How to check which version of openssl is getting compiled in into dovecot?

krzf83@gmail.com
I got multiple versions of openssl in my system. I compile dovecot with
PKG_CONFIG_PATH=/usr/openssl-1.0.2l-fpic/lib/pkgconfig ./configure

How do I check which version of openssl got compiled in? configure
script does not show version. There seems to be no way to check it in
compiled binary (?)

My dovecot is still seen vulnerable by tls testing tools so I'm
guessing wrong version of openssl got compiled in but there seems to be
no way to check it.

Re: How to check which version of openssl is getting compiled in into dovecot?

Aki Tuomi-2


On 27.10.2017 00:53, [hidden email] wrote:

> I got multiple versions of openssl in my system. I compile dovecot with
> PKG_CONFIG_PATH=/usr/openssl-1.0.2l-fpic/lib/pkgconfig ./configure
>
> How do I check which version of openssl got compiled in? configure
> script does not show version. There seems to be no way to check it in
> compiled binary (?)
>
> My dovecot is still seen vulnerable by tls testing tools so I'm
> guessing wrong version of openssl got compiled in but there seems to be
> no way to check it.
You can check with ldd /usr/lib/dovecot/imap-login (or libexec)

Just check which SSL library has been linked to it.

Aki

Re: How to check which version of openssl is getting compiled in into dovecot?

@lbutlr


> On Oct 27, 2017, at 12:33 AM, Aki Tuomi <[hidden email]> wrote:
>
>
>
> On 27.10.2017 00:53, [hidden email] wrote:
>> I got multiple versions of openssl in my system. I compile dovecot with
>> PKG_CONFIG_PATH=/usr/openssl-1.0.2l-fpic/lib/pkgconfig ./configure
>>
>> How do I check which version of openssl got compiled in? configure
>> script does not show version. There seems to be no way to check it in
>> compiled binary (?)
>>
>> My dovecot is still seen vulnerable by tls testing tools so I'm
>> guessing wrong version of openssl got compiled in but there seems to be
>> no way to check it.
> You can check with ldd /usr/lib/dovecot/imap-login (or libexec)
>
> Just check which SSL library has been linked to it.

That is not immediately helpful, though.

libssl.so.9 => /usr/local/lib/libssl.so.9 (0x28313000

No version info there…

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.

Re: How to check which version of openssl is getting compiled in into dovecot?

Aki Tuomi-2


On 27.10.2017 10:07, @lbutlr wrote:

>
>> On Oct 27, 2017, at 12:33 AM, Aki Tuomi <[hidden email]> wrote:
>>
>>
>>
>> On 27.10.2017 00:53, [hidden email] wrote:
>>> I got multiple versions of openssl in my system. I compile dovecot with
>>> PKG_CONFIG_PATH=/usr/openssl-1.0.2l-fpic/lib/pkgconfig ./configure
>>>
>>> How do I check which version of openssl got compiled in? configure
>>> script does not show version. There seems to be no way to check it in
>>> compiled binary (?)
>>>
>>> My dovecot is still seen vulnerable by tls testing tools so I'm
>>> guessing wrong version of openssl got compiled in but there seems to be
>>> no way to check it.
>> You can check with ldd /usr/lib/dovecot/imap-login (or libexec)
>>
>> Just check which SSL library has been linked to it.
> That is not immediately helpful, though.
>
> libssl.so.9 => /usr/local/lib/libssl.so.9 (0x28313000
>
> No version info there…
>
I was kinda assuming you'd know which library it should link into. But..

$ strings /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 | grep OpenSSL
OpenSSLDie
SSLv3 part of OpenSSL 1.0.1t  3 May 2016
TLSv1 part of OpenSSL 1.0.1t  3 May 2016
DTLSv1 part of OpenSSL 1.0.1t  3 May 2016
OpenSSL 1.0.1t  3 May 2016

Works at least for me. Maybe this helps you?

Aki

Re: How to check which version of openssl is getting compiled in into dovecot?

@lbutlr


> On Oct 27, 2017, at 1:09 AM, Aki Tuomi <[hidden email]> wrote:
>
>
>
> On 27.10.2017 10:07, @lbutlr wrote:
>>
>>> On Oct 27, 2017, at 12:33 AM, Aki Tuomi <[hidden email]> wrote:
>>>
>>>
>>>
>>> On 27.10.2017 00:53, [hidden email] wrote:
>>>> I got multiple versions of openssl in my system. I compile dovecot with
>>>> PKG_CONFIG_PATH=/usr/openssl-1.0.2l-fpic/lib/pkgconfig ./configure
>>>>
>>>> How do I check which version of openssl got compiled in? configure
>>>> script does not show version. There seems to be no way to check it in
>>>> compiled binary (?)
>>>>
>>>> My dovecot is still seen vulnerable by tls testing tools so I'm
>>>> guessing wrong version of openssl got compiled in but there seems to be
>>>> no way to check it.
>>> You can check with ldd /usr/lib/dovecot/imap-login (or libexec)
>>>
>>> Just check which SSL library has been linked to it.
>> That is not immediately helpful, though.
>>
>> libssl.so.9 => /usr/local/lib/libssl.so.9 (0x28313000
>>
>> No version info there…
>>
> I was kinda assuming you'd know which library it should link into. But..

Sure, but if the OP knew this, wouldn't be asking, right?

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.

Re: How to check which version of openssl is getting compiled in into dovecot?

krzf83@gmail.com
In reply to this post by Aki Tuomi-2
>> You can check with ldd /usr/lib/dovecot/imap-login (or libexec)

No, I can't because I'm compiling dovecot with openssl compiled as FPIC
which means that it's not getting dynamically linked.

When I try to compile against non-fpic openssl I just got

/usr/openssl-1.0.2l/lib/libssl.a(s23_srvr.o): relocation R_X86_64_32
against `.rodata' can not be used when making a shared object;
recompile with -fPIC

2017-10-27 8:33 GMT+02:00 Aki Tuomi <[hidden email]>:

>
>
> On 27.10.2017 00:53, [hidden email] wrote:
>> I got multiple versions of openssl in my system. I compile dovecot with
>> PKG_CONFIG_PATH=/usr/openssl-1.0.2l-fpic/lib/pkgconfig ./configure
>>
>> How do I check which version of openssl got compiled in? configure
>> script does not show version. There seems to be no way to check it in
>> compiled binary (?)
>>
>> My dovecot is still seen vulnerable by tls testing tools so I'm
>> guessing wrong version of openssl got compiled in but there seems to be
>> no way to check it.
> You can check with ldd /usr/lib/dovecot/imap-login (or libexec)
>
> Just check which SSL library has been linked to it.
>
> Aki

Re: How to check which version of openssl is getting compiled in into dovecot?

krzf83@gmail.com
Correction. Even though I compile against fpic version of openssl
imap-login binary is still dynamically linked :/

root@sv1 [/usr/dovecot-2.2.33.2/libexec/dovecot]# ldd imap-login|grep ssl
        libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x00007f1428559000)

I've put new libssl.so.1.0.0 in this location from /usr/openssl-1.0.2l-fpic/lib/

# strings /lib64/libssl.so.1.0.0|grep openssl -i

SSLv3 part of OpenSSL 1.0.2l  25 May 2017
TLSv1 part of OpenSSL 1.0.2l  25 May 2017
DTLSv1 part of OpenSSL 1.0.2l  25 May 2017

looks good.

and (obviously) restarted dovecot. Outside tester
https://filippo.io/CVE-2016-2107 still says my imap on port 993 is
vulnerable to CVE-2016-2107. Weird.

I wish dovecot could print out version of openssl it is using on
runtime (for example to maillog, every time it starts). For example
apache can do it (and many other programs). It's a must have feature in
situation where openssl is dynamically linked at startup (as using env
LD_LIBRARY_PATH will make it link somewhere else for example).

2017-10-27 14:35 GMT+02:00 [hidden email] <[hidden email]>:

>>> You can check with ldd /usr/lib/dovecot/imap-login (or libexec)
>
> No, I can't because I'm compiling dovecot with openssl compiled as FPIC
> which means that it's not getting dynamically linked.
>
> When I try to compile against non-fpic openssl I just got
>
> /usr/openssl-1.0.2l/lib/libssl.a(s23_srvr.o): relocation R_X86_64_32
> against `.rodata' can not be used when making a shared object;
> recompile with -fPIC
>
> 2017-10-27 8:33 GMT+02:00 Aki Tuomi <[hidden email]>:
>>
>>
>> On 27.10.2017 00:53, [hidden email] wrote:
>>> I got multiple versions of openssl in my system. I compile dovecot with
>>> PKG_CONFIG_PATH=/usr/openssl-1.0.2l-fpic/lib/pkgconfig ./configure
>>>
>>> How do I check which version of openssl got compiled in? configure
>>> script does not show version. There seems to be no way to check it in
>>> compiled binary (?)
>>>
>>> My dovecot is still seen vulnerable by tls testing tools so I'm
>>> guessing wrong version of openssl got compiled in but there seems to be
>>> no way to check it.
>> You can check with ldd /usr/lib/dovecot/imap-login (or libexec)
>>
>> Just check which SSL library has been linked to it.
>>
>> Aki

Re: How to check which version of openssl is getting compiled in into dovecot?

krzf83@gmail.com
Never mind. It was old /lib64/libcrypto.so.1.0.0 which is dynamically
linked when running imap-login
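
The thread's resolution (a current libssl loaded next to a stale libcrypto) can be caught in one pass. The script below is an added example, not code from any poster or from Dovecot: it reads `ldd` output, extracts the OpenSSL version banner from every libssl and libcrypto the loader resolves, and fails when they disagree. The function names are hypothetical, and it uses `grep -a` in place of `strings` so it has no binutils dependency.

```shell
#!/bin/sh
# Added example: compare the OpenSSL versions embedded in the libssl and
# libcrypto that the dynamic loader resolves for a binary.

# Print "soname path" for each libssl/libcrypto line of ldd-style output on stdin.
tls_libs_from_ldd() {
    awk '$2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ && $3 ~ /^\// { print $1, $3 }'
}

# Print the version from the first "OpenSSL <version>" banner in a library file.
# grep -a treats the binary as text; "OpenSSLDie" has no space and is skipped.
openssl_version_of() {
    LC_ALL=C grep -a -o 'OpenSSL [0-9][0-9]*\.[0-9][0-9a-z.]*' "$1" |
        head -n 1 | cut -d' ' -f2
}

# Read ldd-style output on stdin and print "soname path version" per library.
# Returns 0 if all versions match, 1 on a mismatch or a missing banner,
# 2 if no libssl/libcrypto is resolved at all (for example a static link).
check_tls_libs() {
    libs=$(tls_libs_from_ldd)
    if [ -z "$libs" ]; then
        echo "no libssl/libcrypto in ldd output" >&2
        return 2
    fi
    seen="" rc=0
    while read -r soname path; do
        ver=$(openssl_version_of "$path")
        echo "$soname $path ${ver:-unknown}"
        [ -n "$ver" ] || rc=1
        [ -z "$seen" ] || [ "$seen" = "$ver" ] || rc=1
        seen=${seen:-$ver}
    done <<EOF
$libs
EOF
    return $rc
}

# Usage: sh check_tls_libs.sh /usr/dovecot-2.2.33.2/libexec/dovecot/imap-login
if [ -n "${1:-}" ]; then
    ldd "$1" | check_tls_libs
fi
```

`ldd` resolves libraries with the environment of the shell it is run in, so run it with the same `LD_LIBRARY_PATH` the service starts with.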