Gitweb:
http://git.exim.org/exim.git/commitdiff/f64a1e235f8579c91d6ea0275d7d97e7a958709b
Commit: f64a1e235f8579c91d6ea0275d7d97e7a958709b
Parent: 6da250931d4b93e2bfe6de4adfc0d884e28a91c9
Author: Phil Pennock <pdp@???>
AuthorDate: Tue Apr 15 19:43:31 2014 -0700
Committer: Phil Pennock <pdp@???>
CommitDate: Tue Apr 15 19:43:31 2014 -0700
Report OpenSSL build date too.
Adjust `-d -bV` output for OpenSSL to include library build date.
Some OS packagers have backported heartbleed security fixes without
changing anything in the reported version number. The closest we can
get to a reassuring sign for administrators is to report the OpenSSL
library build date, as picked by the library which Exim is using at run
time.
```
Library version: OpenSSL: Compile: OpenSSL 1.0.1g 7 Apr 2014
                          Runtime: OpenSSL 1.0.1g 7 Apr 2014
                                 : built on: Mon Apr  7 15:08:30 PDT 2014
```
For comparison, the version information for OpenSSL on Ubuntu (where
Exim is by default built with GnuTLS, but this provides context for
comparison):
```
$ openssl version -v -b
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr  7 20:33:29 UTC 2014
```
GnuTLS: the closest I can find to a runtime value is the call we are
already making; if an OS vendor patches GnuTLS without changing the
version which would be returned by `gnutls_check_version(NULL)` then the
sysadmin is SOL and will have to explore library linkages more
carefully.
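As an added illustration (not part of this commit or of Exim), here is a Python checker that parses the three OpenSSL lines shown above, plus the plain `openssl version -v -b` form, and applies the reasoning of the commit message: a runtime version string dated on or after a fix release counts as fixed, a version string that predates it but a library rebuilt on or after it counts as a possible backport to confirm with the vendor, and a compile-time/run-time version disagreement (the crash risk mentioned in the code comment) is flagged separately. The sample reports are constructed, the fix date 2014-04-07 is the 1.0.1g release date taken from the output above, and working at day granularity (the time-zone abbreviation is ignored) is an assumption of this example.

```python
"""Parse the OpenSSL lines of `exim -d -bV` and judge whether the loaded
library plausibly carries a fix. Added example, not Exim code."""
import re
from datetime import date

# Constructed sample (not captured from a real host): Exim linked against an
# OpenSSL whose version string already carries the 1.0.1g release date.
SAMPLE_CURRENT = """\
Library version: OpenSSL: Compile: OpenSSL 1.0.1g 7 Apr 2014
                          Runtime: OpenSSL 1.0.1g 7 Apr 2014
                                 : built on: Mon Apr  7 15:08:30 PDT 2014
"""

# Constructed sample: a distro package that kept its old "1.0.1 14 Mar 2012"
# version string but was rebuilt on the fix date (a backported patch), and a
# binary compiled against different headers than the library it runs with.
SAMPLE_BACKPORTED = """\
Library version: OpenSSL: Compile: OpenSSL 1.0.1e 11 Feb 2013
                          Runtime: OpenSSL 1.0.1 14 Mar 2012
                                 : built on: Mon Apr  7 20:33:29 UTC 2014
"""

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# "OpenSSL 1.0.1g 7 Apr 2014" -> version token and release date
VERSION_RE = re.compile(
    r"OpenSSL\s+(\S+)\s+(\d{1,2})\s+([A-Z][a-z]{2})\s+(\d{4})")
# "built on: Mon Apr  7 15:08:30 PDT 2014" -> build date; the time-zone
# abbreviation is not parsed, so the check works at day granularity only.
BUILT_RE = re.compile(
    r"built on:\s+[A-Z][a-z]{2}\s+([A-Z][a-z]{2})\s+(\d{1,2})"
    r"\s+\d\d:\d\d:\d\d\s+\S+\s+(\d{4})")


def parse_report(text):
    """Return {"compile": (ver, date) | None, "runtime": (ver, date) | None,
    "built_on": date | None}. A version line without a "Compile:" label
    (e.g. plain `openssl version -v -b` output) is treated as the runtime
    library. built_on stays None when no parsable build date is present."""
    report = {"compile": None, "runtime": None, "built_on": None}
    for line in text.splitlines():
        m = VERSION_RE.search(line)
        if m:
            when = date(int(m.group(4)), MONTHS[m.group(3)], int(m.group(2)))
            key = "compile" if "Compile:" in line else "runtime"
            report[key] = (m.group(1), when)
        m = BUILT_RE.search(line)
        if m:
            report["built_on"] = date(
                int(m.group(3)), MONTHS[m.group(1)], int(m.group(2)))
    return report


def assess(report, fix_released):
    """Classify the runtime library against a fix released on the ISO date
    fix_released. "possible_backport" means the version string predates the
    fix but the library was rebuilt on or after it; confirm with the vendor."""
    fix = date.fromisoformat(fix_released)
    comp, run, built = report["compile"], report["runtime"], report["built_on"]
    if run is None:
        return {"status": "unparsable", "mismatch": False}
    # Header/library disagreement is the crash risk the Exim comment warns about.
    mismatch = comp is not None and comp[0] != run[0]
    if run[1] >= fix:
        status = "fixed"
    elif built is not None and built >= fix:
        status = "possible_backport"
    else:
        status = "unpatched"
    return {"status": status, "mismatch": mismatch}


if __name__ == "__main__":
    for label, sample in (("current", SAMPLE_CURRENT),
                          ("backported", SAMPLE_BACKPORTED)):
        print(label, assess(parse_report(sample), "2014-04-07"))
```

A "possible_backport" result is a hint, not proof: a vendor that patched the library in place without rebuilding, or that rebuilt an unpatched source after the fix date, will produce misleading build dates, which is exactly the limitation the commit message acknowledges.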
---
src/src/tls-openssl.c | 13 +++++++++++--
1 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index a64f85d..b7b2f88 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1923,6 +1923,11 @@ one version of OpenSSL but the run-time linker picks up another version,
it can result in serious failures, including crashing with a SIGSEGV. So
report the version found by the compiler and the run-time version.
+Note: some OS vendors backport security fixes without changing the version
+number/string, and the version date remains unchanged. The _build_ date
+will change, so we can more usefully assist with version diagnosis by also
+reporting the build date.
+
Arguments: a FILE* to print the results to
Returns: nothing
*/
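Review bot: the added comment states flatly that "The _build_ date will change", but that only holds if the vendor actually rebuilt the library after applying the backported fix; the commit message itself calls the build date only "the closest we can get to a reassuring sign". Suggest softening the comment to match, e.g. "the build date normally changes when the package is rebuilt, so reporting it gives administrators one more hint about what is really loaded", so that a reader of the code does not take the printed date as proof that a fix is present.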
@@ -1931,9 +1936,13 @@ void
tls_version_report(FILE *f)
{
fprintf(f, "Library version: OpenSSL: Compile: %s\n"
- " Runtime: %s\n",
+ " Runtime: %s\n"
+ " : %s\n",
OPENSSL_VERSION_TEXT,
- SSLeay_version(SSLEAY_VERSION));
+ SSLeay_version(SSLEAY_VERSION),
+ SSLeay_version(SSLEAY_BUILT_ON));
+/* third line is 38 characters for the %s and the line is 73 chars long;
+the OpenSSL output includes a "built on: " prefix already. */
}
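Review bot: the trailing comment ("third line is 38 characters for the %s and the line is 73 chars long") sits after the statement it describes and records a coincidence rather than an invariant: the run-time string is whatever the library returns, so 38 and 73 only hold for the build the author looked at. Suggest moving the comment above the fprintf and stating the intent instead, namely that the padding is chosen so the "built on: " text that SSLeay_version(SSLEAY_BUILT_ON) already supplies lines up under the "Compile:" and "Runtime:" columns. Also, because the third line's label is just ": ", the output reads ": built on: ..."; consider either dropping the bare colon or giving the line a real label (e.g. "Build: ") and skipping the library's own "built on: " prefix, so all three lines are labelled consistently.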