openSSL heartbleed vulnerability


nieroster
Posts: 27
Joined: Sun Apr 14, 2013 10:56 am

openSSL heartbleed vulnerability

Post by nieroster »

I suppose https access and the openVPN connections are affected by the bug. While I do not use https access, I use openVPN on my router.

In the openVPN support forum they say: "Client/server connections that utilize TLS auth, and the keys have been kept secure, are also safe, as they prevent a needed MITM attack needed to compromise the connection." So it seems that it is safe to continue using openVPN as Gargoyle uses TLS-auth.

I hope I am correct.

nieroster

maxslug
Posts: 9
Joined: Fri Nov 15, 2013 6:45 pm

Re: openSSL heartbleed vulnerability

Post by maxslug »

I would assume that you need to fix the openssl on the router and regenerate keys for openVPN. I'm not sure what you quoted means.

You can add stunnel to the list of services that might be on your Gargoyle router that need to have openSSL updated and certificates regenerated.

Does anyone have a description on how to get a newer openSSL onto Gargoyle? Otherwise I'm going with this : https://forum.openwrt.org/viewtopic.php?id=49958

-m

maxslug
Posts: 9
Joined: Fri Nov 15, 2013 6:45 pm

Re: openSSL heartbleed vulnerability

Post by maxslug »

OK, I can't find a way to do this.

  1. gpkg has a bug so that you can't install local .ipk files. viewtopic.php?f=6&t=5387
  2. I tried changing opkg.conf to point to trunk of openwrt

    Code:

    src/gz attitude_adjustment http://dowloads.openwrt.org/snapshots/trunk/ar71xx/packages

    Code:

    opkg update
    opkg upgrade libopenssl
  3. Code:

    opkg info libopenssl

    shows the newer one but tells me I have the latest version updated.
  4. I force removed the old one and now it tells me :

    Code:

    # opkg install libopenssl
    ERROR: No package named libopenssl found, try updating your package lists
    # opkg update
    Downloading package list for attitude_adjustment source...
    Package list for attitude_adjustment downloaded successfully.
    # opkg install libopenssl
    ERROR: No package named libopenssl found, try updating your package lists

Summary: gpkg is borked and I can't find a good way of getting a newer version of openssl onto Gargoyle. Do I have to install gcc and compile openssl? Is the router capable of that? If not, do I have to cross-compile? errg.

thanks in advance,
-m

tapper
Moderator
Posts: 1071
Joined: Sun Oct 13, 2013 5:49 pm
Location: Stoke-on-trent UK

Re: openSSL heartbleed vulnerability

Post by tapper »

Hi, an update will be on its way soon! The patch is here.
http://www.gargoyle-router.com/gargoyle ... b693e461e9
Linksys WRT1900AC V2 Gargoyle 1.11
Linksys WRT3200ACM OpenWrt Snapshot

maxslug
Posts: 9
Joined: Fri Nov 15, 2013 6:45 pm

Re: openSSL heartbleed vulnerability

Post by maxslug »

tapper wrote: Hi, an update will be on its way soon! The patch is here.
http://www.gargoyle-router.com/gargoyle ... b693e461e9


excellent, thanks.

maxslug
Posts: 9
Joined: Fri Nov 15, 2013 6:45 pm

Re: openSSL heartbleed vulnerability

Post by maxslug »

Hi Tapper,

I'm seeing the update now :

Code:

# opkg update
# opkg info libopenssl
Package: libopenssl
Version: 1.0.1e-1
User-Installed: true
Install-Destination: root
Source: package/openssl
Size: 629511
Maintainer: OpenWrt Developers Team <openwrt-devel@openwrt.org>
Installed-Size: 639779
MD5Sum: 9d933b0a737334984ae5c7170e5193be
Link-Destination:
Installed-Time: 1397097306
Provides:
Description: The OpenSSL Project is a collaborative effort to develop a robust,
             commercial-grade, full-featured, and Open Source toolkit implementing the Secure
             Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well
             as a full-strength general purpose cryptography library.
             This package contains the OpenSSL shared libraries, needed by other programs.
Essential: no
Architecture: ar71xx
Source-ID: gargoyle
Section: libs
Filename: libopenssl_1.0.1e-1_ar71xx.ipk
Priority: optional
Status: install user installed
Depends: libc, zlib

Package: libopenssl
Version: 1.0.1g-1
User-Installed: false
Install-Destination: Not Installed
Source: package/openssl
Size: 632882
Maintainer: OpenWrt Developers Team <openwrt-devel@openwrt.org>
Installed-Size: 640107
MD5Sum: aef2396afb2668e7feed5b9c9874258a
Provides:
Description: The OpenSSL Project is a collaborative effort to develop a robust,
             commercial-grade, full-featured, and Open Source toolkit implementing the Secure
             Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well
             as a full-strength general purpose cryptography library.
             This package contains the OpenSSL shared libraries, needed by other programs.
Essential: no
Architecture: ar71xx
Source-ID: attitude_adjustment
Section: libs
Filename: libopenssl_1.0.1g-1_ar71xx.ipk
Priority: optional
Status: unknown ok not-installed
Depends: libc, zlib


But I still cannot get opkg/gpkg to update to it!

Code:

# opkg upgrade libopenssl
ERROR: package libopenssl is already the latest version (1.0.1e-1)


Ideas?

Thanks!
-m
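
A version check for the `opkg info libopenssl` output shown in the post above, as an added example that is not part of the original thread. It assumes the Heartbleed range of OpenSSL 1.0.1 through 1.0.1f (plus 1.0.2-beta1), fixed in 1.0.1g; the sample text is constructed and abbreviated, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: abbreviated two-stanza `opkg info libopenssl` output,
# using only the fields this check needs.
SAMPLE_OPKG_INFO='Package: libopenssl
Version: 1.0.1e-1
Status: install user installed

Package: libopenssl
Version: 1.0.1g-1
Status: unknown ok not-installed'

# Print the Version of the stanza whose Status ends in "installed".
# The feed copy ("not-installed") is skipped, so an available but
# not yet applied fix is never mistaken for the running library.
installed_version() {
    awk '
        /^Version:/ { ver = $2 }
        /^Status:/ && $NF == "installed" { print ver; exit }
        /^$/ { ver = "" }
    '
}

# Classify a package version string (upstream version plus -revision).
# This is a version-string check only: it cannot see a vendor backport
# or a build with heartbeats compiled out.
heartbleed_status() {
    case "$1" in
        "") echo unknown ;;
        1.0.1|1.0.1-*|1.0.1[abcdef]|1.0.1[abcdef]-*|1.0.2-beta1*)
            echo vulnerable ;;
        1.0.1?*) echo fixed ;;
        *) echo not-affected ;;
    esac
}

# Read `opkg info` text on stdin and print a one-line verdict.
check_libopenssl() {
    v=$(installed_version)
    echo "libopenssl ${v:-none}: $(heartbleed_status "$v")"
}

# Demo on the constructed sample. On a router:
#   opkg info libopenssl | check_libopenssl
printf '%s\n' "$SAMPLE_OPKG_INFO" | check_libopenssl
```

Services linked against the library (OpenVPN, stunnel, the https web interface) keep the old code mapped until they are restarted, so rerun the check and restart them after the upgrade.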

tapper
Moderator
Posts: 1071
Joined: Sun Oct 13, 2013 5:49 pm
Location: Stoke-on-trent UK

Re: openSSL heartbleed vulnerability

Post by tapper »

Hi there mate. I am having the same thing and I think there is a bug with opkg. I think we will have to wait for a new bin from Eric.

eramseth
Posts: 18
Joined: Wed Nov 23, 2011 1:28 pm

Re: openSSL heartbleed vulnerability

Post by eramseth »

Yeah, there seems to be an error in gpkg preventing it from working right.

In the meantime you can use the experimental build here: viewtopic.php?f=14&t=5533

throughwalls
Posts: 89
Joined: Thu Apr 22, 2010 3:24 pm

Re: openSSL heartbleed vulnerability

Post by throughwalls »

It would be great to figure out a workaround which allows command line updating of the packages. I get the following error.

# opkg install libopenssl_1.0.1g-1_ar71xx.ipk
ERROR: Specified install destination is not writable, exiting


Is this because openssl is located in ROM?

throughwalls
Posts: 89
Joined: Thu Apr 22, 2010 3:24 pm

Re: openSSL heartbleed vulnerability

Post by throughwalls »

http://arstechnica.com/security/2014/04 ... -keys-too/ is an interesting update on OpenVPN leakage.

One bright spot for some smaller organizations using OpenVPN is that the exploit won't work against systems that have TLS authentication enabled as long as all the end users connecting are trusted. That's because TLS authentication uses a separate private key to encrypt and authenticate the TLS traffic.


In looking through the server config files, it appears it is using a TLS-auth certificate. Can anyone who understands OpenVPN confirm this is true for the Gargoyle-generated config?
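
One way to answer that question on a given router, as an added example that is not part of the original thread and not Gargoyle's own code: check the server config for an active `tls-auth` directive or inline `<tls-auth>` block, and check that the shared key file is readable only by its owner. The sample config, its paths and the function names are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample server config (not Gargoyle's actual generated file).
SAMPLE_CONF='# OpenVPN server (constructed sample)
port 1194
proto udp
ca ca.crt
cert server.crt
key server.key
;tls-auth old-ta.key 0
tls-auth /etc/openvpn/ta.key 0
'

# Report how tls-auth is configured in an OpenVPN config read on stdin.
# Prints "file <path> <direction>", "inline", or "absent".
# Lines commented out with # or ; do not count as enabled.
tls_auth_mode() {
    awk '
        /^[ \t]*[#;]/ { next }
        $1 == "tls-auth" {
            print "file", $2, ($3 == "" ? "none" : $3)
            found = 1; exit
        }
        $1 == "<tls-auth>" { print "inline"; found = 1; exit }
        END { if (!found) print "absent" }
    '
}

# Succeed only if the key file exists and grants no permission bits
# to group or others (characters 5-10 of the ls mode string).
key_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Demo on the constructed sample. On a router, feed the real server
# config on stdin and pass the reported key path to key_is_private.
printf '%s' "$SAMPLE_CONF" | tls_auth_mode
```

A result of `absent` means the extra HMAC layer is not in use. `tls-auth` relies on a key shared by every client, so it only helps while each holder of that key is trusted.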
