FreeBSD OpenSSL broken
norgaard at locolomo.org
Sun Oct 8 11:09:23 PDT 2006
Girish Venkatachalam wrote:
> I have been seeing scp xfers failing mysteriously with a "Corrupted MAC on input" error. This occurred more or less sporadically but for huge files it was sure to occur. I suspected the ethernet card and got it changed.
> Next, I suspected RAM since I used to get failed compiles saying "internal compiler error" and sefault. This had nothing to do with the other problems since if I issue compile again it used to go thro'.
> And the md5 and sha1 commands never worked. They always used to give corrupted results. Then I just gave up and moved on. I tried installing gentoo on that machine and did a memtest and it went fine.
> Anyway coming to the point, I am running 6.0 FreeBSD.
> I have come across the following cases.
> a) A person in Sweden had trouble with HTTPS and I solved it by reinstalling OpenSSL (check the archives, I think it was more than two months ago)
> b) Recently two persons had severe trouble with OpenSSH
> At last I tried the same medicine I have been prescribing to others and with God's grace :-) , my MD5 and SHA1 started matching...
> I have other machines in LAN running OpenBSD and Debian. I try matching the checksums with those boxes.
> And the only common factor and culprit is ... yes, OpenSSL.
> I urge all of you to make life simpler with this.
> # cd /usr/ports/security/openssl
> #make deinstall (it may fail, no problem :-)
> #make reinstall
> Enjoy guys! :-)
> I might fix the real problem if I get time. Or one of u can too.
> What makes me wonder is how come this problem has gone unnoticed for so long...
Two weeks ago a security advisory regarding FBSD/OpenSSL was announced,
two days later FBSD/OpenSSH. I don't know if this is related to the
problem you describe.
The advisory for OpenSSL is to update your source and build/install
world. Then you must rebuilt all applications that link against OpenSSL
in base. For OpenSSH you only need to rebuild that, but this will be
done in the step above.
If you use OpenSSL/SSH from ports then these may or may not have been
patched, but the result is the same with respect to rebuilding
applications linking against a broken OpenSSL.
Anyway, if you use OpenSSL/SSH from ports then it is NOT FreeBSD OpenSSL
that is broken, it's the port that may be, and then the problem may be
an entirely different one.
Try first switching to OpenSSL/SSH in base, I have no problem with those.
Ph: +34.666334818 web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
More information about the freebsd-questions