I'm curious if anyone has noticed issues connecting to remote hosts after installing the RHEL/CentOS patch?
For example, the CyberSource payment gateway is no longer accessible from a patched server. The gateway has the URL https://ics2ws.ic3.com/commerce/1.x/transactionProcessor. Before the patch: # rpm -qa|grep openssl openssl-1.0.0-27.el6_4.2.x86_64 openssl-devel-1.0.0-27.el6_4.2.x86_64 root@idwdb:~# openssl s_client -connect ics2ws.ic3.com:443 CONNECTED(00000003) depth=3 C = US, O = Entrust.net, OU = www.entrust.net/CPS incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Secure Server Certification Authority verify return:1 depth=2 C = US, O = "Entrust, Inc.", OU = www.entrust.net/CPS is incorporated by reference, OU = "(c) 2006 Entrust, Inc.", CN = Entrust Root Certification Authority verify return:1 depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust Certification Authority - L1E verify return:1 depth=0 C = US, ST = California, L = Mountain View, 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, O = Cybersource Corporation, businessCategory = Private Organization, serialNumber = 2838921, CN = ics2ws.ic3.com verify return:1 --- Certificate chain 0 s:/C=US/ST=California/L=Mountain View/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/O=Cybersource Corporation/businessCategory=Private Organization/serialNumber=2838921/CN= ics2ws.ic3.com i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1E 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1E i:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority 2 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority 3 s:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority --- Server certificate <<<cert cut for email brevity>>> subject=/C=US/ST=California/L=Mountain View/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/O=Cybersource Corporation/businessCategory=Private Organization/serialNumber=2838921/CN= ics2ws.ic3.com issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1E --- No client certificate CA names sent --- SSL handshake has read 5289 bytes and written 422 bytes --- New, TLSv1/SSLv3, Cipher is RC4-MD5 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : RC4-MD5 Session-ID: F7BAF7C639F01658797E1ECA788A21DB81A9577BA7489FC1D50A6AA00A697959 Session-ID-ctx: Master-Key: 8244297B5ACF81A8996F49862B7AA8A164B63A2B002C9B9F309C825E44ABFE610463F1E24752390A883ABA3EE8AF7A9D Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1396968550 Timeout : 300 (sec) Verify return code: 0 (ok) --- DONE and after: # openssl s_client -connect ics2ws.ic3.com:443 CONNECTED(00000003) write:errno=104 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 263 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE --- This is of course a bad thing if you're hosting ecommerce sites on the servers in question lol. On Tue, Apr 8, 2014 at 7:59 AM, Jann Horn <j...@thejh.net> wrote: > On Tue, Apr 08, 2014 at 10:23:26AM +0200, Joerg Mertin wrote: > > Ubuntu already has released: > > http://www.ubuntu.com/usn/usn-2165-1/ > > > > My server updated during the night :} > > Make sure that it actually worked! I did this after updating my debian > server: > > root@thejh:/home/jann# for pid in $(grep -F > '/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)' /proc/*/maps | cut > -d/ -f3 | sort -u); do cat /proc/$pid/cmdline | tr '\0' ' '; echo; done > /usr/lib/erlang/erts-5.9.1/bin/beam -Bd -K true -A 4 -- -root > /usr/lib/erlang -progname erl -- -home /var/lib/couchdb -- -noshell > -noinput -os_mon start_memsup false start_cpu_sup false > disk_space_check_interval 1 disk_almost_full_threshold 1 -sasl errlog_type > error -couch_ini /etc/couchdb/default.ini /etc/couchdb/local.ini > /etc/couchdb/default.ini /etc/couchdb/local.ini -s couch -pidfile > /var/run/couchdb/couchdb.pid -heart > /usr/bin/couchjs /usr/share/couchdb/server/main.js > /usr/bin/couchjs /usr/share/couchdb/server/main.js > /usr/bin/stunnel4 /etc/stunnel/stunnel.conf > /usr/bin/stunnel4 /etc/stunnel/stunnel.conf > /usr/bin/stunnel4 /etc/stunnel/stunnel.conf > /usr/bin/stunnel4 /etc/stunnel/stunnel.conf > /usr/bin/stunnel4 /etc/stunnel/stunnel.conf > /usr/bin/stunnel4 /etc/stunnel/stunnel.conf > /usr/bin/python /usr/lib/mailman/bin/mailmanctl -s -q start > /usr/bin/python /var/lib/mailman/bin/qrunner --runner=ArchRunner:0:1 -s > /usr/bin/python /var/lib/mailman/bin/qrunner --runner=BounceRunner:0:1 -s > /usr/bin/python /var/lib/mailman/bin/qrunner --runner=CommandRunner:0:1 -s > /usr/bin/python /var/lib/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s > /usr/bin/python /var/lib/mailman/bin/qrunner --runner=NewsRunner:0:1 -s > /usr/bin/python /var/lib/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s > /usr/bin/python /var/lib/mailman/bin/qrunner --runner=VirginRunner:0:1 -s > /usr/bin/python /var/lib/mailman/bin/qrunner --runner=RetryRunner:0:1 -s > /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf > /usr/lib/postfix/master > /usr/sbin/vsftpd > /usr/bin/znc -d /etc/znc > pickup -l -t fifo -u -c > anvil -l -t unix -u -c > smtpd -n smtp -t inet -u -c -o stress= -s 2 > irssi > /usr/sbin/openvpn --writepid /var/run/openvpn.tun0.pid --daemon ovpn-tun0 > --cd /etc/openvpn --config /etc/openvpn/tun0.conf > qmgr -l -t fifo -u > tlsmgr -l -t unix -u -c > > So, yeah, it did replace the library file, but stunnel, couchdb, lighttpd, > postfix, vsftpd and so on are still using the old version. You have to > manually restart those services... :D > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
