heartbleed in openresty

vitaly.kosenko

Hello! I am reading about http://heartbleed.com/ and I have debian wheezy with last version of openresty. I don't install openssl manually. I've installed only libssl as in

Prerequisites

vitaly.kosenko · 2014-07-23T17:47:32+00:00

Hello! On Wed, Jul 23, 2014 at 12:57 PM, Aleksey Smart wrote: > I can't use content_by_lua, because it does not available to get http > response statu...

You should have perl 5.6.1+, libreadline, libpcre, libsslinstalled into your system. For Linux, you should also ensure thatldconfig is in your PATH environment.

And there is openssl version OpenSSL 1.0.1e 11 Feb 2013 on my machine (I think openresty installs it). It is vulnerable to heartbleed isn't it? How to tell openresty to use other openssl or configure it with -DOPENSSL_NO_HEARTBEATS?

lazy.dogtown

you can test with https://testssl.sh/ locally, but if you have a
recent wheezy and  you shgould be fine; debian backports bugfixes but
doesnt increase the version-number for openssl

this is from my (fixed) debian/7:

[ you@me :~] > openssl version
OpenSSL 1.0.1e 11 Feb 2013

[ you@me :~/testssl.sh] > ./testssl.sh  localhost

#########################################################
testssl.sh v2.1alpha  (https://testssl.sh)
($Id: testssl.sh,v 1.112 2014/07/16 16:54:10 dirkw Exp $)


Using "OpenSSL 1.0.1e 11 Feb 2013" [Jun  4 18:39:57 2014]
      on "localhost:/usr/bin/openssl"

Testing now (2014-07-23 14:17) ---> 127.0.0.1:443 (localhost) <---

...

--> Testing specific vulnerabilities

 Heartbleed (CVE-2014-0160), experimental  NOT vulnerable (ok)
 CCS  (CVE-2014-0224), experimental        NOT vulnerable (ok)
 Renegotiation (CVE 2009-3555)             NOT vulnerable (ok)
 CRIME, TLS (CVE-2012-4929)                NOT vulnerable (ok)



2014-07-23 11:47 GMT+02:00 Vitaly Kosenko <vitaly...@gmail.com>:
> Hello! I am reading about http://heartbleed.com/ and I have debian wheezy
> with last version of openresty. I don't install openssl manually. I've
> installed only libssl as in
>
> Prerequisites
>
> You should have perl 5.6.1+, libreadline, libpcre, libsslinstalled into your
> system. For Linux, you should also ensure thatldconfig is in your PATH
> environment.
>
> And there is openssl version OpenSSL 1.0.1e 11 Feb 2013 on my machine (I
> think openresty installs it). It is vulnerable to heartbleed isn't it? How
> to tell openresty to use other openssl or configure it with
> -DOPENSSL_NO_HEARTBEATS?.

vitaly.kosenko

Okey. A have this one 11 Feb 13

2014-07-23 18:18 GMT+06:00 mex <lazy....@gmail.com>:

you can test with https://testssl.sh/ locally, but if you have a
recent wheezy and you shgould be fine; debian backports bugfixes but
doesnt increase the version-number for openssl

this is from my (fixed) debian/7:

[ you@me :~] > openssl version

OpenSSL 1.0.1e 11 Feb 2013

[ you@me :~/testssl.sh] > ./testssl.sh localhost

#########################################################
testssl.sh v2.1alpha (https://testssl.sh)
($Id: testssl.sh,v 1.112 2014/07/16 16:54:10 dirkw Exp $)

Using "OpenSSL 1.0.1e 11 Feb 2013" [Jun 4 18:39:57 2014]
on "localhost:/usr/bin/openssl"

Testing now (2014-07-23 14:17) ---> 127.0.0.1:443 (localhost) <---

...

--> Testing specific vulnerabilities

Heartbleed (CVE-2014-0160), experimental NOT vulnerable (ok)
CCS (CVE-2014-0224), experimental NOT vulnerable (ok)
Renegotiation (CVE 2009-3555) NOT vulnerable (ok)
CRIME, TLS (CVE-2012-4929) NOT vulnerable (ok)

2014-07-23 11:47 GMT+02:00 Vitaly Kosenko <vitaly...@gmail.com>:

