# Heartbleed - fix

## Joseph_sys

Which program do I upgrade to fix Heartbleed bug?

http://safeweb.norton.com/heartbleed/ is showing me my server is vulnerable.

I'm using dev-libs/openssl-0.9.8y

----------

## krinn

https://forums.gentoo.org/viewtopic-t-988198.html

----------

## aCOSwt

As your version of openssl is said to be unaffected, what about testing with another tool? Or giving us more information?

----------

## Joseph_sys

*aCOSwt wrote:*

> As your version of openssl is said to be unaffected, what about testing with another tool? Or giving us more information?

What tool should I use?

What other information can I supply?

I was under the impression that my server is not affected as I'm using openssl-0.9.8y.

Is http://safeweb.norton.com/heartbleed/ checking my firewall or my server behind the firewall?

My router is using DD-WRT v24-sp2.

----------

## aCOSwt

Try that one. At least it tells what is going wrong. https://www.ssllabs.com/ssltest/index.html

----------

## Joseph_sys

*aCOSwt wrote:*

> Try that one. At least it tells what is going wrong. https://www.ssllabs.com/ssltest/index.html

Thanks, after running it on my web page I got this feedback:

> Protocol Details
>
> Secure Renegotiation 	Supported
>
> Secure Client-Initiated Renegotiation 	No
> ...

I even added the USE flag "-DOPENSSL_NO_HEARTBEATS" to make.conf, but "emerge -uDNavq world" did not pull in anything.

----------

## Joseph_sys

I'm using apache-2.2.25.

Which file contains the setting for SSLCompression?

I'm trying to turn it off.

----------

## Joseph_sys

OK, I've turned the compression off in 40_mod_ssl.conf. I've added:

```
SSLCompression off
```

but I'm still failing on:

> Heartbleed 	Yes (more info)
>
> Forward Secrecy 	With some browsers (more info)

----------

## Joseph_sys

It seems to me I made an error. I was using OpenSSL-1.0.1f:

```
dev-libs/openssl
     Available versions:
     (0.9.8) 0.9.8y
     (0)    1.0.0j 1.0.1f
       {bindist gmp kerberos rfc3779 sse2 static-libs test +tls-heartbeat vanilla zlib}
     Installed versions:  0.9.8y(0.9.8)(11:06:09 PM 10/18/2013)(sse2 zlib -bindist -gmp -kerberos -test) 1.0.1f(12:57:54 PM 03/21/2014)(sse2 tls-heartbeat zlib -bindist -gmp -kerberos -rfc3779 -static-libs -test -vanilla)
```

I've downgraded to dev-libs/openssl-1.0.0j, but when I try to restart apache I get an error:

```
 * apache2 has detected an error in your setup:
apache2: Syntax error on line 125 of /etc/apache2/httpd.conf: Cannot load /usr/lib64/apache2/modules/mod_ssl.so into server: /usr/lib64/apache2/modules/mod_ssl.so: undefined symbol: TLSv1_1_client_method
 * ERROR: apache2 failed to stop
```

revdep-rebuild does not help.

----------

## Navar

Why not just upgrade and be done with it?

After a sync today:

```
# glsa-check -tv all
This system is not affected by any of the listed GLSAs
# equery l apache
 * Searching for apache ...
[IP-] [  ] www-servers/apache-2.2.25:2
# equery l openssl
 * Searching for openssl ...
[IP-] [  ] dev-libs/openssl-1.0.1g:0
# uname -r
3.13.6-hardened-r3
```
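The version checks that Joseph_sys and Navar run above (the `equery` output and the `tls-heartbeat` USE flag) reduced to one small script, as an added example that is not from the thread or from Gentoo: it pulls the version out of an `equery l openssl` line and decides, from the version and the USE flags, whether that build is in the Heartbleed-affected range (1.0.1 through 1.0.1f built with heartbeat support; 1.0.1g carries the fix, and the 0.9.8 and 1.0.0 branches never had the heartbeat code). The `equery` lines are constructed sample input; on a real host the USE string would come from `emerge -pv openssl`, which is assumed here rather than run.

```shell
#!/bin/sh
# Added example (not from the thread): classify an installed dev-libs/openssl
# for Heartbleed exposure from the same data the posts above use, i.e. the
# version shown by "equery l openssl" and the package's USE flags.
# Facts relied on: the bug lives in the TLS heartbeat code that only the 1.0.1
# branch (1.0.1 through 1.0.1f) shipped; 1.0.1g carries the fix; 0.9.8 and
# 1.0.0 never had the code; on Gentoo the heartbeat code is dropped by building
# with USE="-tls-heartbeat". The equery lines below are constructed sample input.

# Usage: version_from_equery_line '<one line of "equery l openssl" output>'
# Prints the version part, e.g. "[IP-] [  ] dev-libs/openssl-1.0.1g:0" -> 1.0.1g
version_from_equery_line() {
    printf '%s\n' "$1" | sed -n 's/.*dev-libs\/openssl-\([^:[:space:]]*\).*/\1/p'
}

# Usage: openssl_heartbleed_status <version> "<USE flags as equery prints them>"
# Prints one of: unaffected, affected, mitigated.
openssl_heartbleed_status() {
    ver=$1
    use=$2
    case "$ver" in
        0.9.8*|1.0.0*)
            echo unaffected; return 0 ;;         # branches without heartbeat code
        1.0.1|1.0.1-r*|1.0.1[a-f]|1.0.1[a-f]-r*)
            : ;;                                 # vulnerable range, USE decides
        *)
            echo unaffected; return 0 ;;         # 1.0.1g and later carry the fix
    esac
    case " $use " in
        *" -tls-heartbeat "*) echo mitigated ;;  # heartbeat code compiled out
        *) echo affected ;;                      # flag on, or unknown: the ebuild
    esac                                         # lists it as +tls-heartbeat (default on)
}

# Constructed sample lines in the format shown in the thread, one per host.
SAMPLE_EQUERY='[IP-] [  ] dev-libs/openssl-1.0.1f:0
[IP-] [  ] dev-libs/openssl-1.0.1g:0
[IP-] [  ] dev-libs/openssl-0.9.8y:0.9.8'

# Walk the sample lines. The USE string is assumed for the demonstration;
# on a real host it would come from "emerge -pv openssl".
printf '%s\n' "$SAMPLE_EQUERY" | while IFS= read -r line; do
    v=$(version_from_equery_line "$line")
    printf '%-8s %s\n' "$v" "$(openssl_heartbleed_status "$v" 'sse2 tls-heartbeat zlib')"
done
```

Note that the classification treats a 1.0.1 build whose USE flags are unknown as affected, because the ebuild output quoted above lists the flag as `+tls-heartbeat`, i.e. enabled by default; a build is only reported as mitigated when `-tls-heartbeat` is explicitly present, which matches the "recompiled 1.0.1f without tls-heartbeat" fix reported later in the thread.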

----------

## TomWij

*Joseph @ gentoo-user ML wrote:*

> This is my running server, so I try to upgrade the backup first before upgrading the main server.
>
> I recompiled 1.0.1f without "tls-heartbeat" and it solved the problem.

Can you please avoid cross-posting for support simultaneously?

Feel free to point people to the same place; in the future, trying one place after the other works out well.

Whether your problem is fixed is unclear to me, as I now see one place report it as such, whereas the other seems to suggest there is still a problem...

If it is fixed, can you edit the subject of the first post here to include [SOLVED]?

If it is not fixed, can you check whether you match Navar's specifications, and confirm that you still experience the problem after that?

Thank you very much in advance.

----------

