[exim-cvs] Report OpenSSL build date too.

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Exim Git Commits Mailing List
Date:  
À: exim-cvs
Sujet: [exim-cvs] Report OpenSSL build date too.
Gitweb: http://git.exim.org/exim.git/commitdiff/f64a1e235f8579c91d6ea0275d7d97e7a958709b
Commit:     f64a1e235f8579c91d6ea0275d7d97e7a958709b
Parent:     6da250931d4b93e2bfe6de4adfc0d884e28a91c9
Author:     Phil Pennock <pdp@???>
AuthorDate: Tue Apr 15 19:43:31 2014 -0700
Committer:  Phil Pennock <pdp@???>
CommitDate: Tue Apr 15 19:43:31 2014 -0700


    Report OpenSSL build date too.


    Adjust `-d -bV` output for OpenSSL to include library build date.


    Some OS packagers have backported heartbleed security fixes without
    changing anything in the reported version number.  The closest we can
    get to a reassuring sign for administrators is to report the OpenSSL
    library build date, as picked by the library which Exim is using at run
    time.


    ```
    Library version: OpenSSL: Compile: OpenSSL 1.0.1g 7 Apr 2014
                              Runtime: OpenSSL 1.0.1g 7 Apr 2014
                                     : built on: Mon Apr  7 15:08:30 PDT 2014
    ```


    For comparison, the version information for OpenSSL on Ubuntu (where
    Exim is by default built with GnuTLS, but this provides for context for
    comparison):


    ```
    $ openssl version -v -b
    OpenSSL 1.0.1 14 Mar 2012
    built on: Mon Apr  7 20:33:29 UTC 2014
    ```


    GnuTLS: the closest I can find to a runtime value is the call we are
    already making; if an OS vendor patches GnuTLS without changing the
    version which would be returned by `gnutls_check_version(NULL)` then the
    sysadmin is SOL and will have to explore library linkages more
    carefully.
---
 src/src/tls-openssl.c |   13 +++++++++++--
 1 files changed, 11 insertions(+), 2 deletions(-)


diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index a64f85d..b7b2f88 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1923,6 +1923,11 @@ one version of OpenSSL but the run-time linker picks up another version,
it can result in serious failures, including crashing with a SIGSEGV. So
report the version found by the compiler and the run-time version.

+Note: some OS vendors backport security fixes without changing the version
+number/string, and the version date remains unchanged.  The _build_ date
+will change, so we can more usefully assist with version diagnosis by also
+reporting the build date.
+
 Arguments:   a FILE* to print the results to
 Returns:     nothing
 */
@@ -1931,9 +1936,13 @@ void
 tls_version_report(FILE *f)
 {
 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
-           "                          Runtime: %s\n",
+           "                          Runtime: %s\n"
+           "                                 : %s\n",
            OPENSSL_VERSION_TEXT,
-           SSLeay_version(SSLEAY_VERSION));
+           SSLeay_version(SSLEAY_VERSION),
+           SSLeay_version(SSLEAY_BUILT_ON));
+/* third line is 38 characters for the %s and the line is 73 chars long;
+the OpenSSL output includes a "built on: " prefix already. */
 }