Topic: Users of Bitcoin Core on Linux must not upgrade to the latest version of OpenSSL - page 4. (Read 66065 times)

sr. member
Activity: 658
Merit: 250
I wasn't implying that they should reinvent the wheel, but to maintain their own fork of the libraries used.
The only reason why you want to build dynamically linked binaries is to reduce their size, but it's pointless for bitcoin since you have to download 30 or so GB of blockchain data, so why not ship it with a bundle of all libraries used and statically link them? The binary file will be bigger by a couple of megabytes, but I don't see it as a big deal. And this will prevent issues such as this as well as prevent attacks from 3rd party developers who willingly or unwillingly introduce vulnerabilities in the bitcoin core via updates.
IMHO bitcoin core should maintain its own SSL library to avoid such issues in the future; in fact it shouldn't rely on 3rd party, dynamically linked libraries, regardless of whether they're open source or not, to avoid any possible attacks too.

In software development, it's generally considered unwise to reinvent something that already exists in an established and scrutinized form.

LibreSSL isn't reinventing the wheel, but rather repairing a broken wheel, and as LibreSSL grows more mature, and since it's a drop-in replacement for OpenSSL, it will with time deprecate OpenSSL and I'm sure the Bitcoin devs are wise enough to make the switch at some point.
sr. member
Activity: 264
Merit: 250
IMHO bitcoin core should maintain its own SSL library to avoid such issues in the future; in fact it shouldn't rely on 3rd party, dynamically linked libraries, regardless of whether they're open source or not, to avoid any possible attacks too.

In software development, it's generally considered unwise to reinvent something that already exists in an established and scrutinized form.

LibreSSL isn't reinventing the wheel, but rather repairing a broken wheel. As LibreSSL grows more mature, and since it's a drop-in replacement for OpenSSL, it will with time deprecate OpenSSL and I'm sure the Bitcoin devs are wise enough to make the switch at some point.
sr. member
Activity: 658
Merit: 250
IMHO bitcoin core should maintain its own SSL library to avoid such issues in the future; in fact it shouldn't rely on 3rd party, dynamically linked libraries, regardless of whether they're open source or not, to avoid any possible attacks too.
Not stable or tested enough yet.
People, stop suggesting LibreSSL. One can seriously fuck up his/her system by replacing a core library with an unstable solution.

Once LibreSSL is proven not to be dangerous, it can be used instead of OpenSSL

Not sure where you've gotten "unstable" from, but I suspect you just didn't inform yourself before posting. LibreSSL is a new fork, yes, but it's beyond the "unstable" phase. The current version of OpenBSD has entirely replaced OpenSSL with their LibreSSL project, not just for the OS portion, but consequently also for every single package in the ~9000-item repository making use of OpenSSL. All of it works, and it's stable.

That said, there are still a few odd cases of badly written OpenSSL-centric software that needs reworking before it's even possible to link against LibreSSL. This is a different matter.
sr. member
Activity: 264
Merit: 250
Not stable or tested enough yet.
People, stop suggesting LibreSSL. One can seriously fuck up his/her system by replacing a core library with an unstable solution.

Once LibreSSL is proven not to be dangerous, it can be used instead of OpenSSL

Not sure where you've gotten "unstable" from, but I suspect you just didn't inform yourself before posting. LibreSSL is a new fork, yes, but it's beyond the "unstable" phase. The current version of OpenBSD has entirely replaced OpenSSL with their LibreSSL project, not just for the OS portion, but consequently also for every single package in the ~9000-item repository making use of OpenSSL. All of it works, and it's stable.

That said, there are still a few odd cases of badly written OpenSSL-centric software that needs reworking before it's even possible to link against LibreSSL. This is a different matter.
legendary
Activity: 3108
Merit: 1359
Lol, what is this? OpenSSL is becoming more of a joke every day.
Subj. is not a problem of OpenSSL itself. New versions of OpenSSL are rejecting non-standard signatures, while Bitcoin allows them. As a result, you can create a block which will be accepted by some nodes but rejected by others.
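The disagreement described in that post can be shown on a handful of bytes. Below is an added example (not code from this thread, from Bitcoin Core or from OpenSSL): a strict DER decoder for an ECDSA signature beside a constructed lenient decoder, run over several encodings of the same (r, s) pair. An encoding that only the lenient side accepts is the kind of signature over which two nodes linked against different libraries would disagree.

```python
# Added example: strict vs. lenient decoding of a DER ECDSA signature (r, s).
# The lenient decoder is constructed for illustration; it is not OpenSSL's code.
def decode_strict(sig: bytes):
    """(r, s) only for canonical DER: short lengths, no trailing bytes, minimal ints."""
    n = len(sig)
    if n < 8 or sig[0] != 0x30 or sig[1] != n - 2 or sig[2] != 0x02:
        return None                                    # length must cover exactly the rest
    lr = sig[3]
    if lr == 0 or 6 + lr > n or sig[4 + lr] != 0x02:
        return None
    ls = sig[5 + lr]
    if ls == 0 or 6 + lr + ls != n:
        return None
    r, s = sig[4:4 + lr], sig[6 + lr:]
    for v in (r, s):
        if v[0] & 0x80:                                # top bit set: negative integer
            return None
        if len(v) > 1 and v[0] == 0 and not v[1] & 0x80:   # needless leading zero
            return None
    return int.from_bytes(r, "big"), int.from_bytes(s, "big")

def decode_lenient(sig: bytes):
    """Constructed BER-style decoder: long-form lengths, padded ints, trailing bytes."""
    def read_len(i):
        l = sig[i]
        if l < 0x80:
            return l, i + 1
        k = l & 0x7F                                   # long form: next k bytes hold the length
        return int.from_bytes(sig[i + 1:i + 1 + k], "big"), i + 1 + k
    try:
        if sig[0] != 0x30:
            return None
        _, i = read_len(1)
        vals = []
        for _ in range(2):
            if sig[i] != 0x02:
                return None
            l, i = read_len(i + 1)
            vals.append(int.from_bytes(sig[i:i + l], "big"))
            i += l
        return tuple(vals)                             # anything after i is ignored
    except IndexError:
        return None

def verdicts(sig: bytes):
    """(strict accepts, lenient accepts); (False, True) is a signature nodes disagree on."""
    return decode_strict(sig) is not None, decode_lenient(sig) is not None

CANONICAL = bytes.fromhex("3006020101020101")         # constructed: r = 1, s = 1
LONG_FORM = bytes.fromhex("308106020101020101")       # constructed: length 6 written as 81 06
PADDED_R = bytes.fromhex("300702020001020101")        # constructed: r carries a needless 00
TRAILING = bytes.fromhex("300602010102010100")        # constructed: extra byte after the sequence
```

Calling `verdicts()` on each sample gives `(True, True)` for the canonical encoding and `(False, True)` for the other three.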
cjp
full member
Activity: 210
Merit: 124
Debian published this update:
https://www.debian.org/security/2015/dsa-3125

For Wheezy, the version number is still 1.0.1e. However, the description says it solves CVE-2014-8275, which is exactly the change that should trigger the Bitcoin problem.

So, on Debian Wheezy, the latest patched 1.0.1e can also cause problems? I guess I should first apply the Bitcoin patch, before applying this OpenSSL upgrade...
sr. member
Activity: 406
Merit: 252
Basically any OS with dynamically linked OpenSSL version 1.0.0p or 1.0.1k.
To build it statically you need to generate the object files with gcc, then use ar to bundle them into a static library. But you do need to use a version of openssl which is NOT 1.0.0p or 1.0.1k, otherwise the whole exercise is pointless.
I presume it doesn't matter what version of Linux you are running?

It is just Linux in general?
I second this question.

So this affects any flavor of Linux or unix-like system, including the BSDs? Got it.

Theymos said it affects any system that dynamically links OpenSSL to Bitcoin Core. Ok. Good to know.

So how does one force a static link in lieu of a dynamic link?

Excellent. Thank you.
sr. member
Activity: 658
Merit: 250
Basically any OS, even Windows (although highly unusual), with dynamically linked OpenSSL version 1.0.0p or 1.0.1k.
To build it statically you need to generate the object files with gcc, then use ar to bundle them into a static library. But you do need to use a version of openssl which is NOT 1.0.0p or 1.0.1k, otherwise the whole exercise is pointless.
I presume it doesn't matter what version of Linux you are running?

It is just Linux in general?
I second this question.

So this affects any flavor of Linux or unix-like system, including the BSDs? Got it.

Theymos said it affects any system that dynamically links OpenSSL to Bitcoin Core. Ok. Good to know.

So how does one force a static link in lieu of a dynamic link?
sr. member
Activity: 406
Merit: 252
I presume it doesn't matter what version of Linux you are running?

It is just Linux in general?
I second this question.

So this affects any flavor of Linux or unix-like system, including the BSDs? Got it.

Theymos said it affects any system that dynamically links OpenSSL to Bitcoin Core. Ok. Good to know.

So how does one force a static link in lieu of a dynamic link?
uki
legendary
Activity: 1358
Merit: 1000
cryptojunk bag holder
ubuntu 14.04
affected?
same OS, my version is:
Code:
OpenSSL 1.0.1f 6 Jan 2014
I understand that this version is fine and that I just don't need to upgrade to version 1.0.1k, but should wait for the following one.
Did I understand that correctly?
legendary
Activity: 2492
Merit: 1473
LEALANA Bitcoin Grim Reaper
I presume it doesn't matter what version of Linux you are running?

It is just Linux in general?
legendary
Activity: 1470
Merit: 1006
Bringing Legendary Har® to you since 1952
I know how to check the openssl version; the question was about the bitcoin-qt binary package from the PPA.

Just open the debug window and you will see what version of OpenSSL the executable was linked against.


Kind of makes me glad I haven't bothered upgrading openssl in some time.

*blank stare*
Like you said, there is LibreSSL.

Not stable or tested enough yet.
People, stop suggesting LibreSSL. One can seriously fuck up his/her system by replacing a core library with an unstable solution.

Once LibreSSL is proven not to be dangerous, it can be used instead of OpenSSL
hero member
Activity: 780
Merit: 501
You are likely to be affected only if:
- You use Linux.

I use FreeBSD, is it affected?
Can you even autoupdate FreeBSD's ports?

It is possible with PKGNG, but I build my own package repositories to manage updates.


Yes. I probably should have said "unix-like". The issue affects any system where you're dynamically linking Bitcoin Core against the system OpenSSL. This could even be done on Windows, though that'd be very unusual.

Thank You.  I will watch out for this when building the next set of updates.
administrator
Activity: 5222
Merit: 13032
I use FreeBSD, is it affected?

Yes. I probably should have said "unix-like". The issue affects any system where you're dynamically linking Bitcoin Core against the system OpenSSL. This could even be done on Windows, though that'd be very unusual.

ubuntu 14.04
affected?

Yes.

Is the issue having the new version of OpenSSL at compile-time, or at run-time? (My build of 0.10rc1 links dynamically to /lib/x86_64-linux-gnu/libssl.so.1.0.0, but I don't know about 0.9.3 or builds made on the PPA as part of a Debian build process).

It's an issue of what Bitcoin Core will use. If it's statically linking an OK version of OpenSSL, then updating your system OpenSSL is OK. If it's dynamically linking, then you'll have problems. The binaries on bitcoin.org statically link OpenSSL. I think that almost all Linux distros distribute versions of bitcoind/bitcoin-qt that dynamically link.

If you're compiling Bitcoin Core using the normal configure+make, then it'll link dynamically. I'm not sure how to force this to link statically.
legendary
Activity: 1652
Merit: 1016
You can check if your compiled binary is working correctly by executing the command "make check" in the source code directory. This will then iterate through tests. It will return either pass or fail.
sr. member
Activity: 658
Merit: 250
You are likely to be affected only if:
- You use Linux.

I use FreeBSD, is it affected?
Can you even autoupdate freebsd's ports?
hero member
Activity: 780
Merit: 501
You are likely to be affected only if:
- You use Linux.

I use FreeBSD, is it affected?
legendary
Activity: 1778
Merit: 1070
What does the "p" and "k" stand for in:

"[...] OpenSSL to 1.0.0p or 1.0.1k [...]"
legendary
Activity: 1204
Merit: 1001
That's like mega gay, dude, since we use bitcoind on Debian.
full member
Activity: 224
Merit: 100
Just open the debug window and you will see what version of OpenSSL the executable was linked against.
It seems the system version of OpenSSL is used.