Aaron Parecki

How to test and confirm OpenSSL is updated for Nginx and Ruby on Ubuntu 12.04

    April 8, 2014

    First, a few tools for testing your servers:

    • titanous/heartbleeder (written in Go)
    • FiloSottile/Heartbleed (written in Go)
    • emboss/heartbeat (written in Ruby)

    Nginx

    Run one of these against your HTTPS server:

    ./heartbleeder example.com

    Turns out that on Ubuntu 12.04, running openssl version always reports "OpenSSL 1.0.1 14 Mar 2012" no matter which 1.0.1 patch level is installed. This makes it harder to tell whether your update actually took.

    Update the system openssl libraries:

    sudo apt-get update
    sudo apt-get upgrade

    The version number still won't tell you anything, but you can check the date that openssl was built:

    $ openssl version -a
    OpenSSL 1.0.1 14 Mar 2012
    built on: Mon Apr  7 20:33:29 UTC 2014

    Note that unless the "built on" date is Apr 7 or later, you've still got a problem.

    Now restart nginx (a running process keeps the old library loaded until it is restarted) and run the heartbleed test again; it should now report the server as not vulnerable.

    Ruby

    Even if you compile Ruby from source, it should be dynamically linked to the system OpenSSL library, so you should be good to go now! However, I would be more confident if I could confirm that Ruby was in fact using the updated library.

    Because of the way Ubuntu builds OpenSSL, asking Ruby which OpenSSL version it's using gives no more useful information:

    $ ruby -r openssl -e 'puts OpenSSL::OPENSSL_VERSION'
    OpenSSL 1.0.1 14 Mar 2012

    (from @sferik)

    So let's do a little digging:

    • Load up irb
      $ irb
    • Find the full path of openssl.so
      irb(main):001:0> $:.map{|d| Dir[File.join d, "openssl.so"]}.flatten.compact.first
      /usr/local/lib/ruby/2.0.0/x86_64-linux/openssl.so
    • Quit irb
      irb(main):002:0> quit
    • Find the dependencies of Ruby's openssl.so
      $ ldd /usr/local/lib/ruby/2.0.0/x86_64-linux/openssl.so | grep crypto
      libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f3331750000)
    • Check the date that libcrypto was built:
      $ ls -l /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
      -rw-r--r-- 1 root root 1930616 Apr  7 20:37 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0

    You should see that libcrypto.so was built on Apr 7. At this point I can be reasonably sure that Ruby is using the updated OpenSSL library. I would feel much more comfortable if I had a malicious server I could test against. Below are the issues on the three repos above about writing a client-testing tool.
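    The same checks scripted, as an added example that is not part of the original post: the openssl "built on" date test from the Nginx section and the ldd / file-date test from the Ruby section, wrapped in functions so they can be run against sample output. The fix date (Apr 7 2014) is taken from the post; the function names and the --check driver are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the post's checks as
# functions: does "openssl version -a" report a build on or after Apr 7 2014,
# which libcrypto does Ruby's openssl.so link, and is that file newer than the fix date.
FIX_STAMP=201404070000   # touch -t format for Apr 7 2014 00:00 (fix date assumed from the post)

month_num() {            # "Apr" -> 4; unknown -> 0
  case "$1" in Jan) echo 1;; Feb) echo 2;; Mar) echo 3;; Apr) echo 4;; May) echo 5;;
    Jun) echo 6;; Jul) echo 7;; Aug) echo 8;; Sep) echo 9;; Oct) echo 10;; Nov) echo 11;;
    Dec) echo 12;; *) echo 0;; esac
}

# on_or_after_fix YEAR MONTH DAY -> true if the date is Apr 7 2014 or later
on_or_after_fix() {
  if [ "$1" -ne 2014 ]; then [ "$1" -gt 2014 ]
  elif [ "$2" -ne 4 ]; then [ "$2" -gt 4 ]
  else [ "$3" -ge 7 ]; fi
}

# openssl_build_ok "<output of openssl version -a>" -> true if the "built on:"
# line (e.g. "built on: Mon Apr  7 20:33:29 UTC 2014") is on/after the fix date.
# The version string itself is ignored: on 12.04 it is always "1.0.1 14 Mar 2012".
openssl_build_ok() {
  line=$(printf '%s\n' "$1" | grep '^built on:') || return 1
  set -- $line           # built on: DOW MON DD HH:MM:SS TZ YYYY
  on_or_after_fix "$8" "$(month_num "$4")" "$5"
}

# libcrypto_from_ldd "<ldd output>" -> path on the "libcrypto.so... => /path" line
libcrypto_from_ldd() {
  printf '%s\n' "$1" | awk '/libcrypto/ && /=>/ { print $3; exit }'
}

# lib_newer_than_fix /path/to/lib -> true if the file's mtime is after the fix date
lib_newer_than_fix() {
  ref=$(mktemp) && touch -t "$FIX_STAMP" "$ref" || return 1
  if [ "$1" -nt "$ref" ]; then rc=0; else rc=1; fi
  rm -f "$ref"; return $rc
}

# Run the live checks with: sh thisscript.sh --check   (needs openssl, ruby, ldd)
if [ "${1:-}" = "--check" ]; then
  openssl_build_ok "$(openssl version -a)" && echo "openssl: built after fix" || echo "openssl: STILL OLD"
  so=$(ruby -e 'puts $:.map{|d| Dir[File.join d, "openssl.so"]}.flatten.compact.first')
  lib=$(libcrypto_from_ldd "$(ldd "$so")")
  lib_newer_than_fix "$lib" && echo "ruby -> $lib: newer than fix" || echo "ruby -> $lib: STILL OLD"
fi
```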

    • github.com/emboss/heartbeat/issues/1
    • github.com/FiloSottile/Heartbleed/issues/35
    • github.com/titanous/heartbleeder/issues/14
    Tue, Apr 8, 2014 3:16pm -07:00 #heartbleed #ops #ubuntu #linux #openssl #ssl
    • Alejandro Kamochillo facebook.com/1178940749
      I wonder how such interception affects OpenID sites and stuff. If the provider is safe, but the recipient site is broken, does that open up authorized access to the website for an attacker?
      Wed, Apr 9, 2014 10:17pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki aaronparecki.com
      @ac Thanks! Corrected it in the post. (aaron.pk/r4VV1)
      Wed, Apr 9, 2014 11:09am -07:00 (via brid-gy.appspot.com)
    • Aditya Chadha bio.io
      @aaronpk thanks! apt-get upgrade will apply all outstanding upgrades (linux.die.net/man/8/apt-get), btw. it doesn't take parameters.
      Tue, Apr 8, 2014 5:55pm -07:00 (via brid-gy.appspot.com)
    • Matt Biddulph www.hackdiary.com
      @aaronpk makes sense. looks like we are due a new LTS release soon. fridge.ubuntu.com/2014/03/28/ubu…
      Tue, Apr 8, 2014 5:14pm -07:00 (via brid-gy.appspot.com)
    • Aaron Parecki aaronparecki.com
      @mattb Yeah it seems to be unique to 12.04 LTS. I need to use the LTS version, not willing to upgrade to 13 tho. (aaron.pk/r4VU7)
      Tue, Apr 8, 2014 5:13pm -07:00 (via brid-gy.appspot.com)
    • Matt Biddulph www.hackdiary.com
      @aaronpk it was a quick upgrade because the box just runs nginx and everything else is in docker containers.
      Tue, Apr 8, 2014 5:12pm -07:00 (via brid-gy.appspot.com)
    • Matt Biddulph www.hackdiary.com
      @aaronpk I already upgraded that box to 13.10 in order to upgrade to the fixed version listed in ubuntu.com/usn/usn-2165-1/
      Tue, Apr 8, 2014 5:11pm -07:00 (via brid-gy.appspot.com)
    • Aaron Parecki aaronparecki.com
      @mattb Are you running Ubuntu 12.04? (aaron.pk/r4VU6)
      Tue, Apr 8, 2014 5:10pm -07:00 (via brid-gy.appspot.com)
    • Matt Biddulph www.hackdiary.com
      @aaronpk on my box I got "OpenSSL 1.0.1e 11 Feb 2013". perhaps you really do have exactly version 1.0.1?
      Tue, Apr 8, 2014 5:10pm -07:00 (via brid-gy.appspot.com)
    • Aaron Parecki aaronparecki.com
      @mattb Unfortunately that *also* just returns "OpenSSL 1.0.1 14 Mar 2012". Thanks Ubuntu. (aaron.pk/r4VU5)
      Tue, Apr 8, 2014 5:09pm -07:00 (via brid-gy.appspot.com)
    • Matt Biddulph www.hackdiary.com
      @aaronpk you can also do this to get the specific openssl version: strings /lib/x86_64-linux-gnu/libssl.so.1.0.0 | grep "^OpenSSL "
      Tue, Apr 8, 2014 5:07pm -07:00 (via brid-gy.appspot.com)

    Other Mentions

    • Aaron Parecki aaronparecki.com
      Several Days of Server Migrations Later
      Tue, Apr 5, 2016 7:02pm -07:00
    • Aaron Parecki aaronparecki.com
      @sferik Yep. I managed to track it down tho: http://aaronparecki.com/articles/2014/04/08/1/ #heartbleed
      Tue, Apr 8, 2014 4:57pm -07:00
© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.