Heartbleed: how to reliably and portably check the OpenSSL version?

Based on the date displayed by your version of OpenSSL, it seems you are seeing the full version displayed there.

Open SSL 1.0.1 was released on March 14th, 2012. 1.0.1a was released on April 19th of 2012.

So, I’m going to go ahead and assert that openssl version -a is the proper, cross-distro way to display the full version of OpenSSL that’s installed on the system. It seems to work for all the Linux distros I have access to, and is the method suggested in the help.ubuntu.com OpenSSL documentation, as well. Ubuntu LTS 12.04 shipped with vanilla OpenSSL v1.0.1, which is the version that looks like an abbreviated version, on account of not having a letter following it.

Having said that, it appears that there is a major bug in Ubuntu (or how they package OpenSSL), in that openssl version -a continues to return the original 1.0.1 version from March 14, 2012, regardless of whether or not OpenSSL has been upgraded to any of the newer versions. And, as with most things when it rains, it pours.

Ubuntu is not the only major distro in the habit of backporting updates into OpenSSL (or other packages), rater than relying on the upstream updates and version numbering that everyone recognizes. In the case of OpenSSL, where the letter version numbers represent only bug fix and security updates, this seems nearly incomprehensible, but I have been informed that this may be because of the FIPS-validated plugin major Linux distros ship packaged with OpenSSL. Because of requirements around revalidation that trigger due to any change, even changes that plug security holes, it is version-locked.

For example, on Debian, the fixed version displays a version number of 1.0.1e-2+deb7u5 instead of the upstream version of 1.0.1g.

As a result, at this time, there is no reliable, portable way to check SSL versions across Linux distributions, because they all use their own backported patches and updates with different version numbering schemes. You will have to look up the fixed version number for each different distribution of Linux you run, and check the installed OpenSSL version against that distribution’s specific version numbering to determine if your servers are running a vulnerable version or not.

Related Posts:

