J.Lance,

On 4/18/14, 2:55 PM, J.Lance Wilkinson wrote:
> Christopher Schultz wrote:
> ...snip...
>>
>> I don't get it. Both setups (2.2.26 and 2.4.9) have 1.0.1e and have an
>> update available to 1.0.1g (I haven't read the changelogs but I'll bet
>> the difference is mostly the version-bump since everyone is paranoid
>> about 1.0.1e, now). I'll see if that changes anything.
>
> Chris,
> What OS are you running? RHEL6?

Something like that. It's "Amazon Linux" which is RHEL-compatible.

> If so, then you actually do have the patched version EQUIVALENT to 1.0.1g,
> so my local Linux guru tells me.
>
> On RHEL6, I get:
> % openssl version
> OpenSSL 1.0.1e-fips 11 Feb 2013
>
> BUT, I also get:
> ~% rpm -q openssl
> openssl-1.0.1e-16.el6_5.7.x86_64
>
> RedHat, he tells me, does not distribute the new version but actually
> went back and applied the relevant patches TO THEIR DISTRIBUTED
> VERSION. Note the -16.
> That's the indicator.

Yes, I'm aware. Amazon released another update that brings the version
explicitly up to 1.0.1g. I am aware that I was safe from Heartbleed even
with the older version.

> It seems that RedHat thinks they know better than we.

The difference is that the patched 1.0.1e had only the security patch for
Heartbleed. I suspect that the difference between 1.0.1e and 1.0.1g
directly from OpenSSL includes more changes than just the Heartbleed patch.
This is how most distros work: they back-port only the patches that are
appropriate instead of always including version.current for their updates.

Anyhow, it seems you've strayed off-topic because this isn't about which
is more appropriate -- 1.0.1e or 1.0.1g... it's about why I can't seem to
get httpd 2.2.26 to use ECDHE ciphers. I suspect it has something to do
with Amazon's build process even though the libraries are dynamically-linked.
Perhaps httpd was built against 1.0.0 so does not include certain
capabilities even though 1.0.1g is available at run-time.

-chris
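An added example, not from anyone in this thread, of the check J.Lance's "Note the -16" remark implies: since `openssl version` keeps saying 1.0.1e after a back-ported fix, the indicator is the package's version-release label compared with the fixed one in rpm's segment-wise ordering. It assumes Python 3; the "fixed" release it compares against is a placeholder that in practice comes from the vendor's advisory, and the older package string is constructed.

```python
import re
from typing import Tuple

# Split labels such as "1.0.1e" or "16.el6_5.7" into alternating numeric
# and alphabetic runs, which is how rpm's rpmvercmp() orders them.
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two RPM version or release labels."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            # A numeric segment always sorts newer than an alphabetic one.
            return 1 if x_num else -1
        if x_num:
            xi, yi = int(x), int(y)        # numeric compare ignores leading zeros
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1      # alphabetic segments compare lexically
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1  # leftover segments mean "newer"


def split_nvra(pkg: str) -> Tuple[str, str, str, str]:
    """Split 'openssl-1.0.1e-16.el6_5.7.x86_64' into name, version, release, arch."""
    base, arch = pkg.rsplit(".", 1)
    name_ver, release = base.rsplit("-", 1)
    name, version = name_ver.rsplit("-", 1)
    return name, version, release, arch


def fix_is_present(installed: str, fixed_version: str, fixed_release: str) -> bool:
    """True when the installed package is at or beyond the fixed version-release."""
    _, ver, rel, _ = split_nvra(installed)
    c = rpmvercmp(ver, fixed_version)
    if c == 0:
        c = rpmvercmp(rel, fixed_release)   # same upstream version: release decides
    return c >= 0


# Placeholder "fixed" label; take the real one from the vendor advisory.
FIXED_VERSION, FIXED_RELEASE = "1.0.1e", "16.el6_5.7"
INSTALLED = "openssl-1.0.1e-16.el6_5.7.x86_64"   # from the thread above
OLDER = "openssl-1.0.1e-16.el6_5.4.x86_64"       # constructed, pre-fix release

if __name__ == "__main__":
    for pkg in (INSTALLED, OLDER):
        print(pkg, "->", "fixed" if fix_is_present(pkg, FIXED_VERSION, FIXED_RELEASE) else "NOT fixed")
```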