valid? I don't think I could have made a mess here, since I didn't perform any upgrades; the version is the latest packaged for Slackware. Any help is appreciated. |
Is that the Apache SSL log? If so, Apache may be statically linked against the SSL libs and so would need an upgrade or recompile.
|
Yes, it is Apache SSL log.
[18/May/2007 00:49:20 00373] [info] Server: Apache/1.3.37, Interface: mod_ssl/2.8.28, Library: OpenSSL/0.9.8b
There are no updates for Apache or OpenSSL on the Slackware ftp site. Wouldn't it all be set 'right out of the box'? Thanks. |
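A quick check for the mismatch discussed above, added here as an example and not something posted in the thread: it parses the OpenSSL version out of the mod_ssl startup log line and out of 'openssl version' output and compares the two, and can list the version strings embedded in a module file (which assumes `strings` from binutils is installed). The log line and version string in the block are constructed from the values quoted in the thread so the check runs offline.

```sh
#!/bin/sh
# Added example, not from the thread: does Apache/mod_ssl really use the
# OpenSSL that 'openssl version' reports? Compare the two version strings.

# Pull "0.9.8b" out of a mod_ssl startup line such as
# "... Interface: mod_ssl/2.8.28, Library: OpenSSL/0.9.8b"
log_openssl_version() {
    printf '%s\n' "$1" | sed -n 's/.*Library: OpenSSL\/\([0-9][0-9a-z.]*\).*/\1/p'
}

# Pull "0.9.8d" out of "OpenSSL 0.9.8d 28 Sep 2006" ('openssl version' output)
cli_openssl_version() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }'
}

# List every "OpenSSL x.y.z <date>" string embedded in a binary or module;
# a mod_ssl linked against its own copy of OpenSSL carries one of these.
# Assumes 'strings' (binutils) is available; prints nothing otherwise.
embedded_openssl_versions() {
    strings "$1" 2>/dev/null | sed -n 's/.*OpenSSL \([0-9][0-9a-z.]*\) .*/\1/p' | sort -u
}

# Exit status 0 when both versions are present and identical, 1 otherwise.
versions_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Constructed sample inputs, using the values quoted in the thread.
SAMPLE_LOG='[18/May/2007 00:49:20 00373] [info] Server: Apache/1.3.37, Interface: mod_ssl/2.8.28, Library: OpenSSL/0.9.8b'
SAMPLE_CLI='OpenSSL 0.9.8d 28 Sep 2006'

# Report whether the server's library matches the system's openssl binary.
check_versions() {
    logv=$(log_openssl_version "$1")
    cliv=$(cli_openssl_version "$2")
    if versions_match "$logv" "$cliv"; then
        echo "OK: mod_ssl and 'openssl version' both report OpenSSL $cliv"
    else
        echo "MISMATCH: mod_ssl logs OpenSSL $logv, 'openssl version' reports $cliv"
        echo "mod_ssl is likely built against a separate OpenSSL copy; the patched library is not in use"
    fi
}

check_versions "$SAMPLE_LOG" "$SAMPLE_CLI"
```

On a live box, replace the sample strings with the real startup line from ssl.log and the real output of `openssl version`, and run `embedded_openssl_versions /path/to/libssl.so` on the module named by the LoadModule directive.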
Pat might have upgraded OpenSSL but not recompiled Apache. Did you check Slackware-current to see if you really need the new version?
|
apache-1.3.37-i486-3 (Apr 7 23:36) is available, and I have apache-1.3.37-i486-2.
Do you think upgrading to the new Apache package will take care of it? openssl-0.9.8e-i486-2 (May 14 22:37) is also available, but would I have to recompile Apache for it to be used? I guess I don't have to have the latest, but I would like to patch any security problems, so I would like to make sure Apache uses at least 0.9.8d. |
Now. You do not have to recompile anything if you use plain stable or plain current. If you mix, sometimes you will have to, but I don't think that this includes Apache. This is more important for dev packages, the kernel, etc.
|
Thank you for your help - I'll try upgrading Apache tomorrow.
|
Hi, no luck so far. But since I'm right now waiting for a restore of a Ghost 8 image I made earlier "just in case", I can tell you a bit more of my story.
The reason for touching this server was the security vulnerabilities in OpenSSL versions prior to 0.9.8d and 0.9.7l: http://www.slackware.com/security/vi...ecurity.676946
To stick with the distribution of choice of our parent company I downloaded the Slackware 11.0 CD ISOs and installed on a spare box with a minimum of packages. I upgraded a few packages:
bash-3.2.015-i486-1_slack11.0.tgz
bind-9.3.4-i486-1_slack11.0.tgz
php-4.4.7-i486-1_slack11.0.tgz
tar-1.16-i486-1_slack11.0.tgz
I checked the versions of all essential packages, and they were all the latest for Slack 11.0, and OpenSSL was 0.9.8d, so it was good to go. I did not upgrade Apache, OpenSSL, or mod_ssl. I copied the Bind and Apache configuration files, certificate files and logs from the old box to the new one, and after a bit of time changing paths (the old box was RedHat 8) I got it to work - Apache started, and it was working fine. But I checked the SSL log, and while starting, one of the lines logged by Apache was:
[18/May/2007 00:49:20 00373] [info] Server: Apache/1.3.37, Interface: mod_ssl/2.8.28, Library: OpenSSL/0.9.8b
OpenSSL 0.9.8b is one of the vulnerable versions (possibility of denial of service and buffer overrun, which I think is pretty serious). Today I tried:
upgrading Apache to apache-1.3.37-i486-3.tgz from "Current"
upgrading OpenSSL to openssl-0.9.8e-i486-2.tgz from "Current"
upgrading to openssl-solibs-0.9.8e-i486-2.tgz from "Current"
reinstalling mod_ssl (mod_ssl-2.8.28_1.3.37-i486-1.tgz) after reading the example installation steps at http://www.modssl.org/example/ and realizing that it's mod_ssl that holds Apache and OpenSSL together.
None of that helped. Then I took a look at this line from httpd.conf, thinking that maybe it needs to be changed on the new system:
LoadModule ssl_module libexec/apache/libssl.so
This file was dated before Sep-2006, and I searched for all files with that name and found a newer one (I think in /usr/lib).
I tried to copy that file over ..libexec/apache/libssl.so, but then Apache would not start - it gave the error:
httpd can't locate API module structure 'ssl_module'
I switched back to the old libssl.so file. I renamed the file and re-installed mod_ssl-2.8.28_1.3.37-i486-1.tgz. It put the same file back (same size and time). Then I searched for possibilities for the 'LoadModule ssl_module' directive in httpd.conf and found that some people used 'mod_ssl.so'. I ran 'find' for that file, but it didn't find it, and instead it gave this message:
find: WARNING: Hard link count is wrong for /proc: this may be a bug in your filesystem driver. Automatically turning on find's -noleaf option. Earlier results may have failed to include directories that should have been searched.
First I booted from the CD and ran reiserfsck on each partition, and everything was fine. Then I read the tip at http://murrey.inferential.com/piperm...er/000237.html suggesting that find may have a bug, so I upgraded from findutils-4.2.28-i486-? to findutils-4.2.30-i486-1.tgz. That made find scream that it needs GLIBC 2.4, so I downloaded and upgraded to glibc-2.5-i486-2.tgz, which gave the error "FATAL: kernel too old" on pretty much every command, and caused me to sit here while restoring from the Ghost image. So I am smarter by that lesson :), but what did I do wrong before today that Apache logged using OpenSSL 0.9.8b while OpenSSL from the CD was version 0.9.8d? Thanks. |
Check this (from current changelog):
Quote:
|
Oh, this was done just a few days ago.
But I don't want to install httpd-2.2.4-i486-1.tgz yet, do you think I should try asking the Slackware team to recompile mod_ssl-2.8.28_1.3.37 to include OpenSSL 0.9.8d or newer? Thanks! |
Please stop suggesting that people install Slackware -current packages on Slackware 11.0.
This is *not* a solution, and in fact, it will create a problem if one does not already exist. |
To the OP:
http://rlworkman.net/howtos/glibc-recovery |
Also to the OP:
Either run Slackware 11.0 plus patches OR run Slackware -current. http://slackware.osuosl.org/slackware-11.0/patches/ |
I've restored the box from a Ghost image so it's back on Slackware 11.0.
It has the Apache, mod_ssl and OpenSSL versions that I want to run, but the problem is that the Apache SSL log shows that it's using OpenSSL 0.9.8b (not 0.9.8d as I would expect):
[18/May/2007 00:49:20 00373] [info] Server: Apache/1.3.37, Interface: mod_ssl/2.8.28, Library: OpenSSL/0.9.8b
How do I fix that? |
z-man5, from your posts above it looks like you installed everything from the 11.0 ISOs. These contain the packages as they were released at the time 11.0 was released. As rworkman stated, security updates can be found in the patches/ directory. This directory (and extra/) are the only ones that get updated during the life cycle of 11.0.
If you've already done this, sorry for repeating redundant information, I just wanted to make sure it was clear to you. |