Difference between revisions of "News:OpenSSL Update"
Revision as of 16:50, March 3, 2016
OpenSSL Update
A security update to openssl is available. It fixes the following security problems: CVE-2016-0702, CVE-2016-0703, CVE-2016-0704, CVE-2016-0705, CVE-2016-0797, CVE-2016-0798, CVE-2016-0799, CVE-2016-0800.
Updating openssl requires rebuilding all installed packages that depend on openssl. To do this, run the following command:
root # revdep-rebuild.sh -i -L "libssl\.so.*" -- --exclude=openssl
More details
The important change in openssl-1.0.2g is that the vulnerable SSLv2 support is now disabled by default:
- Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. Builds that are not configured with "enable-weak-ssl-ciphers" will not provide any "EXPORT" or "LOW" strength ciphers.
- Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2 is by default disabled at build-time. Builds that are not configured with "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will need to explicitly call either of:
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
as appropriate. Even if either of those is used, or the application explicitly uses the version-specific SSLv2_method() or its client and server variants, SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed. Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no longer available.
This results in an ABI change in OpenSSL (without any change to the library's name or version number), so if openssl was updated on your box, every installed package that depends on openssl has to be rebuilt. Currently, this can be achieved with the revdep-rebuild tool as shown above. Another automated way of rebuilding all such packages, using the sub-slot feature of portage, is in progress, but it also requires changing every ebuild that depends on openssl, for which there is no ETA.
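As an added illustration of the sub-slot approach mentioned above (this is not part of the news item and not a Funtoo ebuild), the fragment below shows the change each openssl-dependent ebuild would need: with the "=" slot operator, portage records the openssl sub-slot used at build time and schedules a rebuild of the package itself when that sub-slot changes, which is what makes a manual revdep-rebuild pass unnecessary. The sub-slot value and the surrounding ebuild skeleton are assumed for illustration.

```ebuild
# Sub-slots and the "=" slot operator need EAPI 5 or later.
EAPI=5

# Assumed for illustration: the openssl ebuild declares SLOT="0/1.0.0".
# The part after "/" is the sub-slot, which the openssl maintainer bumps
# whenever the library ABI changes even though the soname (libssl.so.1.0.0)
# stays the same, exactly the situation described in this update.

# Weak form: a plain slot dependency. Portage only guarantees that some
# openssl in slot 0 is installed; an ABI-changing openssl update leaves this
# package untouched, so it keeps running against a stale ABI until someone
# runs revdep-rebuild by hand.
#RDEPEND="dev-libs/openssl:0"

# Corrected form: the "=" operator makes portage store the sub-slot that
# openssl had when this package was built. When a later openssl install
# carries a different sub-slot, portage schedules a rebuild of this package
# automatically instead of relying on revdep-rebuild.
RDEPEND="dev-libs/openssl:0="
DEPEND="${RDEPEND}"
```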