Netgate Discussion Forum

OpenSSL v1.0.1f - Heartbleed Bug

General pfSense Questions
9 Posts 7 Posters 10.3k Views
th3r3isnospoon
last edited by Apr 7, 2014, 10:28 PM

Hello everyone,

I hope this is the correct section for this post (if not, please move, thank you!)

I just saw news about a new, serious bug in OpenSSL which affects all versions lower than 1.0.1f.

Here is a link explaining the problem: http://heartbleed.com/

Here is a link from oss-sec with a fix: http://seclists.org/oss-sec/2014/q2/22

I believe pfSense 2.1.1 uses OpenSSL 1.0.1f. Is this something we should be worried about? If so, are there ways to mitigate this issue? Are there any plans to upgrade OpenSSL to 1.0.1g?

Thank you,

-th3r3isnospoon
Frazze
last edited by Apr 7, 2014, 11:53 PM

This needs to get patched ASAP!!!
drees
last edited by Apr 8, 2014, 4:46 AM Apr 8, 2014, 2:15 AM

pfSense 2.1.1 ships with OpenSSL 0.9.8 which is not vulnerable and neither are earlier versions of pfSense, either.

Edit: pfSense 2.1 and 2.1.1 also ship with OpenSSL 1.0.1 which is vulnerable.
th3r3isnospoon
last edited by Apr 8, 2014, 2:39 AM Apr 8, 2014, 2:33 AM

@drees:

pfSense 2.1.1 ships with OpenSSL 0.9.8 which is not vulnerable and neither are earlier versions of pfSense, either.

I can't find the thread where jimp was saying that 2.1.1 is running 1.0.1f (I did read it earlier today before I posted this thread), but the thread I did find shows that 2.1 is running 1.0.1e.
https://forum.pfsense.org/index.php?topic=68555.0

However, when I SSH into my FW, it does show this:

#openssl version
#OpenSSL 0.9.8y 5 Feb 2013

Looks like there are two versions of OpenSSL included with pfSense. Maybe the vulnerable version is used by OpenVPN? And the older, stable version is used by racoon for IPsec tunnels?

which openssl

#/usr/local/bin/openssl version
#OpenSSL 1.0.1f 6 Jan 2014

Thanks,

-th3r3isnospoon
magnawave
last edited by Apr 8, 2014, 4:15 AM

If you look at what lighttpd and openvpn are linked against, I think it's safe to say pfSense is definitely vulnerable. Due to the messed-up way this was released (major boo to the OpenSSL team for their ham-handed approach), quite a few vendors don't have fixes out yet. But I hope the pfSense fix comes soon. :-))

Remember, if you are running a prod site (with ANY SSL exposed to the Internet) and you get the OpenSSL fix - you need new certs too AFTER you patch or you are possibly vulnerable to someone who already nabbed your private key. There is no proof there is an exploit out there that does this - but assume there is!
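An added check in the spirit of magnawave's "look at what lighttpd and openvpn are linked against" and th3r3isnospoon's finding that pfSense 2.1.x carries two OpenSSL builds (example script, not from the thread or the pfSense project): it classifies an `openssl version` banner against the Heartbleed-affected range and reports which libcrypto a daemon actually loads. It assumes the FreeBSD/pfSense `ldd` and `strings` tools; the binary paths in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: Heartbleed (CVE-2014-0160) exposure
# check for a pfSense-style box that carries more than one OpenSSL build.

# Vulnerable builds: OpenSSL 1.0.1 through 1.0.1f (plus 1.0.2-beta1).
# 0.9.8 and 1.0.0 never had the TLS heartbeat extension, so they are unaffected.
# Caveat: vendors that backport the fix keep the old banner, so treat
# "vulnerable" as a prompt to confirm against the package changelog.
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" {print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f]*|1.0.2-beta1) echo vulnerable ;;
        1.0.1[g-z]*|1.0.2*|1.1*|3.*)   echo fixed ;;
        0.9.*|1.0.0*)                  echo not-affected ;;
        *)                             echo unknown ;;
    esac
}

# Print the version banner embedded in the libcrypto a binary really loads.
# This is what matters: the base system's /usr/bin/openssl may report 0.9.8y
# while the daemons in /usr/local link against the 1.0.1f port, so the banner of
# whichever `openssl` is first in PATH can mislead.
linked_libcrypto_version() {
    for lib in $(ldd "$1" 2>/dev/null | awk '/libcrypto/ {print $3}'); do
        strings "$lib" | grep -m1 '^OpenSSL [0-9]'
    done
}

# Usage (paths are assumptions): sh check_heartbleed.sh \
#     /usr/local/sbin/openvpn /usr/local/sbin/lighttpd /usr/bin/openssl
for bin in "$@"; do
    banner=$(linked_libcrypto_version "$bin")
    printf '%-32s %-28s %s\n' "$bin" "${banner:-<no libcrypto found>}" \
        "$(heartbleed_status "$banner")"
done
```

A "vulnerable" result for any Internet-facing daemon means patching alone is not enough: the keys that process served should be reissued afterwards, as the post above says.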
drees
last edited by Apr 8, 2014, 4:45 AM

Yep, you are right. This thread should be merged with this one which covers the same topic:

Patching/Upgrading OpenSSL
doktornotor
last edited by Apr 8, 2014, 9:43 AM

https://redmine.pfsense.org/issues/3585

Major PITA, beyond updating openssl, you should treat all private keys as completely compromised. ::) >:(
raclure
last edited by Apr 8, 2014, 11:39 AM

Just for info, the website itself seems to be vulnerable:

http://filippo.io/Heartbleed/#pfsense.org
Cry Havok
last edited by Apr 8, 2014, 1:19 PM

Duplicate of https://forum.pfsense.org/index.php?topic=74796