Aaron Parecki

    How to test and confirm OpenSSL is updated for Nginx and Ruby on Ubuntu 12.04

    Tue, Apr 8, 2014 3:16pm -07:00

    First, a few tools for testing your servers:

    • titanous/heartbleeder (written in Go)
    • FiloSottile/Heartbleed (written in Go)
    • emboss/heartbeat (written in Ruby)

    Nginx

    Run one of these against your HTTPS server:

    ./heartbleeder example.com

    It turns out that on Ubuntu 12.04, running openssl version always reports "OpenSSL 1.0.1 14 Mar 2012" for every build of 1.0.1, which makes it harder to tell whether the update actually landed.

    Update the system openssl libraries:

    sudo apt-get update
    sudo apt-get upgrade

    Now, you won't be able to check the version number, but you can check the date that openssl was built:

    $ openssl version -a
    OpenSSL 1.0.1 14 Mar 2012
    built on: Mon Apr  7 20:33:29 UTC 2014

    Note that unless it has a "built on" date after Apr 7, you've still got a problem.

    Now just restart nginx and run the heartbleed test again and you should be fine.

    Ruby

    Even if you compile Ruby from source, it should be dynamically linked to the system OpenSSL library, so you should be good to go now! However, I would be more confident if I could confirm that Ruby was in fact using the updated library.

    Because of how Ubuntu builds its OpenSSL package, asking Ruby which OpenSSL version it is using gives no additional information:

    $ ruby -r openssl -e 'puts OpenSSL::OPENSSL_VERSION'
    OpenSSL 1.0.1 14 Mar 2012

    (from @sferik)

    So let's do a little digging:

    • Load up irb
      $ irb
    • Find the full path of openssl.so
      irb(main):001:0> $:.map{|d| Dir[File.join d, "openssl.so"]}.flatten.compact.first
      /usr/local/lib/ruby/2.0.0/x86_64-linux/openssl.so
    • Quit irb
      irb(main):002:0> quit
    • Find the dependencies of Ruby's openssl.so
      $ ldd /usr/local/lib/ruby/2.0.0/x86_64-linux/openssl.so | grep crypto
      libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f3331750000)
    • Check the date that libcrypto was built:
      $ ls -l /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
      -rw-r--r-- 1 root root 1930616 Apr  7 20:37 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
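    As an added example (not code from the original post), here is a Ruby script that automates both checks above: it parses the "built on" date out of openssl version -a for the Nginx section, and locates the libcrypto that Ruby's openssl.so links against via ldd and compares the file's mtime with the Apr 7 build date the post treats as the cut-off. The embedded sample outputs are constructed from the post's own output, so the parsing can be exercised offline; check_this_host runs the real commands and reports nil where a command is missing.

```ruby
require 'time'
# Earliest build date the post accepts as patched on Ubuntu 12.04.
FIX_DATE = Time.utc(2014, 4, 7)
# Constructed sample input, copied from the post's `openssl version -a` output.
SAMPLE_VERSION_OUTPUT = <<~OUT
  OpenSSL 1.0.1 14 Mar 2012
  built on: Mon Apr  7 20:33:29 UTC 2014
OUT
# Constructed sample input, copied from the post's `ldd ... | grep crypto` line.
SAMPLE_LDD_OUTPUT = "\tlibcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f3331750000)\n"

# Extract the "built on:" timestamp; nil if the line is absent.
def built_on(version_output)
  line = version_output.lines.find { |l| l.start_with?("built on:") }
  line && Time.parse(line.sub("built on:", "").strip)
end

# True only when a build date is present and is on or after the fix date.
def openssl_patched?(version_output, fix_date = FIX_DATE)
  t = built_on(version_output)
  !t.nil? && t >= fix_date
end

# Pull the resolved libcrypto path out of ldd output.
def libcrypto_path(ldd_output)
  m = ldd_output.match(%r{libcrypto\.so\S*\s*=>\s*(\S+)})
  m && m[1]
end

# Compare the shared library's mtime (what `ls -l` shows) with the fix date.
def library_patched?(path, fix_date = FIX_DATE)
  File.exist?(path) && File.mtime(path) >= fix_date
end

# Locate openssl.so on Ruby's load path, as the irb one-liner in the post does.
def ruby_openssl_so
  $:.map { |d| Dir[File.join(d, "openssl.so")] }.flatten.first
end

# Run both checks on this host; a missing command yields nil rather than an error.
def check_this_host
  version = (`openssl version -a 2>/dev/null` rescue "")
  so = ruby_openssl_so
  lib = so && libcrypto_path((`ldd #{so} 2>/dev/null` rescue ""))
  { built_on: built_on(version), openssl_ok: openssl_patched?(version),
    libcrypto: lib, libcrypto_ok: lib ? library_patched?(lib) : nil }
end
puts check_this_host.inspect if __FILE__ == $0
```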

    You should see that libcrypto.so was built on Apr 7. At this point I can be reasonably sure that Ruby is using the updated OpenSSL library. I would feel much more comfortable if I had a malicious server I could test against. Below are the issues on the three repos above about writing a client-testing tool.

    • github.com/emboss/heartbeat/issues/1
    • github.com/FiloSottile/Heartbleed/issues/35
    • github.com/titanous/heartbleeder/issues/14
    #heartbleed #ops #ubuntu #linux #openssl #ssl
    • Matt Biddulph www.hackdiary.com
      @aaronpk you can also do this to get the specific openssl version: strings /lib/x86_64-linux-gnu/libssl.so.1.0.0 | grep "^OpenSSL "
      Tue, Apr 8, 2014 5:07pm -07:00 (via brid-gy.appspot.com)
    • Aaron Parecki aaronparecki.com
      @mattb Unfortunately that *also* just returns "OpenSSL 1.0.1 14 Mar 2012". Thanks Ubuntu. (aaron.pk/r4VU5)
      Tue, Apr 8, 2014 5:09pm -07:00 (via brid-gy.appspot.com)
    • Matt Biddulph www.hackdiary.com
      @aaronpk on my box I got "OpenSSL 1.0.1e 11 Feb 2013". perhaps you really do have exactly version 1.0.1?
      Tue, Apr 8, 2014 5:10pm -07:00 (via brid-gy.appspot.com)
    • Aaron Parecki aaronparecki.com
      @mattb Are you running Ubuntu 12.04? (aaron.pk/r4VU6)
      Tue, Apr 8, 2014 5:10pm -07:00 (via brid-gy.appspot.com)
    • Matt Biddulph www.hackdiary.com
      @aaronpk I already upgraded that box to 13.10 in order to upgrade to the fixed version listed in ubuntu.com/usn/usn-2165-1/
      Tue, Apr 8, 2014 5:11pm -07:00 (via brid-gy.appspot.com)
    • Matt Biddulph www.hackdiary.com
      @aaronpk it was a quick upgrade because the box just runs nginx and everything else is in docker containers.
      Tue, Apr 8, 2014 5:12pm -07:00 (via brid-gy.appspot.com)
    • Aaron Parecki aaronparecki.com
      @mattb Yeah it seems to be unique to 12.04 LTS. I need to use the LTS version, not willing to upgrade to 13 tho. (aaron.pk/r4VU7)
      Tue, Apr 8, 2014 5:13pm -07:00 (via brid-gy.appspot.com)
    • Matt Biddulph www.hackdiary.com
      @aaronpk makes sense. looks like we are due a new LTS release soon. fridge.ubuntu.com/2014/03/28/ubu…
      Tue, Apr 8, 2014 5:14pm -07:00 (via brid-gy.appspot.com)
    • Aditya Chadha bio.io
      @aaronpk thanks! apt-get upgrade will apply all outstanding upgrades (linux.die.net/man/8/apt-get), btw. it doesn't take parameters.
      Tue, Apr 8, 2014 5:55pm -07:00 (via brid-gy.appspot.com)
    • Aaron Parecki aaronparecki.com
      @ac Thanks! Corrected it in the post. (aaron.pk/r4VV1)
      Wed, Apr 9, 2014 11:09am -07:00 (via brid-gy.appspot.com)
    • Alejandro Kamochillo facebook.com/1178940749
      I wonder how such interception affects OpenID sites and stuff. If provider is safe, but the recipient site is broken, does that open up an authorized access to the website for an attacker?
      Wed, Apr 9, 2014 10:17pm +00:00 (via brid-gy.appspot.com)
