Some notes which may be of use to other FreeBSD users experiencing similar issues.
1. freebsd-update to get the latest patched version of the BASE install you are using. This will take care of the libssl which comes with the OS.
2. You must check for other versions of libssl on your machine. Custombuild and DA for example may use OpenSSL installed from PORTS/packages, which won't be updated when you fix the OS.
Code:
# locate libssl
/usr/lib/dovecot/libssl_iostream_openssl.a
/usr/lib/dovecot/libssl_iostream_openssl.la
/usr/lib/dovecot/libssl_iostream_openssl.so
/usr/lib/libssl.a
/usr/lib/libssl.so
/usr/lib/libssl.so.6 <---- OS version updated with freebsd-update
/usr/lib/libssl_p.a
/usr/lib32/libssl.a
/usr/lib32/libssl.so
/usr/lib32/libssl.so.6
/usr/lib32/libssl_p.a
/usr/local/lib/libssl.a
/usr/local/lib/libssl.so
/usr/local/lib/libssl.so.8 <------- third-party version installed from pkg/ports
You need to interrogate the configuration to see which one apache is using:
Code:
# ldd `which httpd` | grep ssl
libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8009a9000)
Then check which version of OpenSSL that lib comes from:
Code:
# strings /usr/local/lib/libssl.so.8 | grep "^OpenSSL "
OpenSSL 1.0.1e 11 Feb 2013
So, even though
Code:
# openssl version
OpenSSL 0.9.8y 5 Feb 2013
reports a safe version (FreeBSD 9.2 p3), your httpd/apache is linked to and running with an unsafe version.
3. Resolution is to remove the affected version and update to a newer version.
3.1 I had to deinstall the old package and install the latest port for openssl. (at this time there was not an updated package yet, but ports had an updated one)
NOTE: Doing this on a production machine will make WEB and EMAIL services unavailable until you are done.
Code:
# pkg_info | grep ssl
openssl-1.0.1_8 SSL and crypto library
# portsnap fetch extract
....
# pkg_delete openssl-1.0.1_8
# cd /usr/ports/security/openssl/ ; make ; make install
# apachectl stop
# apachectl start
Your problem should now be solved.
PS: Thanks to folks at nginx, found some handy hints there:
http://nginx.com/blog/nginx-and-the-heartbleed-vulnerability/
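An added example, not from the original post, that scripts the step-2 check for any binary: ldd to find the libssl the process actually loads, strings to read that library's version, then a comparison against the Heartbleed-affected range (OpenSSL 1.0.1 through 1.0.1f; 1.0.1g and later are fixed, the 0.9.8 and 1.0.0 branches were never affected). The function names and the sample ldd/strings lines are my own, built from the output quoted above.

```shell
#!/bin/sh
# Added example (not part of the original post): automate the ldd + strings
# check and flag the Heartbleed-affected range (1.0.1 .. 1.0.1f).

# Pull the resolved libssl path out of ldd output ("name => path (addr)").
# Lines such as "libssl.so.8 => not found" are skipped (no leading slash).
libssl_path_from_ldd() {
    printf '%s\n' "$1" | awk '/libssl\.so/ && $3 ~ /^\// { print $3; exit }'
}

# Pull the version token out of strings output ("OpenSSL 1.0.1e 11 Feb 2013").
openssl_version_from_strings() {
    printf '%s\n' "$1" | awk '/^OpenSSL [0-9]/ { print $2; exit }'
}

# Exit 0 when the version is in the affected range, 1 otherwise.
# Suffixed builds such as "1.0.1e-fips" are matched on their base version.
heartbleed_vulnerable() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.1-*|1.0.1[a-f]-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report on one binary: exit 0 if affected, 1 if not, 2 if no libssl is linked.
check_binary() {
    bin="$1"
    lib=$(libssl_path_from_ldd "$(ldd "$bin" 2>/dev/null)")
    if [ -z "$lib" ]; then
        echo "$bin: no dynamically linked libssl found"; return 2
    fi
    ver=$(openssl_version_from_strings "$(strings "$lib")")
    if heartbleed_vulnerable "$ver"; then
        echo "$bin -> $lib (OpenSSL $ver): AFFECTED, replace this library"
        return 0
    fi
    echo "$bin -> $lib (OpenSSL $ver): not in the affected range"
    return 1
}

# With arguments, check each binary (e.g. `which httpd`); without arguments,
# run the logic on constructed sample lines so it can be exercised offline.
if [ $# -gt 0 ]; then
    for b in "$@"; do check_binary "$b" || true; done
else
    sample_ldd='libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8009a9000)'
    sample_strings='OpenSSL 1.0.1e 11 Feb 2013'
    v=$(openssl_version_from_strings "$sample_strings")
    heartbleed_vulnerable "$v" && echo "$(libssl_path_from_ldd "$sample_ldd") is OpenSSL $v: AFFECTED"
fi
```

Run it as `sh check_libssl.sh $(which httpd) $(which dovecot)` to cover every daemon that terminates TLS, since each may be linked against a different libssl.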