Netgate Discussion Forum
    OpenSSL v1.0.1f - Heartbleed Bug

    General pfSense Questions

      th3r3isnospoon

      Hello everyone,

      I hope this is the correct section for this post (if not, please move, thank you!)

      I just saw news about a new, serious bug in OpenSSL which affects all versions lower than 1.0.1f.

      Here is a link explaining the problem: http://heartbleed.com/

      Here is a link from oss-sec with a fix: http://seclists.org/oss-sec/2014/q2/22

      I believe pfSense 2.1.1 uses OpenSSL 1.0.1f.  Is this something we should be worried about?  If so, are there ways to mitigate this issue?  Are there any plans to upgrade OpenSSL to 1.0.1g?

      Thank you,

      -th3r3isnospoon

        Frazze

        This needs to get patched ASAP!!!

          drees

          pfSense 2.1.1 ships with OpenSSL 0.9.8 which is not vulnerable and neither are earlier versions of pfSense, either.

          Edit: pfSense 2.1 and 2.1.1 also ship with OpenSSL 1.0.1 which is vulnerable.

            th3r3isnospoon

            @drees:

            pfSense 2.1.1 ships with OpenSSL 0.9.8 which is not vulnerable and neither are earlier versions of pfSense, either.

            I can't find the thread where jimp was saying that 2.1.1 is running 1.0.1f (I did read it earlier today before I posted this thread), but the thread I did find shows that 2.1 is running 1.0.1e.
            https://forum.pfsense.org/index.php?topic=68555.0

            However, when I SSH into my FW, it does show this:

            # openssl version
            OpenSSL 0.9.8y 5 Feb 2013

            Looks like there are two versions of OpenSSL included with pfSense.  Maybe the vulnerable version is used by OpenVPN?  And the older, stable version is used by racoon for IPsec tunnels?

            which openssl

            # /usr/local/bin/openssl version
            OpenSSL 1.0.1f 6 Jan 2014

            Thanks,

            -th3r3isnospoon

              magnawave

              If you look at what lighttpd and openvpn are linked against, I think it's safe to say pfSense is definitely vulnerable.  Due to the messed-up way this was released (major boo to the OpenSSL team for their ham-handed approach), quite a few vendors don't have fixes out yet.  But I hope the pfSense fix comes soon. :-))

              Remember, if you are running a prod site (with ANY SSL exposed to the Internet) and you get the OpenSSL fix - you need new certs too AFTER you patch, or you are possibly vulnerable to someone who already nabbed your private key.  There is no proof there is an exploit out there that does this - but assume there is!

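Following on from the two "openssl version" outputs in th3r3isnospoon's post and magnawave's point about what lighttpd and openvpn are linked against, here is an added example of how to check a box for this. It is not code from the thread, from pfSense or from the OpenSSL project. It classifies a version string as affected or not (affected: OpenSSL 1.0.1 through 1.0.1f, plus 1.0.2-beta1; the 0.9.8 and 1.0.0 branches and 1.0.1g onward are not), and for each daemon binary named on the command line it uses ldd(1) to find the libssl that binary actually loads and strings(1) to read the "OpenSSL x.y.z date" literal embedded in that library. The daemon paths in the usage comment (/usr/local/sbin/lighttpd, /usr/local/sbin/openvpn) and the two openssl locations are assumptions about a pfSense 2.1.x install, and the script assumes ldd and strings are available.

```shell
#!/bin/sh
# Added example for this page; not code from the forum thread, from pfSense
# or from the OpenSSL project. Two checks that follow from the posts above:
#   1. classify an "openssl version" string as Heartbleed-affected
#      (affected: OpenSSL 1.0.1 through 1.0.1f, and 1.0.2-beta1;
#       not affected: the 0.9.8 and 1.0.0 branches, and 1.0.1g or later);
#   2. find out which libssl a daemon binary really loads, and which
#      OpenSSL version that library is, because the openssl found on PATH
#      need not be the library that lighttpd or openvpn link against.
# Assumptions: ldd(1) and strings(1) are installed; the paths in
# check_openssl_binaries and in the usage comment are those of a
# pfSense 2.1.x box and may differ elsewhere.

# Print the bare version token ("1.0.1f") from a full version string such
# as "OpenSSL 1.0.1f 6 Jan 2014"; a bare token is passed through unchanged.
openssl_version_token() {
    set -- $1                           # split on whitespace (unquoted on purpose)
    [ "$1" = "OpenSSL" ] && shift
    printf '%s\n' "$1"
}

# Exit 0 when the version is in the Heartbleed-affected range, 1 otherwise.
heartbleed_affected() {
    case "$(openssl_version_token "$1")" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # 1.0.1 up to and including 1.0.1f
        1.0.2-beta1)      return 0 ;;   # fixed in 1.0.2-beta2
        *)                return 1 ;;   # 0.9.8x, 1.0.0x, 1.0.1g and later, or empty
    esac
}

# Version string embedded in a libssl/libcrypto shared object. OpenSSL
# builds carry "OpenSSL x.y.z date" as a literal, so strings(1) finds it
# without executing anything from the library.
lib_version_string() {
    strings "$1" 2>/dev/null | grep '^OpenSSL [0-9]' | head -n 1
}

# Print AFFECTED, ok or UNKNOWN for a version string; an empty string
# (no literal found in the library) is UNKNOWN, never ok.
classify() {
    if [ -z "$1" ]; then echo UNKNOWN
    elif heartbleed_affected "$1"; then echo AFFECTED
    else echo ok
    fi
}

# For one binary, list every libssl it is linked against (ldd(1) lines look
# like "libssl.so.N => /path/to/libssl.so.N (0x...)"), the version string of
# that library, and the classification of that version.
check_binary() {
    bin=$1
    [ -x "$bin" ] || { echo "$bin: not found or not executable"; return 2; }
    ldd "$bin" 2>/dev/null | awk '$1 ~ /^libssl/ { print $3 }' | while read -r lib; do
        ver=$(lib_version_string "$lib")
        printf '%s\n  %s\n  %s  (%s)\n' "$bin" "$lib" "$(classify "$ver")" "$ver"
    done
}

# Report each openssl(1) binary that exists; the thread shows two on one box
# (the base-system one and the one under /usr/local).
check_openssl_binaries() {
    for o in /usr/bin/openssl /usr/local/bin/openssl; do
        [ -x "$o" ] || continue
        ver=$("$o" version 2>/dev/null || true)
        printf '%s\n  %s  (%s)\n' "$o" "$(classify "$ver")" "$ver"
    done
}

# Usage: sh check_heartbleed.sh /usr/local/sbin/lighttpd /usr/local/sbin/openvpn
# With no arguments only the openssl binaries themselves are reported.
check_openssl_binaries
for b in "$@"; do
    check_binary "$b" || true           # keep going when one path is missing
done
```

Run it as root on the firewall with the daemon binaries you care about as arguments. A library whose version literal cannot be read is reported as UNKNOWN rather than ok, and a daemon still has to be restarted after the library is replaced, because ldd shows what a freshly started process would load, not what the running one already has mapped.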
                drees

                Yep, you are right. This thread should be merged with this one which covers the same topic:

                Patching/Upgrading OpenSSL

                  doktornotor

                  https://redmine.pfsense.org/issues/3585

                  Major PITA. Beyond updating OpenSSL, you should treat all private keys as completely compromised.  ::) >:(

                    raclure

                    Just for info, the website itself seems to be vulnerable:

                    http://filippo.io/Heartbleed/#pfsense.org

                      Cry Havok

                      Duplicate of https://forum.pfsense.org/index.php?topic=74796
