On Thu, 20 Nov 2014, Nico Kadel-Garcia wrote:

> On Thu, Nov 20, 2014 at 9:31 PM, Damien Miller <djm at mindrot.org> wrote:
> > On Wed, 19 Nov 2014, Nico Kadel-Garcia wrote:
> >
> > > Use 6.6p1, or consider patching the check for openssl version in
> > > openbsd-compat/openssl-compat.h to ignore the failure, on the basis
> > > that RHEL has been backporting patches to openssl for RHEL 5.
> >
> > Do you understand why that check exists in the first place?
>
> That's why I asked.

Maybe you should ask _before_ recommending people disable checks in their
security software.

> A bit more digging shows that the HeartBleed bug apparently never
> applied to 0.9.8 versions of OpenSSL, the version used in RHEL 5, so
> that shouldn't be an issue there. OpenSSH version 6.6 was indeed
> compatible with that older OpenSSL on RHEL 5, I even just tested its
> basic functionality, so I assume it's not a major API incompatibility
> introduced with OpenSSH 6.7p1.

It has nothing to do with heartbleed - that is an SSL bug that doesn't
affect OpenSSH at all.

OpenSSL made a small API change in their 0.9.8 stable series that we
previously carried a compat hack for. The impact of not having this hack
is that EVP_CIPHER_CTX_key_length() returns an incorrect length. This
could cause connection problems or possibly insecurity in sshd.

-d
Thanks for the responses. I ended up editing our OpenSSH install script so
it will check Red Hat versions and install 6.6p1 on Red Hat 5 and 6.7p1 on
6 and 7 systems.

David Flatley

From: Damien Miller <djm at mindrot.org>
To: Nico Kadel-Garcia <nkadel at gmail.com>
Cc: David Flatley/Burlington/IBM at IBMUS, "openssh-unix-dev at mindrot.org" <openssh-unix-dev at mindrot.org>
Date: 11/20/2014 10:19 PM
Subject: Re: Fw: version question
On Thu, Nov 20, 2014 at 10:19 PM, Damien Miller <djm at mindrot.org> wrote:
> On Thu, 20 Nov 2014, Nico Kadel-Garcia wrote:
> > A bit more digging shows that the HeartBleed bug apparently never
> > applied to 0.9.8 versions of OpenSSL, the version used in RHEL 5, so
> > that shouldn't be an issue there. OpenSSH version 6.6 was indeed
> > compatible with that older OpenSSL on RHEL 5, I even just tested its
> > basic functionality, so I assume it's not a major API incompatibility
> > introduced with OpenSSH 6.7p1.
>
> It has nothing to do with heartbleed - that is an SSL bug that doesn't
> affect OpenSSH at all.
>
> OpenSSL made a small API change in their 0.9.8 stable series that we
> previously carried a compat hack for. The impact of not having this hack
> is that EVP_CIPHER_CTX_key_length() returns an incorrect length. This
> could cause connection problems or possibly insecurity in sshd.

Interesting, and thank you. I'm not sure how I got it built and tested in
RHEL 5 without seeing that. I don't have a record of touching configure.ac,
but I might have done so in the testing setup. That wasn't evident from the
git log for the check in openbsd-compat.h that was patched, but that's the
*second* check: the one in configure.ac is much better labeled, as well one
might expect from a well-written check.

I do see openssl 1.0.1 available for RHEL 5 over at
ftp://ftp.pramberger.at/systems/linux/contrib/rhel5. Might be worth
checking out, if anyone *really* needs OpenSSH 6.7p1 for RHEL 5. As nice as
it is of that packager to make, I'd personally want to review the SRPM and
build locally, rather than simply deploying from an unfamiliar 3rd party
repository for software as security sensitive as OpenSSL.

Personally, if I were David, the original poster, I'd consider this another
reason to upgrade to CentOS 6 or CentOS 7. CentOS 5 is now 7 years old, and
this kind of backporting gets more and more painful over time.
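As an added example written for this thread, not taken from OpenSSH's own configure.ac or openssl-compat.h: a POSIX shell gate that reads OPENSSL_VERSION_NUMBER from an opensslv.h-style header and refuses the build below a required API level, which is the kind of check Damien is saying should not be patched out. The minimum version, the two sample headers and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example (not OpenSSH's own build script): refuse to build against an
# OpenSSL whose OPENSSL_VERSION_NUMBER is below a required API level, instead
# of patching the version check out of openssl-compat.h / configure.ac.
# OPENSSL_VERSION_NUMBER is a hex literal laid out as 0xMNNFFPPS
# (major, minor, fix, patch, status), so newer releases compare greater.

# Required minimum: a placeholder assumption for this example, not a value
# taken from the thread.
MIN_OPENSSL_VERSION=0x0090806f

# Print the OPENSSL_VERSION_NUMBER literal found in an opensslv.h-style
# header (without the trailing L), or nothing if the macro is absent.
openssl_version_from_header() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_VERSION_NUMBER[[:space:]]\{1,\}\(0x[0-9A-Fa-f]\{1,\}\).*/\1/p' "$1" | head -n 1
}

# Return 0 when the header's version is at least MIN_OPENSSL_VERSION,
# 1 when it is too old, 2 when no version could be read (an unreadable
# header must never pass the gate).
check_openssl_api_level() {
    ver=$(openssl_version_from_header "$1")
    [ -n "$ver" ] || return 2
    # $(( )) understands the 0x prefix, so the hex literals compare as integers.
    [ "$((ver))" -ge "$((MIN_OPENSSL_VERSION))" ]
}

# Constructed sample headers standing in for /usr/include/openssl/opensslv.h:
# one below the placeholder minimum, one above it.
OLD_HDR=$(mktemp); NEW_HDR=$(mktemp)
trap 'rm -f "$OLD_HDR" "$NEW_HDR"' EXIT
printf '#define OPENSSL_VERSION_NUMBER 0x0090805fL\n' > "$OLD_HDR"
printf '#define OPENSSL_VERSION_NUMBER 0x1000105fL\n' > "$NEW_HDR"

for hdr in "$OLD_HDR" "$NEW_HDR"; do
    ver=$(openssl_version_from_header "$hdr")
    if check_openssl_api_level "$hdr"; then
        echo "$ver: OpenSSL API level acceptable, build may proceed"
    else
        echo "$ver: OpenSSL too old for the required API level, refusing to build"
    fi
done
```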