recompiling openssl in base system with -DOPENSSL_NO_HEARTBEATS

Matthias Apitz guru at unixarea.de
Sun Apr 13 07:46:52 UTC 2014


El día Sunday, April 13, 2014 a las 09:03:40AM +0200, Matthias Apitz escribió:

> 
> Hello,
> 
> I run a bunch of -CURRENT systems and due to the OpenSSL HEARTBEAT issue
> I want to recompile the libssl.so in the base system with the option
> -DOPENSSL_NO_HEARTBEATS.
> 
> What is the best procedure to do this?

I think the easy way is what I did now:

$ ./heartbleed/heartbleed localhost:631
VULNERABLE!

we have to recompile libssl.so.7

# cd /usr/src/secure/lib/libssl

# vim ../libcrypto/Makefile.inc
added to the line -DOPENSSL_NO_HEARTBEATS as shown here:

# diff ../libcrypto/Makefile.inc*
12c12
< CFLAGS+=      -DTERMIOS -DANSI_SOURCE -DOPENSSL_NO_HEARTBEATS
---
> CFLAGS+=      -DTERMIOS -DANSI_SOURCE

# make
# make install

$ ~/heartbleed/heartbleed localhost:631
NOT VULNERABLE (TLS Heartbeat extension not supported by the server)


-- 
Matthias Apitz               |  /"\   ASCII Ribbon Campaign:
E-mail: guru at unixarea.de     |  \ /   - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ |   X    - No proprietary attachments
phone: +49-170-4527211       |  / \   - Respect for open standards
                             | en.wikipedia.org/wiki/ASCII_Ribbon_Campaign


More information about the freebsd-current mailing list