From f64a1e235f8579c91d6ea0275d7d97e7a958709b Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Tue, 15 Apr 2014 19:43:31 -0700 Subject: [PATCH] Report OpenSSL build date too. Adjust `-d -bV` output for OpenSSL to include library build date. Some OS packagers have backported heartbleed security fixes without changing anything in the reported version number. The closest we can get to a reassuring sign for administrators is to report the OpenSSL library build date, as picked by the library which Exim is using at run time. ``` Library version: OpenSSL: Compile: OpenSSL 1.0.1g 7 Apr 2014 Runtime: OpenSSL 1.0.1g 7 Apr 2014 : built on: Mon Apr 7 15:08:30 PDT 2014 ``` For comparison, the version information for OpenSSL on Ubuntu (where Exim is by default built with GnuTLS, but this provides for context for comparison): ``` $ openssl version -v -b OpenSSL 1.0.1 14 Mar 2012 built on: Mon Apr 7 20:33:29 UTC 2014 ``` GnuTLS: the closest I can find to a runtime value is the call we are already making; if an OS vendor patches GnuTLS without changing the version which would be returned by `gnutls_check_version(NULL)` then the sysadmin is SOL and will have to explore library linkages more carefully. --- src/src/tls-openssl.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index a64f85dea..b7b2f8847 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1923,6 +1923,11 @@ one version of OpenSSL but the run-time linker picks up another version, it can result in serious failures, including crashing with a SIGSEGV. So report the version found by the compiler and the run-time version. +Note: some OS vendors backport security fixes without changing the version +number/string, and the version date remains unchanged. The _build_ date +will change, so we can more usefully assist with version diagnosis by also +reporting the build date. + Arguments: a FILE* to print the results to Returns: nothing */ 
@@ -1931,9 +1936,13 @@ void tls_version_report(FILE *f) { fprintf(f, "Library version: OpenSSL: Compile: %s\n" - " Runtime: %s\n", + " Runtime: %s\n" + " : %s\n", OPENSSL_VERSION_TEXT, - SSLeay_version(SSLEAY_VERSION)); + SSLeay_version(SSLEAY_VERSION), + SSLeay_version(SSLEAY_BUILT_ON)); +/* third line is 38 characters for the %s and the line is 73 chars long; +the OpenSSL output includes a "built on: " prefix already. */ } -- 2.25.1
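Review bot: the new comment block in the first hunk (the `+Note: ...` lines) overstates what the build date proves. "The _build_ date will change" holds for any rebuild, including one that did not pick up the backported fix, so a changed date is a diagnostic hint, not confirmation that a fix is present; the commit message itself only claims "the closest we can get to a reassuring sign". Suggest wording the comment to match, e.g. "The build date changes on any rebuild, so reporting it gives administrators one more (imperfect) hint when diagnosing which library is actually in use."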
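Review bot: in the second hunk the added output line is labelled only with a bare `" : %s\n"` and depends on OpenSSL's own "built on: " prefix to make sense, while the trailing comment "third line is 38 characters for the %s and the line is 73 chars long" records a width that will go stale with the next edit and sits after the closing `)` where it attaches to nothing. Suggest dropping the width comment, giving the line an explicit label or, if the bare colon is kept for alignment, stating in a comment placed above the `fprintf` that the string returned by `SSLeay_version(SSLEAY_BUILT_ON)` already carries the "built on: " prefix so no further label is needed.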