openSSL heartbleed vulnerability
I suppose https access and the openVPN connections are affected by the bug. While I do not use https access I use openVPN on my router.
In the openVPN support forum they say: "Client/server connections that utilize TLS auth, and the keys have been kept secure, are also safe, as they prevent a needed MITM attack needed to compromise the connection." So it seems that it is safe to continue using openVPN as Gargoyle uses TLS-auth.
I hope I am correct.
nieroster
Re: openSSL heartbleed vulnerability
I would assume that you need to fix the openssl on the router and regenerate keys for openVPN. I'm not sure what you quoted means.
You can add stunnel to the list of services that might be on your Gargoyle router that need to have openSSL updated and certificates regenerated.
Does anyone have a description on how to get a newer openSSL onto Gargoyle? Otherwise I'm going with this : https://forum.openwrt.org/viewtopic.php?id=49958
-m
Re: openSSL heartbleed vulnerability
OK, I can't find a way to do this.
- gpkg has a bug so that you can't install local .ipk files. http://www.gargoyle-router.com/phpbb/vi ... f=6&t=5387
- I tried changing opkg.conf to point to trunk of openwrt
Code:
src/gz attitude_adjustment http://dowloads.openwrt.org/snapshots/trunk/ar71xx/packages
Code:
opkg update
opkg upgrade libopenssl
- shows the newer one but tells me I have the latest version updated.
Code:
opkg info libopenssl
- I force removed the old one and now it tells me :
Code:
# opkg install libopenssl
ERROR: No package named libopenssl found, try updating your package lists
# opkg update
Downloading package list for attitude_adjustment source...
Package list for attitude_adjustment downloaded successfully.
# opkg install libopenssl
ERROR: No package named libopenssl found, try updating your package lists
thanks in advance,
-m
Re: openSSL heartbleed vulnerability
Hi, an update will be on its way soon! The patch is here.
http://www.gargoyle-router.com/gargoyle ... b693e461e9
Linksys WRT3200ACM
NETGEAR Nighthawk R7800
NETGEAR R6260
Re: openSSL heartbleed vulnerability
tapper wrote: Hi, an update will be on its way soon! The patch is here.
http://www.gargoyle-router.com/gargoyle ... b693e461e9
excellent, thanks.
Re: openSSL heartbleed vulnerability
Hi Tapper,
I'm seeing the update now :
But I still cannot get opkg/gpkg to update to it!
Ideas?
Code:
# opkg update
# opkg info libopenssl
Package: libopenssl
Version: 1.0.1e-1
User-Installed: true
Install-Destination: root
Source: package/openssl
Size: 629511
Maintainer: OpenWrt Developers Team <openwrt-devel@openwrt.org>
Installed-Size: 639779
MD5Sum: 9d933b0a737334984ae5c7170e5193be
Link-Destination:
Installed-Time: 1397097306
Provides:
Description: The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and Open Source toolkit implementing the Secure
Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well
as a full-strength general purpose cryptography library.
This package contains the OpenSSL shared libraries, needed by other programs.
Essential: no
Architecture: ar71xx
Source-ID: gargoyle
Section: libs
Filename: libopenssl_1.0.1e-1_ar71xx.ipk
Priority: optional
Status: install user installed
Depends: libc, zlib
Package: libopenssl
Version: 1.0.1g-1
User-Installed: false
Install-Destination: Not Installed
Source: package/openssl
Size: 632882
Maintainer: OpenWrt Developers Team <openwrt-devel@openwrt.org>
Installed-Size: 640107
MD5Sum: aef2396afb2668e7feed5b9c9874258a
Provides:
Description: The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and Open Source toolkit implementing the Secure
Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well
as a full-strength general purpose cryptography library.
This package contains the OpenSSL shared libraries, needed by other programs.
Essential: no
Architecture: ar71xx
Source-ID: attitude_adjustment
Section: libs
Filename: libopenssl_1.0.1g-1_ar71xx.ipk
Priority: optional
Status: unknown ok not-installed
Depends: libc, zlib
Code:
# opkg upgrade libopenssl
ERROR: package libopenssl is already the latest version (1.0.1e-1)
Thanks!
-m
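Added example, not part of the post above and not Gargoyle or OpenWrt tooling: a POSIX sh check that reads `opkg info libopenssl` output, picks the stanza that is actually installed (opkg also lists repository candidates, as the output above shows) and reports whether that version is in the upstream Heartbleed-affected range, 1.0.1 through 1.0.1f. The function names are hypothetical and the sample input is constructed, abbreviated from the two stanzas in the post.

```shell
#!/bin/sh
# Constructed sample: the two stanzas from the post, reduced to the
# fields this check reads.
SAMPLE='Package: libopenssl
Version: 1.0.1e-1
Status: install user installed

Package: libopenssl
Version: 1.0.1g-1
Status: unknown ok not-installed'

# Print the Version of the stanza whose Status line ends in "installed".
# Taking the first or last Version line would be wrong once a repository
# candidate is listed next to the installed package.
installed_version() {
    awk '
        /^Package:/ { ver = "" }
        /^Version:/ { ver = $2 }
        /^Status:/  { if ($NF == "installed" && ver != "") { print ver; exit } }
    '
}

# Return 0 if a package version such as "1.0.1e-1" is in the affected
# range: 1.0.1 with no letter, or letters a through f. This looks at the
# version string only; a vendor build that backports the fix without
# changing the letter would be reported as affected.
heartbleed_affected() {
    v=${1%%-*}                      # drop the package revision ("-1")
    case "$v" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *)                return 1 ;;
    esac
}

# Read `opkg info libopenssl` output on stdin and print a verdict.
# Exit status: 0 not affected, 1 affected, 2 no installed stanza found.
check_libopenssl() {
    ver=$(installed_version)
    if [ -z "$ver" ]; then echo "unknown"; return 2; fi
    if heartbleed_affected "$ver"; then echo "affected $ver"; return 1; fi
    echo "ok $ver"
}

# Sample run; a non-zero status here means the sample is affected.
printf '%s\n' "$SAMPLE" | check_libopenssl || :
```

On a router the same check runs as `opkg info libopenssl | check_libopenssl`. Services already running, such as OpenVPN or stunnel, keep the old library loaded until they are restarted.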
Re: openSSL heartbleed vulnerability
Hi there mate. I am having the same thing and I think there is a bug with opkg. I think we will have to wait for a new bin from Eric.
Linksys WRT3200ACM
NETGEAR Nighthawk R7800
NETGEAR R6260
Re: openSSL heartbleed vulnerability
yeah there seems to be an error in gpkg preventing it from working right.
in the meantime you can use the experimental build here: http://www.gargoyle-router.com/phpbb/vi ... =14&t=5533
Re: openSSL heartbleed vulnerability
It would be great to figure out a work around which allows command line updating of the packages. I get the following error.
# opkg install libopenssl_1.0.1g-1_ar71xx.ipk
ERROR: Specified install destination is not writable, exiting
Is this because openssl is located in ROM?
Re: openSSL heartbleed vulnerability
http://arstechnica.com/security/2014/04 ... -keys-too/ is an interesting update on OpenVPN leakage.
"One bright spot for some smaller organizations using OpenVPN is that the exploit won't work against systems that have TLS authentication enabled as long as all the end users connecting are trusted. That's because TLS authentication uses a separate private key to encrypt and authenticate the TLS traffic."
In looking through the server config files, it appears it is using a TLS-auth certificate. Can anyone who understands OpenVPN confirm this is true for the gargoyle generated config?