
I am creating a test server that is vulnerable to the Heartbleed bug.

My server is running Apache 2.4 on a FreeBSD VM. FreeBSD seems to have OpenSSL 0.9.8 installed by default. I tried to uninstall OpenSSL from the ports, but since I didn't install it via ports (it came by default) I could not uninstall it that way.

Then I tried to just ignore it and installed OpenSSL 1.0.1 from source; but when I restarted the Apache server and checked the site using `curl --head 127.0.0.1`, "OpenSSL 0.9.8" was displayed.

Then I tried to reinstall/reconfigure Apache, but the same test yielded "OpenSSL 0.9.8".

So, I tried to replace the default OpenSSL like so:
- installed a newer OpenSSL via ports (in an attempt to replace the default version)
- ran `make uninstall` on the port-installed OpenSSL (in an attempt to erase the default OpenSSL completely)
- with my source install the only one left, I figured that this had to have changed it
- the test still yielded "OpenSSL 0.9.8" (sadness)

So, why is it still displaying "OpenSSL 0.9.8"?

I also want to change the website to use OpenSSL 1.0.1, so advice on that would be helpful.

user2738698
    OpenSSL 1.0.1 is open to the very severe heartbleed bug. If you want to test against this bug, fine. If not, consider using 1.0.1g or disabling heartbeats. – Travis Pessetto Apr 17 '14 at 20:07
    Yeah, I am specifically creating a test server that *IS* vulnerable to heartbleed-ing. – user2738698 Apr 17 '14 at 20:09
  • I would start by doing something like `find / -name openssl` and deleting any folders that are obviously linked to openssl. You also may need to delete mod_ssl from Apache. From there, I would compile the new version from source. – Travis Pessetto Apr 17 '14 at 20:14
  • This post may be of some help too: http://stackoverflow.com/questions/1439950/whats-the-opposite-of-make-install-ie-how-do-you-uninstall-a-library-in-lin. – Travis Pessetto Apr 17 '14 at 20:21
  • If you are planning to build a vulnerable FreeBSD test system, you should go for a base FreeBSD 10.0: OpenSSL 1.0.1e with the base system. Or have a look here: [superuser: about reinstalling openssl on FreeBSD](http://superuser.com/questions/742991/how-to-reinstall-an-intermediary-version-from-source). – Ouki Apr 18 '14 at 00:32
  • Your `Apache` and `mod_ssl` were built against the *system* openssl (e.g. `/usr/include/openssl`). You will want to build against the *ports* OpenSSL. – Stefan Lasiewski Apr 18 '14 at 00:49
  • The comments here are a bit misleading. FreeBSD, like most distros in the last week, released a fix for vulnerable versions of OpenSSL 1.0.1 (See https://www.freshports.org/security/openssl/ ). They also patched FreeBSD 10, see http://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc – Stefan Lasiewski Apr 18 '14 at 00:55

2 Answers


The missing step is that you must tell the system that you want to use OpenSSL from ports over the one from the base system:

  • build OpenSSL from ports (security/openssl)

  • create/add to your /etc/make.conf the following line:

    WITH_OPENSSL_PORT=yes
    
  • then reinstall all the other modules needing OpenSSL (devel/apr1, www/apache24, ...)

  • you can check the OpenSSL lib used by apache24 (in fact the apache24 mod_ssl module):

    # ldd /usr/local/libexec/apache24/mod_ssl.so | grep ssl
    /usr/local/libexec/apache24/mod_ssl.so:
            libssl.so.8 => /usr/local/lib/libssl.so.8 (0x801634000)
    

    The apache24 mod_ssl is now using the OpenSSL library from the ports.

Ouki
    It's actually "WITH_OPENSSL_PORT=yes". See https://www.freebsd.org/doc/en/books/handbook/openssl.html – northox Feb 22 '15 at 14:47
    Please note that "WITH_OPENSSL_PORT=yes" has been deprecated and that the "DEFAULT_VERSIONS+=ssl=openssl" mechanism should be used instead. – Egon Olieux Dec 29 '16 at 20:56

Compiling OpenSSL will not help you much. Your Apache is still linked with the old OpenSSL. You can verify this using the `ldd` command.

You should recompile Apache or mod_ssl for it to be linked to your new OpenSSL.

Spack
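Both answers come down to the same check: which libssl does mod_ssl.so actually resolve at load time. The script below is an added example, not code from either answer or from the FreeBSD project. It parses `ldd` output to classify the linkage as base-system OpenSSL (/usr/lib/libssl.so.*), ports OpenSSL (/usr/local/lib/libssl.so.*) or neither, and it idempotently adds the make.conf line that makes ports depend on the ports OpenSSL. The paths are the conventional FreeBSD ones, the sample `ldd` output is constructed (modelled on the snippet in the first answer), and the function names are this example's own. Per the comment on the first answer, `WITH_OPENSSL_PORT=yes` is the historical knob and `DEFAULT_VERSIONS+=ssl=openssl` is the current one; the script takes the line as an argument so either can be used.

```shell
#!/bin/sh
# Added example: verify which OpenSSL an Apache mod_ssl.so is linked
# against on FreeBSD, and set the make.conf knob that makes ports build
# against the ports OpenSSL instead of the base-system one.
# Function names, sample data and the MAKE_CONF default are this
# example's own assumptions, not taken from the original answers.

# classify_ssl_linkage: read `ldd` output on stdin and print one of
#   ports  - libssl resolved from /usr/local/lib (ports OpenSSL)
#   base   - libssl resolved from /usr/lib (base-system OpenSSL)
#   other  - libssl resolved from somewhere else (e.g. a /usr/src install)
#   none   - no libssl dependency at all (module not built with SSL?)
classify_ssl_linkage() {
    awk '
        $1 ~ /^libssl\.so/ && $2 == "=>" {
            if ($3 ~ /^\/usr\/local\/lib\//) { print "ports"; found = 1; exit }
            if ($3 ~ /^\/usr\/lib\//)       { print "base";  found = 1; exit }
            print "other"; found = 1; exit
        }
        END { if (!found) print "none" }
    '
}

# check_mod_ssl: classify a real module on disk, e.g.
#   check_mod_ssl /usr/local/libexec/apache24/mod_ssl.so
check_mod_ssl() {
    ldd "$1" 2>/dev/null | classify_ssl_linkage
}

# ensure_make_conf_line FILE LINE: append LINE to FILE unless an identical
# line is already present, so repeated runs do not duplicate it.
# Typical LINE values (see the comments on the first answer):
#   WITH_OPENSSL_PORT=yes          (older ports trees)
#   DEFAULT_VERSIONS+=ssl=openssl  (current ports trees)
ensure_make_conf_line() {
    file=$1
    line=$2
    grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# Constructed sample ldd output (not captured from a real host), in the
# shape the first answer shows: one from a mod_ssl rebuilt against the
# ports OpenSSL, one from the original build against the base system.
SAMPLE_PORTS='/usr/local/libexec/apache24/mod_ssl.so:
        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x801634000)
        libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x801800000)
        libc.so.7 => /lib/libc.so.7 (0x800a00000)'

SAMPLE_BASE='/usr/local/libexec/apache24/mod_ssl.so:
        libssl.so.6 => /usr/lib/libssl.so.6 (0x801634000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x801800000)
        libc.so.7 => /lib/libc.so.7 (0x800a00000)'

# Stand-alone run: inspect the real module if this is a FreeBSD box with
# apache24 installed, otherwise demonstrate on the constructed samples.
MOD_SSL=/usr/local/libexec/apache24/mod_ssl.so
if [ -f "$MOD_SSL" ]; then
    echo "$MOD_SSL links libssl from: $(check_mod_ssl "$MOD_SSL")"
else
    echo "sample (ports build): $(printf '%s\n' "$SAMPLE_PORTS" | classify_ssl_linkage)"
    echo "sample (base build):  $(printf '%s\n' "$SAMPLE_BASE" | classify_ssl_linkage)"
fi
```

If the result is `base`, the answers' advice applies: set the make.conf line, rebuild security/openssl, then rebuild devel/apr1 and www/apache24 (and any other port that links libssl) and re-run the check until it reports `ports`. Uninstalling or overwriting the base libssl is not the fix, since the binary the web server loads is whatever its own link step recorded.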