Re: [openssl-users] OpenSSL and detecting whether bugs have been patched

2015-03-05 Thread Jason Woods

> On 5 Mar 2015, at 12:23, Salz, Rich  wrote:
>> if (!openssl_is_patched("CVE-2014-0160")) {
>>   complain_vociferously();
>> }
> 
> That's an interesting idea.  Of course the CVE list would grow, so perhaps 
> arrays of ints are better
>   int OPENSSL_cve_fixed(int year, int vuln);
> 
> ?

This feels onerous... I think this would only affect vendors who release their 
own patched versions. OpenSSL team should probably not have to deal with their 
problems; using latest version of upstream OpenSSL you'd be fine to verify the 
version number.
Maybe it's just a case of the vendor (RedHat etc.) should come up with a 
solution - a /usr/share/openssl/heartbleed_fixed file added to the package, or 
a /usr/share/openssl/patchlist file containing list of patches applied. 
Freeradius can then check this based on the distribution's way of dealing with 
it.

Jason
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] OpenSSL and detecting whether bugs have been patched

2015-03-05 Thread Salz, Rich

> if (!openssl_is_patched("CVE-2014-0160")) {
>complain_vociferously();
> }

That's an interesting idea.  Of course the CVE list would grow, so perhaps 
arrays of ints are better
int OPENSSL_cve_fixed(int year, int vuln);

?



[openssl-users] OpenSSL and detecting whether bugs have been patched

2015-03-05 Thread Graham Leggett
Hi all,

I just tried out the most recent version of freeradius (v3.0.7), and it failed 
to start up with the following message:

Thu Mar  5 11:12:33 2015 : Info: Debugger not attached
Thu Mar  5 11:12:33 2015 : Error: Refusing to start with libssl version OpenSSL 
1.0.1e-fips 11 Feb 2013 0x1000105f (1.0.1e release) (in range 1.0.1 dev - 
1.0.1f release)
Thu Mar  5 11:12:33 2015 : Error: Security advisory CVE-2014-0160 (Heartbleed)
Thu Mar  5 11:12:33 2015 : Error: For more information see http://heartbleed.com
Thu Mar  5 11:12:33 2015 : Info: Once you have verified libssl has been 
correctly patched, set security.allow_vulnerable_openssl = 'CVE-2014-0160'

While the idea behind the check is sound (it would be great if people cared 
about this stuff) the implementation is rather crude - all freeradius has to go 
on to implement a check like this is to compare version numbers, and in this 
case the version numbers tell us it is unpatched when in reality this CentOS7 
provided openssl package actually is patched.

Would it be a good idea to add a simple API to the openssl code that defines 
whether specific security flaws are patched or not, allowing other software to 
explicitly check for them? A vendor like Redhat then has the chance to patch 
the older version and add the extra detail to indicate that the particular 
vulnerability is patched in this particular version, like this:

int openssl_is_patched(const char *cve);

if (!openssl_is_patched("CVE-2014-0160")) {
   complain_vociferously();
}

Thoughts? Glaring holes I have not thought of?

Regards,
Graham
—

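The two checks discussed in this thread, as an added stand-alone model (not code from freeradius, OpenSSL or any poster): the freeradius-style version-range test that flags the CentOS 1.0.1e build, and the vendor patch-list lookup Jason suggests, combined so a backported fix overrides the version number. The patch-list contents, the `heartbleed_is_patched` name and the CentOS version value are constructed assumptions; no OpenSSL headers are needed.

```c
/* Added example, not from the thread. Version number and patch list are
 * constructed inputs; function names are hypothetical. */
#include <string.h>

/* OpenSSL 1.0.x packs its version as 0xMNNFFPPS: major M, minor NN,
 * fix FF, patch PP (0 = none, 1 = 'a', 2 = 'b', ...), status S
 * (0 = dev, 1..e = beta, f = release). 0x1000105f is "1.0.1e release". */
struct ossl_version { int major, minor, fix, patch, status; };

static struct ossl_version decode_version(unsigned long v)
{
    struct ossl_version r;
    r.major  = (int)((v >> 28) & 0xf);
    r.minor  = (int)((v >> 20) & 0xff);
    r.fix    = (int)((v >> 12) & 0xff);
    r.patch  = (int)((v >> 4)  & 0xff);
    r.status = (int)(v & 0xf);
    return r;
}

/* The version-only check from the freeradius log: CVE-2014-0160 affects
 * 1.0.1 dev through 1.0.1f release (patch letters a..f are 1..6), so a
 * distro build of 1.0.1e with the fix backported is still flagged. */
static int version_in_heartbleed_range(unsigned long v)
{
    struct ossl_version r = decode_version(v);
    if (r.major != 1 || r.minor != 0 || r.fix != 1)
        return 0;              /* not a 1.0.1 build at all */
    return r.patch <= 6;       /* 1.0.1 (no letter) up to 1.0.1f */
}

/* Jason's suggestion: the package ships a list of backported CVE ids,
 * one per line, '#' starting a comment. The caller would read it from
 * the distribution's file (path hypothetical); here it is a string. */
static int patchlist_has_cve(const char *patchlist, const char *cve)
{
    const char *p = patchlist;
    size_t n = strlen(cve);
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (*p != '#' && len == n && strncmp(p, cve, n) == 0)
            return 1;
        if (!eol) break;
        p = eol + 1;
    }
    return 0;
}

/* Combined check: the version number decides unless the vendor's patch
 * list explicitly records the CVE as fixed. Returns 1 when patched. */
static int heartbleed_is_patched(unsigned long version, const char *patchlist)
{
    if (!version_in_heartbleed_range(version))
        return 1;
    return patchlist_has_cve(patchlist, "CVE-2014-0160");
}
```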