LinuxQuestions.org

Slackware forum thread: https://www.linuxquestions.org/questions/slackware-14/openssl-version-different-in-log-and-pkgtool-554933/

z-man5 05-18-2007 10:50 AM

OpenSSL version different in log and pkgtool
 
Hi, I installed Slackware 11 with OpenSSL 0.9.8d (at least that is what I was hoping for).

'openssl version' gives:
OpenSSL 0.9.8d 28 Sep 2006

pkgtool shows the same version.

But ssl.log shows:
(...) Library: OpenSSL/0.9.8b

So which one is valid? I don't think I could make a mess here, since I didn't perform any upgrades, the version is latest packaged for Slackware.

Any help is appreciated.

Matir 05-18-2007 10:52 AM

Is that the Apache SSL log? If so, Apache may be statically linked against the SSL libs and so would need an upgrade or recompile.

z-man5 05-18-2007 11:11 AM

Yes, it is Apache SSL log.

[18/May/2007 00:49:20 00373] [info] Server: Apache/1.3.37, Interface: mod_ssl/2.8.28, Library: OpenSSL/0.9.8b

There are no updates for Apache or OpenSSL on the Slackware ftp site. Wouldn't it all be set 'right out of the box'?

Thanks.

Alien_Hominid 05-18-2007 11:14 AM

Pat might have upgraded OpenSSL, but not recompiled Apache. Did you check Slackware-current to see if you really need the new version?

z-man5 05-18-2007 11:46 AM

apache-1.3.37-i486-3 (Apr 7 23:36) is available, and I have apache-1.3.37-i486-2.

Do you think upgrading to the new Apache package will take care of it?

openssl-0.9.8e-i486-2 (May 14 22:37) is also available, but would I have to recompile Apache for it to be used? I guess I don't have to have the latest, but I would like to patch any security problems, so I would like to make sure Apache uses at least 0.9.8d.

Alien_Hominid 05-18-2007 11:51 AM

Now. You do not have to recompile anything if you use plain stable or plain current. If you mix, sometimes you will have, but I don't think that this includes apache. This thing is more important for dev packages, kernel, etc.

z-man5 05-18-2007 01:14 PM

Thank you for your help - I'll try upgrading Apache tomorrow.

z-man5 05-19-2007 09:11 PM

Hi, no luck so far. But since I'm right now waiting for a restore of a Ghost 8 image I made earlier "just in case", I can tell you a bit more of my story.

The reason for touching this server was the security vulnerabilities in OpenSSL versions prior to 0.9.8d and 0.9.7l:
http://www.slackware.com/security/vi...ecurity.676946

To stick with the distribution of choice of our parent company I downloaded Slackware 11.0 CD ISOs, and installed on a spare box with minimum of packages. I upgraded a few packages:
bash-3.2.015-i486-1_slack11.0.tgz
bind-9.3.4-i486-1_slack11.0.tgz
php-4.4.7-i486-1_slack11.0.tgz
tar-1.16-i486-1_slack11.0.tgz

I checked the versions of all essential packages, and they all were the latest for Slack 11.0, and OpenSSL was 0.9.8d, so it was good to go. I did not upgrade Apache, OpenSSL, or mod_ssl.

I copied the Bind and Apache configuration files, certificate files and logs from the old box to the new one, and after a bit of time spent changing paths (the old box was RedHat 8) I got it to work - Apache started, and it was working fine.

But I checked the SSL_LOG, and while starting, one of the lines logged by Apache was:
[18/May/2007 00:49:20 00373] [info] Server: Apache/1.3.37, Interface: mod_ssl/2.8.28, Library: OpenSSL/0.9.8b

OpenSSL 0.9.8b is one of the vulnerable versions (possibility of denial of service and buffer overrun, which I think is pretty serious).

Today I tried:
upgrading Apache to apache-1.3.37-i486-3.tgz from "Current"
upgrading OpenSSL to openssl-0.9.8e-i486-2.tgz from "Current"
upgrading to openssl-solibs-0.9.8e-i486-2.tgz from "Current"
reinstalling mod_ssl mod_ssl-2.8.28_1.3.37-i486-1.tgz - after reading the http://www.modssl.org/example/ example installation steps and realizing that it's mod_ssl that holds Apache and OpenSSL together.

None of that helped. Then I took a look at the line from the http.conf file thinking that maybe it needs to be changed on the new system:

LoadModule ssl_module libexec/apache/libssl.so

This file was dated before Sep-2006, and I searched for all files with that name and found newer (I think in /usr/lib). I tried to replace the file into ..libexec/apache/libssl.so but then Apache would not start - it gave the error:
httpd can't locate API module structure 'ssl_module'

I switched back to the old libssl.so file. I renamed the file and re-installed mod_ssl-2.8.28_1.3.37-i486-1.tgz. It put the same file back (same size and time).

Then I searched for possibilities for 'LoadModule ssl_module' directive in httpd.conf - and found that some people used 'mod_ssl.so'. I ran 'find' for that file, but it didn't find it, and instead it gave this message:

find: WARNING: Hard link count is wrong for /proc: this may be a bug in your filesystem driver. Automatically turning on find's -noleaf option.
Earlier results may have failed to include directories that should have been searched.


First I booted from the CD and ran reiserfsck on each partition, and everything was fine. Then I read the tip:
http://murrey.inferential.com/piperm...er/000237.html
suggesting that find may have a bug - so I upgraded from findutils-4.2.28-i486-? to findutils-4.2.30-i486-1.tgz.
That made find scream that it needs GLIBC 2.4, so I downloaded and upgraded to glibc-2.5-i486-2.tgz which gave the error "FATAL: kernel too old" pretty much on every command, and caused me to sit here while restoring from Ghost image.

So I am smarter by that lesson :), but what did I do wrong before today that Apache logged using OpenSSL 0.9.8b while OpenSSL from the CD was version 0.9.8d?

Thanks.

Alien_Hominid 05-20-2007 01:56 AM

Check this (from current changelog):

Quote:

n/httpd-2.2.4-i486-1.tgz: The package formerly known as "apache", upgraded
to httpd-2.2.4.
n/mod_ssl-2.8.28_1.3.37-i486-1.tgz: Removed, as this is now built into httpd.

z-man5 05-21-2007 10:18 AM

Oh, this was done just a few days ago.

But I don't want to install httpd-2.2.4-i486-1.tgz yet, do you think I should try asking the Slackware team to recompile mod_ssl-2.8.28_1.3.37 to include OpenSSL 0.9.8d or newer?

Thanks!

rworkman 05-21-2007 10:28 AM

Please stop suggesting that people install Slackware -current packages on Slackware 11.0.
This is *not* a solution, and in fact, it will create a problem if one does not already exist.

rworkman 05-21-2007 10:29 AM

To the OP:
http://rlworkman.net/howtos/glibc-recovery

rworkman 05-21-2007 10:33 AM

Also to the OP:
Either run Slackware 11.0 plus patches OR run Slackware -current.
http://slackware.osuosl.org/slackware-11.0/patches/

z-man5 05-21-2007 10:52 AM

I've restored the box from a Ghost image so it's back on Slackware 11.0.

It has the Apache, Mod_SSL and OpenSSL versions that I want to run, but the problem is in the Apache SSL log it shows that it's using OpenSSL 0.9.8b (not 0.9.8d as I would expect):
[18/May/2007 00:49:20 00373] [info] Server: Apache/1.3.37, Interface: mod_ssl/2.8.28, Library: OpenSSL/0.9.8b

How do I fix that?

drumz 05-21-2007 11:46 AM

z-man5, from your posts above it looks like you installed everything from the 11.0 ISOs. These contain the packages as they were released at the time 11.0 was released. As rworkman stated, security updates can be found in the patches/ directory. That directory (and extra/) are the only ones that get updated during the life cycle of 11.0.

If you've already done this, sorry for repeating redundant information, I just wanted to make sure it was clear to you.
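An added example, not code from the thread, for settling the question the thread circles around: which OpenSSL does a module such as libexec/apache/libssl.so actually carry? mod_ssl logs the version of the OpenSSL code it was built with or linked to, so when that differs from `openssl version` the module is either statically linked against an older copy or loading a stale libssl.so. The functions below pull the embedded "OpenSSL x.y.z" markers out of a file, check whether it links libssl dynamically, and compare against the system version; the function names and the sample file are mine, the paths in the comments are the thread's.

```shell
#!/bin/sh
# Added example: find out which OpenSSL a binary or module really carries.

# Print every bare OpenSSL version marker embedded in a file, one per line
# (e.g. 0.9.8b). -a treats ELF objects as text, so this works on
# /usr/libexec/apache/libssl.so or on httpd itself.
embedded_openssl_versions() {
    grep -a -o 'OpenSSL [0-9]\.[0-9]\.[0-9][a-z]*' "$1" 2>/dev/null \
        | sed 's/^OpenSSL //' | sort -u
}

# Bare version reported by the system's openssl binary (e.g. 0.9.8d).
system_openssl_version() {
    openssl version 2>/dev/null | awk '{print $2}'
}

# "yes" if the ELF object links libssl/libcrypto dynamically, "no" if it
# does not (a static build, or not an ELF object at all).
links_openssl_dynamically() {
    ldd "$1" 2>/dev/null | grep -q 'lib\(ssl\|crypto\)\.so' \
        && echo yes || echo no
}

# Compare the versions embedded in a module with the system version.
# Prints "match" (exit 0), "mismatch <embedded>" (exit 1) when the module
# carries a different OpenSSL, or "unknown" (exit 2) if no marker is found.
compare_with_system() {
    mod="$1"
    sys="$2"
    found=no
    for v in $(embedded_openssl_versions "$mod"); do
        found=yes
        [ "$v" = "$sys" ] || { echo "mismatch $v"; return 1; }
    done
    if [ "$found" = yes ]; then
        echo match
        return 0
    fi
    echo unknown
    return 2
}

# Typical invocation on the box from the thread (commented out so the file
# runs stand-alone without Apache installed):
# compare_with_system /usr/libexec/apache/libssl.so "$(system_openssl_version)"
# links_openssl_dynamically /usr/libexec/apache/libssl.so
```

A "mismatch 0.9.8b" together with "no" from `links_openssl_dynamically` means the module bundles its own OpenSSL and upgrading the openssl package alone cannot change what mod_ssl logs; only a rebuilt module or the distribution's patches/ package for it will.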

