top | item 7554023 (no title) chaosmonkey | 12 years ago We have the same version of OpenSSL on 2 different test nodes.OpenSSL 1.0.1e-fipsOne came up positive, One negative. Shouldn't it be negative for both? discuss order hn newest teoruiz|12 years ago Weird. Can you try "openssl version -a" on both? Like this: $ openssl version -a OpenSSL 1.0.1 14 Mar 2012 built on: Mon Apr 7 20:33:29 UTC 2014 platform: debian-amd64 options: bn(64,64) rc4(8x,int) des(idx,cisc,16,int) blowfish(idx) compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa, --noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM OPENSSLDIR: "/usr/lib/ssl" In any case, it could be that something else (not built with OpenSSL) is listening on port 443 in the one that's "safe". Ronnie76er|12 years ago I think it's also possible you are getting a false positive, because it's timing out or whatever. The newer version of that check tells you if it's timing out. chaosmonkey|12 years ago Tried again. Still get the same result. lawl|12 years ago Different build flags? Might one of them have been built with -DOPENSSL_NO_HEARTBEATS? deemz|12 years ago Did you "service httpd restart" after applying the update?
teoruiz|12 years ago Weird. Can you try "openssl version -a" on both? Like this: $ openssl version -a OpenSSL 1.0.1 14 Mar 2012 built on: Mon Apr 7 20:33:29 UTC 2014 platform: debian-amd64 options: bn(64,64) rc4(8x,int) des(idx,cisc,16,int) blowfish(idx) compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa, --noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM OPENSSLDIR: "/usr/lib/ssl" In any case, it could be that something else (not built with OpenSSL) is listening on port 443 in the one that's "safe".
Ronnie76er|12 years ago I think it's also possible you are getting a false positive, because it's timing out or whatever. The newer version of that check tells you if it's timing out. chaosmonkey|12 years ago Tried again. Still get the same result.
lawl|12 years ago Different build flags? Might one of them have been built with -DOPENSSL_NO_HEARTBEATS?
teoruiz|12 years ago
Ronnie76er|12 years ago
chaosmonkey|12 years ago
lawl|12 years ago
deemz|12 years ago