  1. Cannot connect to the Docker daemon at unix:/var/run/docker.sock. Is the docker daemon running?
  2. apt-get error: Sub-process /usr/bin/dpkg returned an error code (1)
  3. “Couldn’t find a file descriptor referring to the console” on Ubuntu bash on Windows
  4. error: ‘Can’t connect to local MySQL server through socket ‘/var/run/mysqld/mysqld.sock’ (2)’ — Missing /var/run/mysqld/mysqld.sock
  5. error: ‘Can’t connect to local MySQL server through socket ‘/var/run/mysqld/mysqld.sock’ (2)’ — Missing /var/run/mysqld/mysqld.sock
  6. “E: Unable to locate package python-pip” on Ubuntu 18.04 [duplicate]
  7. “E: Unable to locate package python-pip” on Ubuntu 18.04 [duplicate]
  8. “sed” command in bash
  9. WSL – GEDIT Unable to init server: Could not connect: Connection refused
  10. How to open some ports on Ubuntu?
  11. Uncompress tar.gz file
  12. “Unable to find remote helper for ‘https'” during git clone
  13. Explanation of polkitd Unregistered Authentication Agent
  14. What is the difference between /etc/rc.local and ~/.bashrc?
  15. Unable to establish SSL connection upon wget on Ubuntu 14.04 LTS
  16. Telnet [Unable to connect to remote host: Connection refused]
  17. wget returns “Unable to establish SSL connection”
  18. Curl : connection refused
  19. How to install Android SDK on Ubuntu?
  20. How do I install chkconfig on Ubuntu?
  21. make -j 8 g++: internal compiler error: Killed (program cc1plus)
  22. List all mounts in Linux
  23. How to use sed to extract substring
  24. Bash export command
  25. How to edit gitignore file
  26. Adding a new entry to the PATH variable in ZSH
  27. how to search for a directory from the terminal in ubuntu
  28. WordPress sites being filled with random PHP files
  29. What permissions should my website files/folders have on a Linux webserver?
  30. What are the functional differences between .profile .bash_profile and .bashrc
  31. Heartbleed: What is it and what are options to mitigate it?
  32. Is it normal to get hundreds of break-in attempts per day?
  33. Difference in sites-available vs sites-enabled vs conf.d directories (Nginx)?
  34. How to view all ssl certificates in a bundle?
  35. How to handle security updates within Docker containers?
  36. Job scheduling using crontab, what will happen when computer is shutdown during that time?
  37. How can I verify if TLS 1.2 is supported on a remote web server from the RHEL/CentOS shell?
  38. How to check if an RSA public / private key pair match
  39. REJECT vs DROP when using iptables
  40. “POSSIBLE BREAK-IN ATTEMPT!” in /var/log/secure — what does this mean?
  41. Tips for Securing a LAMP Server
  42. How to add a security group to a running EC2 Instance?
  43. I have a keypair. How do I determine the key length?
  44. GPG does not have enough entropy
  45. df says disk is full, but it is not
  46. Why don’t EC2 ubuntu images have swap?
  47. Is there a proper way to clear logs?
  48. What is the debian-sys-maint MySQL user (and more)?
  49. How should an IT department choose a standard Linux distribution?
  50. Command line program to test DHCP service
  51. What is the difference between /sbin/nologin and /bin/false?
  52. ERROR 1045 (28000): Access denied for user ‘root’@’localhost’ (using password: YES)
  53. How do I grep recursively?
  54. ERROR 1045 (28000): Access denied for user ‘root’@’localhost’ (using password: YES)
  55. -bash: syntax error near unexpected token `newline’ for display command
  56. SSH using python script
  57. Changing the resolution of a VNC session in linux
  58. Building HelloWorld C++ Program in Linux with ncurses
  59. How does “cat << EOF" work in bash?
  60. X11 forwarding request failed on channel 0
  61. What is difference between arm64 and armhf?
  62. How to count lines in a document?
  63. What does `set -x` do?
  64. How to get the process ID to kill a nohup process?
  65. Writing a simple shell in C using fork/execvp
  66. Using ls to list directories and their total sizes
  67. tar: add all files and directories in current directory INCLUDING .svn and so on
  68. What does set -e mean in a bash script?
  69. Pipe to/from the clipboard in a Bash script
  70. what does -zxvf mean in tar -zxvf filename? 
  71. Retrieve last 100 lines logs
  72. Configuring Apache for localhost
  73. Android – Command not found
  74. EC2 ssh Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
  75. What does ‘bash -c’ do?
  76. How do I know the script file name in a Bash script?
  77. WordPress can’t find temporary folder, but folder it’s looking at has correct permissions
  78. Copying a large directory tree locally? cp or rsync?
  79. Check if port is open or closed on a Linux server?
  80. When does `cron.daily` run?
  81. How to run a command multiple times, using bash shell?
  82. How to reconnect to a disconnected ssh session
  83. Should I quit using Ifconfig?
  84. SSL Certificate Location on UNIX/Linux
  85. What is “-bash: !”: event not found”
  86. Keeping a linux process running after I logout
  87. Force dig to resolve without using cache
  88. How to forcibly close a socket in TIME_WAIT?
  89. Colors in bash after piping through less?
  90. Why does sudo command take long to execute?
  91. How to display certain lines from a text file in Linux?
  92. Can you have more than one ~/.ssh/config file?
  93. How to force nginx to resolve DNS (of a dynamic hostname) everytime when doing proxy_pass?
  94. SSHFS mount that survives disconnect
  95. create home directories after create users
  96. How do I redirect subdomains to a different port on the same server?
  97. Running Cron every 2 hours [duplicate]
  98. How to check the physical status of an ethernet port in Linux?
  99. What does “debconf: delaying package configuration, since apt-utils is not installed” mean?
  100. In Linux, what is the difference between “buffers” and “cache” reported by the free command?

Leave a Comment