> Hello! I am reading about http://heartbleed.com/ and I have debian wheezy
> with last version of openresty. I don't install openssl manually. I've
> installed only libssl as in
>
> Prerequisites
>
> You should have perl 5.6.1+, libreadline, libpcre, libsslinstalled into your
> system. For Linux, you should also ensure thatldconfig is in your PATH
> environment.
>
> And there is openssl version OpenSSL 1.0.1e 11 Feb 2013 on my machine (I
> think openresty installs it). It is vulnerable to heartbleed isn't it? How
> to tell openresty to use other openssl or configure it with
> -DOPENSSL_NO_HEARTBEATS?
>
> --
.

lazy.dogtown

check your local system with the testscript i liked in my mail

2014-07-23 14:35 GMT+02:00 Vitaly Kosenko <vitaly...@gmail.com>:
> Okey. A have this one 11 Feb 13
>
>
> 2014-07-23 18:18 GMT+06:00 mex <lazy....@gmail.com>:
>>
>> you can test with https://testssl.sh/ locally, but if you have a
>> recent wheezy and  you shgould be fine; debian backports bugfixes but
>> doesnt increase the version-number for openssl
>>
>> this is from my (fixed) debian/7:
>>
>> [ you@me :~] > openssl version
>> OpenSSL 1.0.1e 11 Feb 2013
>>
>> [ you@me :~/testssl.sh] > ./testssl.sh  localhost
>>
>> #########################################################
>> testssl.sh v2.1alpha  (https://testssl.sh)
>> ($Id: testssl.sh,v 1.112 2014/07/16 16:54:10 dirkw Exp $)
>>
>>
>> Using "OpenSSL 1.0.1e 11 Feb 2013" [Jun  4 18:39:57 2014]
>>       on "localhost:/usr/bin/openssl"
>>
>> Testing now (2014-07-23 14:17) ---> 127.0.0.1:443 (localhost) <---
>>
>> ...
>>
>> --> Testing specific vulnerabilities
>>
>>  Heartbleed (CVE-2014-0160), experimental  NOT vulnerable (ok)
>>  CCS  (CVE-2014-0224), experimental        NOT vulnerable (ok)
>>  Renegotiation (CVE 2009-3555)             NOT vulnerable (ok)
>>  CRIME, TLS (CVE-2012-4929)                NOT vulnerable (ok)
>>
>>
>>
>> 2014-07-23 11:47 GMT+02:00 Vitaly Kosenko <vitaly...@gmail.com>:
>> > Hello! I am reading about http://heartbleed.com/ and I have debian
>> > wheezy
>> > with last version of openresty. I don't install openssl manually. I've
>> > installed only libssl as in
>> >
>> > Prerequisites
>> >
>> > You should have perl 5.6.1+, libreadline, libpcre, libsslinstalled into
>> > your
>> > system. For Linux, you should also ensure thatldconfig is in your PATH
>> > environment.
>> >
>> > And there is openssl version OpenSSL 1.0.1e 11 Feb 2013 on my machine (I
>> > think openresty installs it). It is vulnerable to heartbleed isn't it?
>> > How
>> > to tell openresty to use other openssl or configure it with
>> > -DOPENSSL_NO_HEARTBEATS?.

manchev

You could try LibreSSL [1] instead.

Still haven't tested it with OpenResty, but it's on my list for this week.

Also, OpenResty *is not* installing OpenSSL on your system, it's just linked against it.

[1]: http://www.libressl.org

Best,
Vladislav

On Wed, Jul 23, 2014 at 4:15 PM, mex <lazy....@gmail.com> wrote:

check your local system with the testscript i liked in my mail

2014-07-23 14:35 GMT+02:00 Vitaly Kosenko <vitaly...@gmail.com>:

