From: Matthias Apitz
To: freebsd-current@freebsd.org
Date: Sun, 13 Apr 2014 09:46:46 +0200
Subject: Re: recompiling openssl in base system with -DOPENSSL_NO_HEARTBEATS
Message-ID: <20140413074646.GA26600@La-Habana>
In-Reply-To: <20140413070340.GA25589@La-Habana>
List-Id: Discussions about the use of FreeBSD-current

On Sunday, April 13, 2014 at 09:03:40AM +0200, Matthias Apitz wrote:

>
> Hello,
>
> I run a bunch of -CURRENT systems and due to the OpenSSL HEARTBEAT issue
> I want to recompile the libssl.so in the base system with the option
> -DOPENSSL_NO_HEARTBEATS.
>
> What is the best procedure to do this?

I think the easy way is what I did now:

$ ./heartbleed/heartbleed localhost:631
VULNERABLE!

we have to recompile libssl.so.7

# cd /usr/src/secure/lib/libssl
# vim ../libcrypto/Makefile.inc

added to the line -DOPENSSL_NO_HEARTBEATS as shown here:

# diff ../libcrypto/Makefile.inc*
12c12
< CFLAGS+= -DTERMIOS -DANSI_SOURCE -DOPENSSL_NO_HEARTBEATS
---
> CFLAGS+= -DTERMIOS -DANSI_SOURCE

# make
# make install

$ ~/heartbleed/heartbleed localhost:631
NOT VULNERABLE (TLS Heartbeat extension not supported by the server)

-- 
Matthias Apitz               |  /"\ ASCII Ribbon Campaign:
E-mail: guru@unixarea.de     |  \ /  - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ |   X   - No proprietary attachments
phone: +49-170-4527211       |  / \  - Respect for open standards
                             | en.wikipedia.org/wiki/ASCII_Ribbon_Campaign
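
Review bot: the diff reads backwards. At "12c12" the "<" line is the one carrying -DOPENSSL_NO_HEARTBEATS and the ">" line is the unmodified one, because the glob "Makefile.inc*" passes the edited file first and the saved copy second. Applied as a patch this would take the flag out again; run diff with the saved copy as the first argument (and -u for context) so the flag shows up on the added side. The change is also a local edit to a file under /usr/src, so it is worth recording somewhere that survives the next source update.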
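
The second test result in the message says the server no longer supports the TLS Heartbeat extension. The following is an added example, not part of the original message and not the heartbleed tool's code: it parses a ServerHello handshake message and reports whether the heartbeat extension (type 15, RFC 6520) is present, which is the observable difference a rebuild with -DOPENSSL_NO_HEARTBEATS is assumed to produce. The function names and both sample messages are constructed for illustration.

```python
import struct

HEARTBEAT_EXT = 15  # extension type assigned by RFC 6520
MODES = {b"\x01": "peer_allowed_to_send", b"\x02": "peer_not_allowed_to_send"}

def server_hello_extensions(msg: bytes) -> dict:
    """Return {extension_type: data} from one ServerHello handshake message."""
    size = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + size]
    if msg[:1] != b"\x02" or len(body) != size or size < 38:
        raise ValueError("not a complete ServerHello handshake message")
    pos = 2 + 32                  # server_version, random
    pos += 1 + body[pos]          # session_id length byte and session_id
    pos += 2 + 1                  # cipher_suite, compression_method
    if pos == len(body):          # the extensions block is optional
        return {}
    if pos + 2 > len(body):
        raise ValueError("truncated before the extensions block")
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    if end != len(body):
        raise ValueError("extensions length does not match message length")
    exts = {}
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if pos + ext_len > end:
            raise ValueError("extension overruns the extensions block")
        exts[ext_type] = body[pos:pos + ext_len]
        pos += ext_len
    return exts

def heartbeat_status(msg: bytes) -> str:
    """Report whether the ServerHello carries the heartbeat extension."""
    data = server_hello_extensions(msg).get(HEARTBEAT_EXT)
    if data is None:
        return "heartbeat not offered"
    return "heartbeat offered: " + MODES.get(data, "malformed mode")

def sample_server_hello(extensions: bytes = b"") -> bytes:
    """Constructed input: TLS 1.2 ServerHello, zero random, empty session id."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    body += struct.pack("!H", len(extensions)) + extensions if extensions else b""
    return b"\x02" + len(body).to_bytes(3, "big") + body

# Constructed samples: renegotiation_info with and without heartbeat (mode 1).
BEFORE = sample_server_hello(b"\xff\x01\x00\x01\x00" + b"\x00\x0f\x00\x01\x01")
AFTER = sample_server_hello(b"\xff\x01\x00\x01\x00")
```

BEFORE stands in for the stock library's reply and AFTER for the rebuilt one; a server only echoes the extension when the ClientHello offered it.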