openSSL heartbleed vulnerability

Posted: Wed Apr 09, 2014 4:57 am
by nieroster
I suppose https access and the openVPN connections are affected by the bug. While I do not use https access, I use openVPN on my router.

In the openVPN support forum they say: "Client/server connections that utilize TLS auth, and the keys have been kept secure, are also safe, as they prevent a needed MITM attack needed to compromise the connection." So it seems that it is safe to continue using openVPN as Gargoyle uses TLS-auth.

I hope I am correct.

nieroster

Re: openSSL heartbleed vulnerability

Posted: Wed Apr 09, 2014 9:43 pm
by maxslug
I would assume that you need to fix the openssl on the router and regenerate keys for openVPN. I'm not sure what you quoted means.

You can add stunnel to the list of services that might be on your Gargoyle router that need to have openSSL updated and certificates regenerated.

Does anyone have a description on how to get a newer openSSL onto Gargoyle? Otherwise I'm going with this: https://forum.openwrt.org/viewtopic.php?id=49958

-m

Re: openSSL heartbleed vulnerability

Posted: Wed Apr 09, 2014 10:32 pm
by maxslug
OK, I can't find a way to do this.
  1. gpkg has a bug so that you can't install local .ipk files. http://www.gargoyle-router.com/phpbb/vi ... f=6&t=5387
  2. I tried changing opkg.conf to point to trunk of openwrt:

        src/gz attitude_adjustment http://dowloads.openwrt.org/snapshots/trunk/ar71xx/packages

        opkg update
        opkg upgrade libopenssl

  3.    opkg info libopenssl

     shows the newer one but tells me I have the latest version updated.
  4. I force removed the old one and now it tells me:

        # opkg install libopenssl
        ERROR: No package named libopenssl found, try updating your package lists
        # opkg update
        Downloading package list for attitude_adjustment source...
        Package list for attitude_adjustment downloaded successfully.
        # opkg install libopenssl
        ERROR: No package named libopenssl found, try updating your package lists

Summary: gpkg is borked and I can't find a good way of getting a newer version of openssl onto Gargoyle. Do I have to install gcc and compile openssl? Is the router capable of that? If not, do I have to cross-compile? errg.

thanks in advance,
-m

Re: openSSL heartbleed vulnerability

Posted: Thu Apr 10, 2014 1:40 am
by tapper
Hi, an update will be on its way soon! The patch is here.
http://www.gargoyle-router.com/gargoyle ... b693e461e9

Re: openSSL heartbleed vulnerability

Posted: Thu Apr 10, 2014 12:24 pm
by maxslug
tapper wrote:
> Hi, an update will be on its way soon! The patch is here.
> http://www.gargoyle-router.com/gargoyle ... b693e461e9

excellent, thanks.

Re: openSSL heartbleed vulnerability

Posted: Sat Apr 12, 2014 12:35 am
by maxslug
Hi Tapper,

I'm seeing the update now:

#opkg update
# opkg info libopenssl
Package: libopenssl
Version: 1.0.1e-1
User-Installed: true
Install-Destination: root
Source: package/openssl
Size: 629511
Maintainer: OpenWrt Developers Team <openwrt-devel@openwrt.org>
Installed-Size: 639779
MD5Sum: 9d933b0a737334984ae5c7170e5193be
Link-Destination: 
Installed-Time: 1397097306
Provides: 
Description: The OpenSSL Project is a collaborative effort to develop a robust,
             commercial-grade, full-featured, and Open Source toolkit implementing the Secure
             Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well
             as a full-strength general purpose cryptography library.
             This package contains the OpenSSL shared libraries, needed by other programs.
Essential: no
Architecture: ar71xx
Source-ID: gargoyle
Section: libs
Filename: libopenssl_1.0.1e-1_ar71xx.ipk
Priority: optional
Status: install user installed
Depends: libc, zlib

Package: libopenssl
Version: 1.0.1g-1
User-Installed: false
Install-Destination: Not Installed
Source: package/openssl
Size: 632882
Maintainer: OpenWrt Developers Team <openwrt-devel@openwrt.org>
Installed-Size: 640107
MD5Sum: aef2396afb2668e7feed5b9c9874258a
Provides: 
Description: The OpenSSL Project is a collaborative effort to develop a robust,
             commercial-grade, full-featured, and Open Source toolkit implementing the Secure
             Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well
             as a full-strength general purpose cryptography library.
             This package contains the OpenSSL shared libraries, needed by other programs.
Essential: no
Architecture: ar71xx
Source-ID: attitude_adjustment
Section: libs
Filename: libopenssl_1.0.1g-1_ar71xx.ipk
Priority: optional
Status: unknown ok not-installed
Depends: libc, zlib
But I still cannot get opkg/gpkg to update to it!

    # opkg upgrade libopenssl
    ERROR: package libopenssl is already the latest version (1.0.1e-1)

Ideas?

Thanks!
-m
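A quick way to read the `opkg info` output above without eyeballing two stanzas is to parse it and compare the installed version against the first fixed release. The script below is an added example, not code from this thread or from the Gargoyle project; it assumes the stanza format shown in the post (a `Version:` line followed later by a `Status:` line whose last word is `installed` for the installed copy) and the well-known Heartbleed range of OpenSSL 1.0.1 through 1.0.1f. The `SAMPLE_INFO` text is constructed from the post to make the script runnable offline; on a router you would pipe `opkg info libopenssl` into `heartbleed_status` instead.

```shell
#!/bin/sh
# Added example: decide from `opkg info libopenssl` output whether the
# installed OpenSSL is still in the Heartbleed-affected 1.0.1 range.

# Constructed sample, modelled on the opkg info stanzas in the thread:
# an installed 1.0.1e and an available-but-not-installed 1.0.1g.
SAMPLE_INFO='Package: libopenssl
Version: 1.0.1e-1
Status: install user installed
Depends: libc, zlib

Package: libopenssl
Version: 1.0.1g-1
Status: unknown ok not-installed
Depends: libc, zlib'

# installed_version: read opkg info output on stdin, print the Version
# of the stanza whose Status line ends in "installed" (not "not-installed").
installed_version() {
  awk '
    /^Version:/ { ver = $2 }
    /^Status:/  { if ($NF == "installed") print ver }
  '
}

# heartbleed_affected VERSION: exit 0 if the OpenSSL version (opkg form,
# e.g. "1.0.1e-1") is 1.0.1 through 1.0.1f, the releases with the bug.
# Only the 1.0.1 branch is checked here; 1.0.1g and later are treated as fixed.
heartbleed_affected() {
  ossl_ver=${1%%-*}                 # drop the package revision ("-1")
  case "$ossl_ver" in
    1.0.1|1.0.1[a-f]) return 0 ;;   # affected
    *)                return 1 ;;   # not in the affected 1.0.1 range
  esac
}

# heartbleed_status: stdin is opkg info output. Prints one line and exits
# 0 = fixed, 1 = affected, 2 = libopenssl not installed.
heartbleed_status() {
  inst_ver=$(installed_version)
  if [ -z "$inst_ver" ]; then
    echo "not-installed"
    return 2
  fi
  if heartbleed_affected "$inst_ver"; then
    echo "affected $inst_ver"
    return 1
  fi
  echo "fixed $inst_ver"
  return 0
}

# Demo on the constructed sample (real use: opkg info libopenssl | heartbleed_status)
if printf '%s\n' "$SAMPLE_INFO" | heartbleed_status; then
  echo "libopenssl is patched"
else
  echo "libopenssl needs updating (or is missing)"
fi
```

The status line distinguishes "installed" from "not-installed" by the last word of the `Status:` line, which is exactly what trips up a quick glance at the output above: the 1.0.1g stanza is listed, but its status is `not-installed`, so the router is still running 1.0.1e.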

Re: openSSL heartbleed vulnerability

Posted: Sat Apr 12, 2014 2:44 am
by tapper
Hi there mate. I am having the same thing and I think there is a bug with opkg. I think we will have to wait for a new bin from Eric.

Re: openSSL heartbleed vulnerability

Posted: Sat Apr 12, 2014 11:27 am
by eramseth
Yeah, there seems to be an error in gpkg preventing it from working right.

in the meantime you can use the experimental build here: http://www.gargoyle-router.com/phpbb/vi ... =14&t=5533

Re: openSSL heartbleed vulnerability

Posted: Tue Apr 15, 2014 11:07 am
by throughwalls
It would be great to figure out a workaround which allows command line updating of the packages. I get the following error.

    # opkg install libopenssl_1.0.1g-1_ar71xx.ipk
    ERROR: Specified install destination is not writable, exiting

Is this because openssl is located in ROM?

Re: openSSL heartbleed vulnerability

Posted: Thu Apr 17, 2014 10:05 am
by throughwalls
http://arstechnica.com/security/2014/04 ... -keys-too/ is an interesting update on OpenVPN leakage.

> One bright spot for some smaller organizations using OpenVPN is that the exploit won't work against systems that have TLS authentication enabled as long as all the end users connecting are trusted. That's because TLS authentication uses a separate private key to encrypt and authenticate the TLS traffic.

In looking through the server config files, it appears it is using a TLS-auth certificate. Can anyone who understands OpenVPN confirm this is true for the gargoyle generated config?
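The question in the last post, whether a generated OpenVPN config really has TLS-auth enabled, can be answered mechanically. The script below is an added example, not code from this thread or from Gargoyle: it looks for a `tls-auth <file> [direction]` directive (or an inline `<tls-auth>` block) and confirms the referenced key is an OpenVPN static key, since a `tls-auth` line that points at a missing or wrong file gives no protection. It assumes a relative key path is relative to the config file's directory (OpenVPN itself resolves relative paths against its working directory or `--cd`, so adjust if your setup differs). The three sample configs it writes to a temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example: check whether an OpenVPN config has TLS-auth enabled
# with a usable static key. Exit 0 = enabled, 1 = not enabled.

STATIC_KEY_HEADER='BEGIN OpenVPN Static key V1'

# tls_auth_status CONFIG: print a one-line verdict for CONFIG.
tls_auth_status() {
  cfg=$1
  cfgdir=$(dirname "$cfg")

  # Directive form: "tls-auth ta.key 0" (first non-comment occurrence).
  keyfile=$(awk '$1 == "tls-auth" { print $2; exit }' "$cfg")
  if [ -n "$keyfile" ]; then
    # Assumption: relative key paths are relative to the config's directory.
    case "$keyfile" in
      /*) ;;
      *)  keyfile="$cfgdir/$keyfile" ;;
    esac
    if [ -r "$keyfile" ] && grep -q "$STATIC_KEY_HEADER" "$keyfile"; then
      echo "enabled (file $keyfile)"
      return 0
    fi
    echo "declared but key file missing or not a static key: $keyfile"
    return 1
  fi

  # Inline form: a <tls-auth> ... </tls-auth> block carrying the key itself.
  if awk -v hdr="$STATIC_KEY_HEADER" '
        /^<tls-auth>/   { inblk = 1 }
        inblk && index($0, hdr) { found = 1 }
        /^<\/tls-auth>/ { inblk = 0 }
        END { exit !found }' "$cfg"; then
    echo "enabled (inline key)"
    return 0
  fi

  echo "not configured"
  return 1
}

# make_sample_configs: write three constructed configs into a temp dir and
# print its path. The key material is a placeholder, not a real key.
make_sample_configs() {
  d=$(mktemp -d)
  cat > "$d/ta.key" <<'EOF'
-----BEGIN OpenVPN Static key V1-----
00000000000000000000000000000000
-----END OpenVPN Static key V1-----
EOF
  cat > "$d/with-ta.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
tls-auth ta.key 0
EOF
  cat > "$d/without-ta.conf" <<'EOF'
port 1194
proto udp
dev tun
# tls-auth ta.key 0   (commented out: must not count as enabled)
EOF
  cat > "$d/inline-ta.conf" <<'EOF'
port 1194
key-direction 0
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00000000000000000000000000000000
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
  echo "$d"
}

# Demo over the constructed configs (real use: tls_auth_status /etc/openvpn/server.conf)
demo_dir=$(make_sample_configs)
for c in with-ta without-ta inline-ta; do
  printf '%s: ' "$c"
  tls_auth_status "$demo_dir/$c.conf" || true
done
rm -rf "$demo_dir"
```

A positive result here only means the extra HMAC layer is in place; as the quoted OpenVPN forum note says, it helps only while the static key itself has stayed secret, so a key that was ever on a Heartbleed-exposed host should be regenerated along with the certificates.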