> Okey. A have this one 11 Feb 13
>
>
> 2014-07-23 18:18 GMT+06:00 mex <lazy....@gmail.com>:
>>
>> you can test with https://testssl.sh/ locally, but if you have a
>> recent wheezy and you shgould be fine; debian backports bugfixes but
>> doesnt increase the version-number for openssl
>>
>> this is from my (fixed) debian/7:
>>
>> [ you@me :~] > openssl version
>> OpenSSL 1.0.1e 11 Feb 2013
>>
>> [ you@me :~/testssl.sh] > ./testssl.sh localhost
>>
>> #########################################################
>> testssl.sh v2.1alpha (https://testssl.sh)
>> ($Id: testssl.sh,v 1.112 2014/07/16 16:54:10 dirkw Exp $)
>>
>>
>> Using "OpenSSL 1.0.1e 11 Feb 2013" [Jun 4 18:39:57 2014]
>> on "localhost:/usr/bin/openssl"
>>
>> Testing now (2014-07-23 14:17) ---> 127.0.0.1:443 (localhost) <---
>>
>> ...
>>
>> --> Testing specific vulnerabilities
>>
>> Heartbleed (CVE-2014-0160), experimental NOT vulnerable (ok)
>> CCS (CVE-2014-0224), experimental NOT vulnerable (ok)
>> Renegotiation (CVE 2009-3555) NOT vulnerable (ok)
>> CRIME, TLS (CVE-2012-4929) NOT vulnerable (ok)
>>
>>
>>
>> 2014-07-23 11:47 GMT+02:00 Vitaly Kosenko <vitaly...@gmail.com>:
>> > Hello! I am reading about http://heartbleed.com/ and I have debian
>> > wheezy
>> > with last version of openresty. I don't install openssl manually. I've
>> > installed only libssl as in
>> >
>> > Prerequisites
>> >
>> > You should have perl 5.6.1+, libreadline, libpcre, libsslinstalled into
>> > your
>> > system. For Linux, you should also ensure thatldconfig is in your PATH
>> > environment.
>> >
>> > And there is openssl version OpenSSL 1.0.1e 11 Feb 2013 on my machine (I
>> > think openresty installs it). It is vulnerable to heartbleed isn't it?
>> > How
>> > to tell openresty to use other openssl or configure it with
>> > -DOPENSSL_NO_HEARTBEATS?.

lazy.dogtown

at least with nginx there is no problem using libressl
(but not recommended for production)

http://forum.nginx.org/read.php?2,251718



2014-07-23 18:58 GMT+02:00 Vladislav Manchev <man...@bin.bz>:
> You could try LibreSSL [1] instead.
>
> Still haven't tested it with OpenResty, but it's on my list for this week.
>
> Also, OpenResty *is not* installing OpenSSL on your system, it's just linked
> against it.
>
> [1]: http://www.libressl.org
>
>
> Best,
> Vladislav
>
>
> On Wed, Jul 23, 2014 at 4:15 PM, mex <lazy....@gmail.com> wrote:
>>
>> check your local system with the testscript i liked in my mail
>>
>> 2014-07-23 14:35 GMT+02:00 Vitaly Kosenko <vitaly...@gmail.com>:
>> > Okey. A have this one 11 Feb 13
>> >
>> >
>> > 2014-07-23 18:18 GMT+06:00 mex <lazy....@gmail.com>:
>> >>
>> >> you can test with https://testssl.sh/ locally, but if you have a
>> >> recent wheezy and  you shgould be fine; debian backports bugfixes but
>> >> doesnt increase the version-number for openssl
>> >>
>> >> this is from my (fixed) debian/7:
>> >>
>> >> [ you@me :~] > openssl version
>> >> OpenSSL 1.0.1e 11 Feb 2013
>> >>
>> >> [ you@me :~/testssl.sh] > ./testssl.sh  localhost
>> >>
>> >> #########################################################
>> >> testssl.sh v2.1alpha  (https://testssl.sh)
>> >> ($Id: testssl.sh,v 1.112 2014/07/16 16:54:10 dirkw Exp $)
>> >>
>> >>
>> >> Using "OpenSSL 1.0.1e 11 Feb 2013" [Jun  4 18:39:57 2014]
>> >>       on "localhost:/usr/bin/openssl"
>> >>
>> >> Testing now (2014-07-23 14:17) ---> 127.0.0.1:443 (localhost) <---
>> >>
>> >> ...
>> >>
>> >> --> Testing specific vulnerabilities
>> >>
>> >>  Heartbleed (CVE-2014-0160), experimental  NOT vulnerable (ok)
>> >>  CCS  (CVE-2014-0224), experimental        NOT vulnerable (ok)
>> >>  Renegotiation (CVE 2009-3555)             NOT vulnerable (ok)
>> >>  CRIME, TLS (CVE-2012-4929)                NOT vulnerable (ok)
>> >>
>> >>
>> >>
>> >> 2014-07-23 11:47 GMT+02:00 Vitaly Kosenko <vitaly...@gmail.com>:
>> >> > Hello! I am reading about http://heartbleed.com/ and I have debian
>> >> > wheezy
>> >> > with last version of openresty. I don't install openssl manually.
>> >> > I've
>> >> > installed only libssl as in
>> >> >
>> >> > Prerequisites
>> >> >
>> >> > You should have perl 5.6.1+, libreadline, libpcre, libsslinstalled
>> >> > into
>> >> > your
>> >> > system. For Linux, you should also ensure thatldconfig is in your
>> >> > PATH
>> >> > environment.
>> >> >
>> >> > And there is openssl version OpenSSL 1.0.1e 11 Feb 2013 on my machine
>> >> > (I
>> >> > think openresty installs it). It is vulnerable to heartbleed isn't
>> >> > it?
>> >> > How
>> >> > to tell openresty to use other openssl or configure it with
>> >> > -DOPENSSL_NO_HEARTBEATS?.

manchev

Thanks for the heads up!

