When does PFSense plan on upgrading OpenSSL >= 1.0.1c
-
[2.1-RELEASE][root@pfsense-amd64.localdomain]/root(1): /usr/local/bin/openssl version
OpenSSL 1.0.1e 11 Feb 2013
2.1 has 1.0.1e and it is used for OpenVPN, IPsec, etc.
-
Was not aware of the existence of two versions of openssl on the system. Still, the version bundled with my 2.1 release is < 1.0.1c.
# openssl version
OpenSSL 0.9.8y 5 Feb 2013
# which openssl
/usr/bin/openssl
# /usr/local/bin/openssl version
OpenSSL 1.0.0h 12 Mar 2012
This was an upgrade from a 2.1 development snapshot. Do I need to perform a clean installation of 2.1 to get the 1.0.1e OpenSSL binary?
-
You should get it just by upgrading to 2.1-RELEASE. I'm not sure how you would have ended up with a binary that old unless it didn't really update your system somehow.
-
You should get it just by upgrading to 2.1-RELEASE. I'm not sure how you would have ended up with a binary that old unless it didn't really update your system somehow.
That makes two of us.
I'll go ahead with a fresh installation to see if that resolves the issue.
-
Fresh installation solved the problem.
# /usr/local/bin/openssl version
OpenSSL 1.0.1e 11 Feb 2013
-
# /usr/bin/openssl version
OpenSSL 0.9.8y 5 Feb 2013
# /usr/local/bin/openssl version
OpenSSL 1.0.1e 11 Feb 2013
Why are there 2 openssl versions installed??
By default, the first OLD one is used!
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
Is it an NSA "recommendation"?
-
The FreeBSD base system uses/needs the older one, it is not easily upgraded or replaced. It is current/secure on its line.
Most things will use the newer one, we don't just run "openssl" we use full paths to things (trusting $PATH is bad), and you can check with ldd which version of the library things like OpenVPN will use.
It's not a conspiracy or a problem.
-
Any word on if/when this will be upgraded to 1.0.1g to deal with this Heartbleed bug?
https://www.openssl.org/news/secadv_20140407.txt
What versions of the OpenSSL are affected?
Status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
-
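An added example, not part of this thread or of pfSense itself, that turns the two points above into a check: it classifies each `openssl version` line against the ranges in the quoted advisory (1.0.1 through 1.0.1f affected; 1.0.1g, 1.0.0 and 0.9.8 not), and uses ldd to show which libssl a daemon actually loads instead of trusting $PATH. The openssl paths are the ones from this thread; the OpenVPN path is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): check which OpenSSL versions a box
# carries and which one a given daemon really links against.

# Return 0 if an `openssl version` line falls in the Heartbleed-affected
# range 1.0.1 .. 1.0.1f, 1 otherwise. 1.0.1g+, 1.0.0 and 0.9.8 return 1.
heartbleed_affected() {
    set -- $1                       # split "OpenSSL 1.0.1e 11 Feb 2013" on spaces
    case "$2" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;   # advisory: vulnerable
        *) return 1 ;;                               # advisory: not affected
    esac
}

# Run every openssl binary given and print its version and classification.
# Missing or non-executable paths are skipped, so this is safe on any host.
report_openssl_binaries() {
    for bin in "$@"; do
        [ -x "$bin" ] || continue
        line=$("$bin" version 2>/dev/null) || continue
        if heartbleed_affected "$line"; then
            printf '%s: %s -> AFFECTED (Heartbleed)\n' "$bin" "$line"
        else
            printf '%s: %s -> not affected\n' "$bin" "$line"
        fi
    done
}

# Show the libssl/libcrypto a binary loads at runtime (the thread's ldd tip);
# $PATH order is irrelevant to this, only the linker's search path matters.
linked_openssl_libs() {
    ldd "$1" 2>/dev/null | grep -E 'lib(ssl|crypto)'
}

# Paths from the thread, plus an assumed OpenVPN location for the ldd check.
report_openssl_binaries /usr/bin/openssl /usr/local/bin/openssl
linked_openssl_libs /usr/local/sbin/openvpn
```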
See one of the other dozen threads already open for Heartbleed. Soon.
-
Thanks for the quick response, and sorry for the duplicate.