NetTalk Central

NetTalk Web Server => Web Server - Ask For Help => Topic started by: Johan de Klerk on April 08, 2014, 11:47:20 PM

Title: Massive security bug in OpenSSL
Post by: Johan de Klerk on April 08, 2014, 11:47:20 PM
Hi,

For everyone that uses OpenSSL:

Massive security bug may leave SA sites vulnerable: http://mybroadband.co.za/news/security/100204-massive-security-bug-may-leave-sa-sites-vulnerable.html

TLS heartbeat read overrun (CVE-2014-0160): https://www.openssl.org/news/secadv_20140407.txt

OpenSSL 1.0.1g is now available, including bug and security fixes: https://www.openssl.org/source/

Regards

Johan de Klerk
Title: Re: Massive security bug in OpenSSL
Post by: Bruce on April 09, 2014, 05:18:30 AM
I have got the new OpenSSL build and will make it available in a NT8 and NT7 build soon. The updated binaries are also attached to this post. NT6 users are not affected, as NT6 uses an earlier version of OpenSSL without this bug.


[attachment deleted by admin]
Title: Re: Massive security bug in OpenSSL
Post by: Bruce on April 10, 2014, 04:44:49 AM
Update:

If you are not sure if your site is affected or not you can use;
http://filippo.io/Heartbleed/

Sites built using NetTalk 7.10 and earlier are using older OpenSSL DLLs and so are not affected.

Sites using 7.11 or later are recommended to get the 7.39 update and use the OpenSSL DLLs from there. (Or just download the DLLs directly from my earlier post and place them in the application folder.)

Sites built with NT8 are recommended to update to NT8.07 or later, or use the DLLs mentioned above.

Cheers
Bruce

Title: Re: Massive security bug in OpenSSL
Post by: CaseyR on April 11, 2014, 01:57:21 PM
Hi, Bruce

Just to confirm. I have updated to NT7.39, but I noticed that in the accessories\bin folder, while the OpenSSL.exe and CLANet.dll are dated April 2014, the SSL DLLs are all dated years ago. It is a reversion to get us over the crisis, right? There weren't new DLLs that somehow did not get installed or were not included in the setup archive?

Thanks.
Title: Re: Massive security bug in OpenSSL
Post by: Bruce on April 14, 2014, 12:51:42 AM
Hi Casey,

No, that doesn't sound right. The DLLs should be version 1.0.1g.
I've rebuilt the install and re-uploaded it just to be sure, but as far as I can tell the DLLs in the install were indeed the 1.0.1g ones.

Note that if the DLLs are in use when you install the update, you may need to reboot the machine for the install to complete. Usually the install warns you about that, though.

Cheers
Bruce
Title: Re: Massive security bug in OpenSSL
Post by: CaseyR on April 14, 2014, 11:11:27 AM
Thanks, Bruce

I downloaded and ran the setup again which fixed the problem.
Title: Re: Massive security bug in OpenSSL
Post by: sstockst on April 16, 2014, 05:51:54 AM
>> If you are not sure if your site is affected or not you can use;
>> http://filippo.io/Heartbleed/

Using NetTalk 4.5.x build from 2011.
Sites using OpenSSL 0.9.8 appear to be timing out using the suggested test sites now.

Is anyone else seeing this issue?
Thanks

Title: Re: Massive security bug in OpenSSL
Post by: Bruce on April 16, 2014, 08:27:30 PM
Hi Steven,

While OpenSSL 0.9.8 might be immune to Heartbleed, that doesn't mean it isn't susceptible to other things. You probably want to update that at some point.

As a general rule it's better to be on later. (Heartbleed is maybe an exception to that logic <g>)

Here's another test URL you can use;
https://www.ssllabs.com/ssltest/index.html

Cheers
Bruce