SSL HeartBleed Issue

Steven

Guest
#1
I need help fixing my SSL on my site.

I updated my SSL to 1.0.1, but the Heartbleed checker still says my site still has an issue.

https://ssltools.geotrust.com/checker/views/certCheck.jsp

OpenSSL version
OpenSSL 1.0.1g 7 Apr 2014
openssl version -b
built on: Tue Jul 8 03:58:10 UTC 2014
openssl version -a
OpenSSL 1.0.1g 7 Apr 2014
built on: Tue Jul 8 03:58:10 UTC 2014
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/ssl"

I also recompiled PHP in OpenLiteSpeed, but it doesn't seem to help. If you know how to fix it, can you please provide instructions?

My OpenLiteSpeed version is 1.3.3
 

lsmichael

Active Member
#2
Hi Steven,

Are you sure that this is the OpenSSL that OpenLiteSpeed is using? Check your error logs. Right after OpenLiteSpeed starts, it should write an entry specifying the version of OpenSSL used:

2014-07-11 17:03:34.003 [NOTICE] Using [OpenSSL 1.0.1h 5 Jun 2014]

You'll need to make sure you update the OpenSSL that OpenLiteSpeed is using.

Cheers,

Michael
 
Steven

Guest
#3
It shows an older version:
Using [OpenSSL 1.0.1e 11 Feb 2013]

How do I update it to use the new version in the system?

Thanks for pointing this out.

Steven Dang
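
Added example, not part of any post in this thread: a shell check for the mismatch found above, where the `openssl` on the PATH reports one version while the server's startup log line reports another. The sample inputs are constructed from the output quoted here, and the log path in the last comment is a placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): which OpenSSL did the server actually load?

# Read error-log text on stdin; print the version from the most recent
# "Using [OpenSSL ...]" startup line (empty output if there is none).
logged_openssl_version() {
    sed -n 's/.*Using \[OpenSSL \([^] ]*\).*/\1/p' | tail -n 1
}

# Succeed if an upstream version string falls in the Heartbleed-affected
# 1.0.1 range (1.0.1 through 1.0.1f; 1.0.1g carries the fix).
# Caveat: distro packages can backport the fix without changing the letter,
# so a match means "verify this build", not proof of exposure.
heartbleed_affected() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.1-*|1.0.1[a-f]-*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = output of `openssl version`, $2 = error-log text.
# Prints one summary line; exit status 0 = ok, 1 = affected, 2 = no log line.
assess() {
    cli=$(printf '%s\n' "$1" | awk '{print $2}')
    srv=$(printf '%s\n' "$2" | logged_openssl_version)
    if [ -z "$srv" ]; then
        echo "no-startup-line cli=$cli"
        return 2
    fi
    if heartbleed_affected "$srv"; then
        echo "server=$srv cli=$cli affected"
        return 1
    fi
    echo "server=$srv cli=$cli ok"
}

# Constructed sample inputs modelled on the output quoted in this thread.
SAMPLE_CLI='OpenSSL 1.0.1g 7 Apr 2014'
SAMPLE_LOG='2014-07-10 09:12:00.871 [NOTICE] Loading configuration (constructed line)
2014-07-10 09:12:01.450 [NOTICE] Using [OpenSSL 1.0.1e 11 Feb 2013]'

assess "$SAMPLE_CLI" "$SAMPLE_LOG" || true
# On a live host: assess "$(openssl version)" "$(cat /path/to/error.log)"
```

The server's own startup line is the value that matters for the external checker, because the web server can be linked against a different OpenSSL than the command-line tool.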
 
Steven

Guest
#5
Thank you for all the help. I'm such a newbie to the Linux and OpenLiteSpeed world. If you have step-by-step instructions on how to do this, that would be great. I googled around and found this:

http://open.litespeedtech.com/media...ll:OpenLiteSpeed_with_SPDY_Installation_Notes

I tried to follow the instructions and typed
./configure --with-openssl=/usr/include/ --enable-spdy
It says "checking whether compiling and linking against OpenSSL works... no"

I ran "find . -name ssl.h" and found a couple of paths that have it. I changed to that path and am still getting the same error. Any help is appreciated.
 

lsmichael

Active Member
#6
Hi,

It looks like your OpenSSL 1.0.1g is located at /usr/ssl. Have you tried running ./configure --with-openssl=/usr/ssl when rebuilding LSWS?

Cheers,

Michael
 
Steven

Guest
#7
I did try that. It also has the same message:
"checking whether compiling and linking against OpenSSL works... no"
 

lsmichael

Active Member
#8
Alright. Something is weird. We think your installation of OpenSSL may have the lib files (libssl.so?) and/or header files (ssl.h) in the "wrong" places (i.e. OpenLiteSpeed isn't finding them where it expects to). We're going to need a little time to reproduce this and figure out how we can make sure it doesn't happen in the future.

For now, though, a workaround would be to do a clean reinstall of OpenSSL in a different location (/usr/ssl2, for example) and then direct OpenLiteSpeed to look for OpenSSL in that location when rebuilding. (Or you can just wait for us to figure this out...)

Cheers,

Michael
 
Steven

Guest
#9
I installed a new SSL and LiteSpeed was able to recognize it. I did configure, make and make install, but the OpenSSL in the server log viewer is still not updated.

I see the following line
checking for strtol... yes
Final LDFLAGS='-L/usr/local/ssl/lib64 -L/usr/lib64 -Wl,-rpath,/usr/local/ssl/lib64 -Wl,--export-dynamic'
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile

I'm curious whether it's not replacing because it thinks the existing one is newer.
 

lsmichael

Active Member
#10
Hi Steven,

Sorry for the long period of silence. For some reason the alert that you had made a post went to my spam box.

Just to make sure, when you're stipulating the path to OpenSSL, you should put the path up to but not including "include". So your config command would look something like ./config --with-openssl=/usr/ (not --with-openssl=/usr/include/).

Also, make sure that the tree that has your OpenSSL version, also has a libssl.so file. So if your ssl.h file is under /usr/ssl2, look for a lib or lib64 directory that has a libssl.so file.

Sorry this is so complicated. Welcome to Linux.

Cheers,

Michael
 