Recommended or not, I'll have to use it on some servers running OpenBSD because with the next release there will be no OpenSSL ;)

Actually, I would prefer to use LibreSSL elsewhere too as I've been following development and I'm a bit scared to touch OpenSSL.

Will definitely post details in a separate thread after I've done extensive tests.

Best,
Vladislav

On Thu, Jul 24, 2014 at 12:37 PM, mex <lazy....@gmail.com> wrote:

at least with nginx there is no problem using libressl
(but not recommended for production)

http://forum.nginx.org/read.php?2,251718

2014-07-23 18:58 GMT+02:00 Vladislav Manchev <man...@bin.bz>:

> You could try LibreSSL [1] instead.
>
> Still haven't tested it with OpenResty, but it's on my list for this week.
>
> Also, OpenResty *is not* installing OpenSSL on your system, it's just linked
> against it.
>
> [1]: http://www.libressl.org
>
>
> Best,
> Vladislav
>
>
> On Wed, Jul 23, 2014 at 4:15 PM, mex <lazy....@gmail.com> wrote:
>>
>> check your local system with the testscript i liked in my mail
>>
>> 2014-07-23 14:35 GMT+02:00 Vitaly Kosenko <vitaly...@gmail.com>:
>> > Okey. A have this one 11 Feb 13
>> >
>> >
>> > 2014-07-23 18:18 GMT+06:00 mex <lazy....@gmail.com>:
>> >>
>> >> you can test with https://testssl.sh/ locally, but if you have a
>> >> recent wheezy and you shgould be fine; debian backports bugfixes but
>> >> doesnt increase the version-number for openssl
>> >>
>> >> this is from my (fixed) debian/7:
>> >>
>> >> [ you@me :~] > openssl version
>> >> OpenSSL 1.0.1e 11 Feb 2013
>> >>
>> >> [ you@me :~/testssl.sh] > ./testssl.sh localhost
>> >>
>> >> #########################################################
>> >> testssl.sh v2.1alpha (https://testssl.sh)
>> >> ($Id: testssl.sh,v 1.112 2014/07/16 16:54:10 dirkw Exp $)
>> >>
>> >>
>> >> Using "OpenSSL 1.0.1e 11 Feb 2013" [Jun 4 18:39:57 2014]
>> >> on "localhost:/usr/bin/openssl"
>> >>
>> >> Testing now (2014-07-23 14:17) ---> 127.0.0.1:443 (localhost) <---
>> >>
>> >> ...
>> >>
>> >> --> Testing specific vulnerabilities
>> >>
>> >> Heartbleed (CVE-2014-0160), experimental NOT vulnerable (ok)
>> >> CCS (CVE-2014-0224), experimental NOT vulnerable (ok)
>> >> Renegotiation (CVE 2009-3555) NOT vulnerable (ok)
>> >> CRIME, TLS (CVE-2012-4929) NOT vulnerable (ok)
>> >>
>> >>
>> >>
>> >> 2014-07-23 11:47 GMT+02:00 Vitaly Kosenko <vitaly...@gmail.com>:
>> >> > Hello! I am reading about http://heartbleed.com/ and I have debian
>> >> > wheezy
>> >> > with last version of openresty. I don't install openssl manually.
>> >> > I've
>> >> > installed only libssl as in
>> >> >
>> >> > Prerequisites
>> >> >
>> >> > You should have perl 5.6.1+, libreadline, libpcre, libsslinstalled
>> >> > into
>> >> > your
>> >> > system. For Linux, you should also ensure thatldconfig is in your
>> >> > PATH
>> >> > environment.
>> >> >
>> >> > And there is openssl version OpenSSL 1.0.1e 11 Feb 2013 on my machine
>> >> > (I
>> >> > think openresty installs it). It is vulnerable to heartbleed isn't
>> >> > it?
>> >> > How
>> >> > to tell openresty to use other openssl or configure it with
>> >> > -DOPENSSL_NO_HEARTBEATS?.