
How to fix the HeartBleed vulnerability in OpenSSL

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains how to fix the HeartBleed vulnerability in OpenSSL. It walks through the procedure with practical examples; the method is simple, fast and practical. I hope it helps you solve the problem.

Upgrade OpenSSL

Using a local Mac development machine as an example (of course, what matters most is that you upgrade your HTTPS servers):

brew update
brew install openssl
brew link --force openssl
openssl version -a

What should Rubyists do?

The Ruby project has published an official solution.

Execute the following command to verify the OpenSSL version linked to Ruby:

ruby -v -ropenssl -rfiddle -e 'puts Fiddle::Function.new(Fiddle.dlopen(nil)["SSLeay_version"], [Fiddle::TYPE_INT], Fiddle::TYPE_VOIDP).call(0)'

Verify the version of the OpenSSL library in Ruby by executing the following command:

ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'

If you discover that Ruby is using a vulnerable version of OpenSSL, you will need to recompile and reinstall Ruby.

$ ./configure --with-openssl-dir=/path/to/openssl
$ make
$ make install

Many people use rbenv or rvm on their servers, so they need to use rbenv or rvm to update Ruby, after first upgrading OpenSSL to version 1.0.1g.

rbenv ruby-build

rvm config

phusion-passenger

Brief description of how the vulnerability is attacked

Normal case: the program reads the length of the data, reads the data content according to that length, and then sends the data content back to the user intact.

Attack case: a hacker sends malicious data whose declared length is 64k but whose actual content is much smaller, for example 1 byte. In this case the server sends the [64k - 1] bytes of memory that follow the real data back to the hacker "intact".

The malicious data can be sent repeatedly, and the data sent back by the server may contain the plaintext passwords of other users.

The process is a bit like poking a pile of sesame seeds with chopsticks dipped in honey: every poke brings back a lot of sesame seeds. The memory of major websites that provide HTTPS services has become those sesame seeds.
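The over-read described above, reduced to a small model and shown beside the length check that RFC 6520 requires (an added example, not code from the original article or from OpenSSL). The function names, the `arena` buffer and its contents are constructed for illustration, and the declared length is scaled down from 64k to 39 bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_MIN_PAD 16u /* RFC 6520: at least 16 bytes of padding */

/* Constructed "process memory": a 4-byte heartbeat record (type 1, claimed
 * payload length 0x0027 = 39, real payload "A") followed by unrelated data. */
static const uint8_t arena[] =
    "\x01\x00\x27" "A" "user=alice&password=constructed-secret";
#define RECORD_LEN 4   /* bytes that actually arrived from the peer */

/* Model of the unchecked logic: trusts the length field inside the message.
 * The copy is clamped to the arena so this demo stays within its own buffer. */
size_t echo_unchecked(const uint8_t *rec, size_t arena_len, uint8_t *out)
{
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > arena_len - 3)
        claimed = arena_len - 3;            /* demo-only clamp */
    memcpy(out, rec + 3, claimed);          /* runs past the 1-byte payload */
    return claimed;
}

/* Checked logic: silently discard unless type (1) + length (2) + payload +
 * padding all fit inside the bytes that were really received. */
size_t echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < 1 + 2 + HB_MIN_PAD)
        return 0;                           /* too short to be a heartbeat */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + claimed + HB_MIN_PAD > rec_len)
        return 0;                           /* length field lies: discard */
    memcpy(out, rec + 3, claimed);
    return claimed;
}

int main(void)
{
    uint8_t out[64];
    size_t n = echo_unchecked(arena, sizeof arena, out);
    printf("unchecked: echoed %zu bytes: %.*s\n", n, (int)n, (const char *)out);
    printf("checked:   echoed %zu bytes\n", echo_checked(arena, RECORD_LEN, out));
    return 0;
}
```

The unchecked path echoes the neighbouring bytes along with the one-byte payload, while the checked path returns nothing for the same record because the declared length does not fit in the 4 bytes received.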
