Pages:
Author

Topic: Users of Bitcoin Core on Linux must not upgrade to the latest version of OpenSSL - page 2. (Read 66048 times)

newbie
Activity: 1
Merit: 0
Thanks a lot for giving us info to us because any info from u is validate
For us and it very better for us . good for us
full member
Activity: 141
Merit: 100
legendary
Activity: 1106
Merit: 1026
ubuntu 14.04
Quote
affected?
same OS, my version is:
Code:
OpenSSL 1.0.1f 6 Jan 2014
I understand that this version is fine and I only don't need to upgrade to version 1.0.1k, but wait for the following one.
Did I understand that correctly?
well, apparently not.
Version 1.0.1f (6 Jan 2014) seems to be affected, too.
Running reindexing now.

I can confirm that Version 1.0.1f (6 Jan 2014) caused 4 test failures here as well.
legendary
Activity: 1470
Merit: 1006
Bringing Legendary Har® to you since 1952
New versions of OpenSSL such as 1.0.0Q and 1.0.0L came out.

Are they affected by the bug ?
All new versions of OpenSSL for the foreseeable future will be affected.
They don't see it as a bug, as they never guaranteed consensus compatibility.
Oh, that is just beautiful.
We're working on a 0.9.5 (and 0.10 of course) that will softfork to make us independent of OpenSSL so this can never happen again.
See sipa's proposal at http://www.mail-archive.com/[email protected]/msg06744.html
Yeah, I already know about this. Good work, guys. (Yes - you too, Luke - even though i really hate your Gentoo patches).
legendary
Activity: 2576
Merit: 1186
New versions of OpenSSL such as 1.0.0Q and 1.0.0L came out.

Are they affected by the bug ?
All new versions of OpenSSL for the foreseeable future will be affected.
They don't see it as a bug, as they never guaranteed consensus compatibility.
Oh, that is just beautiful.
We're working on a 0.9.5 (and 0.10 of course) that will softfork to make us independent of OpenSSL so this can never happen again.
See sipa's proposal at http://www.mail-archive.com/[email protected]/msg06744.html
legendary
Activity: 1470
Merit: 1006
Bringing Legendary Har® to you since 1952
New versions of OpenSSL such as 1.0.0Q and 1.0.0L came out.

Are they affected by the bug ?
All new versions of OpenSSL for the foreseeable future will be affected.
They don't see it as a bug, as they never guaranteed consensus compatibility.
Oh, that is just beautiful.
legendary
Activity: 2576
Merit: 1186
New versions of OpenSSL such as 1.0.0Q and 1.0.0L came out.

Are they affected by the bug ?
All new versions of OpenSSL for the foreseeable future will be affected.
They don't see it as a bug, as they never guaranteed consensus compatibility.
legendary
Activity: 1470
Merit: 1006
Bringing Legendary Har® to you since 1952
New versions of OpenSSL such as 1.0.0Q and 1.0.0L came out.

Are they affected by the bug ?
hero member
Activity: 882
Merit: 1006
I'm using 1.0.1h.

Is this version OK?
It's still finishing up syncing and hasn't stuck yet.
legendary
Activity: 924
Merit: 1132
The problem is that we are using the current version of SSL (whatever's on the system/linked) to check the validity of blocks that were accepted with past versions of SSL.  

This is why the makefile for bitcoind specified static linking in the first place.

I am ... upset.  We should be using current versions of SSL for communications, because SSL gets valuable security upgrades.  But we should be using it for protocol only, because checking past blocks with a version that was not the version which governed their acceptance  risks exactly this sort of divergence.  Our need for SSL as a communications protocol does not affect the validity of data already transmitted.  

SSL will continue to change, and those changes cannot be allowed to affect data already transmitted and received, nor our software's opinion about whether that already-accepted data is valid.  Neither our stored blockchain data nor our ability to check our stored data should have anything to do with it.

Our need for cryptographic functions once a block is accepted are different, and absolutely NOT subject to revision.  That is, whatever's required to CHECK blockchain validity absolutely must not be something that can be altered by any change in a system library.  

I presume that SSL will continue to "tighten" its spec - that is, whatever is acceptable to future versions will also be acceptable to past versions. Therefore using routines from a three-year-old version of SSL to check data transmitted and received using the current version of SSL ought never fail, and using the current version for communications should get us the benefit of security fixes.  Updated routines can be compiled into the client NO SOONER THAN they are known to work with the entire current blockchain.


Cryddit


sr. member
Activity: 658
Merit: 250
I thought OpenSSL has always been a joke...right?

A joke on which a lot of the internet relies on.
full member
Activity: 140
Merit: 101
I thought OpenSSL has always been a joke...right?
legendary
Activity: 1632
Merit: 1010
Kind of makes me glad I haven't bothered upgrading openssl in some time.

If you havent upgraded in some time you are likely vulnerable to heartbleed.
sr. member
Activity: 531
Merit: 260
Vires in Numeris
For Linux users not on Ubuntu could we get https://bitcoin.org/en/download updated with the .tgz and/or some suggestion of which repository can be trusted.. and perhaps have the News alert on this site updated with a pointer to downloads, as that was always useful.
legendary
Activity: 1764
Merit: 1002
so i have openssl 1.0.1f but everything seems up to date with the blockchain w/o any obvious problems.  any need to reindex?
If you have 0.9.4 or 0.10.0rc3, and your blockchain isn't stuck already, you don't need to reindex.
If you're not on the latest versions, then if your blockchain isn't stuck, it will be eventually.

so i just upgraded from 0.9.3 to 0.9.4 but left openssl at 1.0.1f.  blockchain is not stuck at this pt.  ok?
member
Activity: 63
Merit: 10
Damn...Saw this a little too late...oh well...I'm on the school's internet  Grin
legendary
Activity: 2576
Merit: 1186
so i have openssl 1.0.1f but everything seems up to date with the blockchain w/o any obvious problems.  any need to reindex?
If you have 0.9.4 or 0.10.0rc3, and your blockchain isn't stuck already, you don't need to reindex.
If you're not on the latest versions, then if your blockchain isn't stuck, it will be eventually.
legendary
Activity: 1764
Merit: 1002
so i have openssl 1.0.1f but everything seems up to date with the blockchain w/o any obvious problems.  any need to reindex?
legendary
Activity: 1039
Merit: 1005
I am reindexing right now, for the last 12+ hours (stacked somewhere in August 2014 with about 30k blocks to go).
Do you know if there is any way to speed it up?

Nope, I guess indexing the blocks just takes its time since it covers all transactions, and there are a lot of transactions by now...
Mine is in May 2014, 33 weeks to go.

Onkel Paul
uki
legendary
Activity: 1358
Merit: 1000
cryptojunk bag holder
Today Ubuntu 14.10 had the new bitcoin-qt and bitcoind binaries. Kudos to the package maintainers!
Now bitcoin-qt reindexes the blocks, it's taking forever  Angry
I'm all for using a less volatile EC library (and static linking) to avoid this in the future...

Onkel Paul
Ubuntu 14.04 myself, after the latest repository update of openssl 1.0.1f problems started.
I am reindexing right now, for the last 12+ hours (stacked somewhere in August 2014 with about 30k blocks to go).
Do you know if there is any way to speed it up?
Pages:
Jump to: