topic Re: OpenSSL 0.9.8p to 0.9.8r or 1.0.0e in Security

OpenSSL 0.9.8p to 0.9.8r or 1.0.0e

fi5033 — Tue, 04 Oct 2011 19:53:45 GMT

Current project I am working on require that OpenSSL be upgraded to at least 0.9.8r (with experimental "ECCdraft" ciphersuites disabled) or 1.0.0e. Specifically, OpenSSL 0.9.8p is cited as vulnerable.
Could you tell me if OpenSSL used by Splunk can be upgraded to 0.9.8r? Or can it be configured to simply use the existing installation of OpenSSL on the server so that we don’t always have to upgrade two copies on each server.

The version we are using is 4.2.1.

Re: OpenSSL 0.9.8p to 0.9.8r or 1.0.0e

jasonnadeau — Tue, 04 Oct 2011 20:01:34 GMT

If you review the open source license definitions that are distributed with splunk you should be able to ascertain the version of openssl you are running. I am using Splunk 4.1.8 and the license documents were located here: /opt/splunk/share/splunk/3rdparty. According to Copyright-for-openssl-0.9.8n.txt I should expect openssl 0.9.8n to be in my copy of Splunk.

Re: OpenSSL 0.9.8p to 0.9.8r or 1.0.0e

fi5033 — Tue, 04 Oct 2011 20:15:11 GMT

The version of openssl came with 4.2.1 is 0.9.8p.

bash-3.00$ ls Copyright-for-open*
Copyright-for-openssl-0.9.8p.txt

Still seeking to upgrade 0.9.8p to 0.9.8r and not sure if this is even doable?

Re: OpenSSL 0.9.8p to 0.9.8r or 1.0.0e

dwaddle — Tue, 04 Oct 2011 20:37:47 GMT

(A) Splunk's OpenSSL is bundled into Splunk as a private copy. Splunk does not care what your "system" OpenSSL is.

(B) Splunk maintains OpenSSL (and several other bundled components) as part of their overall release process. You should not expect to upgrade "just" Splunk's OpenSSL w/o upgrading Splunk itself. More info is available on http://splunk-base.splunk.com/answers/6653/how-do-splunk-releases-integrate-security-patches-for-dependent-libraries