openssl update on ddwrt, is it Checkmate or Check?

Posted on April 17, 2012

After reading an old article on a TLSv1 vulnerability, I wanted to test it. The website where I read about this TLSv1 issue:
http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
After reading it, I wanted to look for a webserver that supports TLSv1. For that task I only need openssl on a device with public internet access, which is actually my ddwrt router.
The command is easy: just issue it and see whether the output of the server reply contains TLS version 1.
An example can be seen below:

root@schlagmichtotgw:/tmp/mnt/test# openssl s_client -connect 3.3.3.3:443 -tls1
...
---
No client certificate CA names sent
---
SSL handshake has read 3135 bytes and written 414 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
...
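An added example, not part of the original post: in s_client output of this vintage the `New, TLSv1/SSLv3, Cipher is ...` line names the protocol family of the cipher suite, while the version actually negotiated is in the `Protocol` field of the `SSL-Session:` block that follows. The script below reads that block from saved output; the sample text is constructed and the function names are chosen here.

```shell
#!/bin/sh
# Added example: report what an `openssl s_client` run actually negotiated.

# Constructed sample. The SSL-Session lines are the part of the s_client
# output that follows the excerpt shown in the post.
sample_output() {
cat <<'EOF'
SSL handshake has read 3135 bytes and written 414 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
EOF
}

# Print one "Key : value" field from the SSL-Session block read on stdin.
session_field() {
    awk -v key="$1" '
        /^SSL-Session:/ { in_sess = 1; next }
        in_sess && $1 == key && $2 == ":" { print $3; exit }
    '
}

# Classify s_client output read on stdin (classify is a name chosen here).
classify() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | session_field Protocol)
    cipher=$(printf '%s\n' "$out" | session_field Cipher)
    # A failed handshake still prints a Protocol line, with Cipher 0000.
    if [ -z "$proto" ] || [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then
        echo "no-session"
        return 0
    fi
    case "$proto" in
        SSLv3|TLSv1)
            # These versions offer only CBC block ciphers, RC4 or NULL.
            case "$cipher" in
                *RC4*|*NULL*) echo "$proto $cipher legacy-protocol" ;;
                *)            echo "$proto $cipher legacy-protocol-cbc" ;;
            esac ;;
        *) echo "$proto $cipher not-tls10" ;;
    esac
}

sample_output | classify
```

To check a server you run yourself, pipe the live output in instead of the sample: `openssl s_client -connect 3.3.3.3:443 -tls1 </dev/null 2>&1 | classify`.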

That is fine, but before that I wanted to upgrade my openssl version, because the ipkg repository has a newer version than the ipkg-opt repository (anyway, both of them are really old):

Whiterussian package:

root@schlagmichtotgw:~# ipkg info openssl-util
Package: openssl-util
Version: 0.9.8d-1
Depends: libopenssl
Section: admin
Architecture: mipsel
Maintainer: OpenWrt Developers Team 
MD5Sum: 5da30d14ce39c8e0f5c2f19d0ea4db3e
Size: 133776
Filename: openssl-util_0.9.8d-1_mipsel.ipk
Source: http://svn.openwrt.org/openwrt/branches/whiterussian/openwrt/package/openssl
Description: OpenSSL (Secure Socket Layer) command line tool

Optware package:

root@schlagmichtotgw:~# ipkg-opt list | grep openssl
openssl - 0.9.7m-5 - Openssl provides the ssl implementation in libraries libcrypto and libssl, and is needed by many other applications and librari
...

My Version:

root@schlagmichtotgw:~# openssl version
OpenSSL 0.9.7m 23 Feb 2007

Try to install the newer version:

1.) Installing openssl-util fails because of a dependency:

root@schlagmichtotgw:~# ipkg install openssl-util

Downloading http://downloads.openwrt.org/whiterussian/packages/libopenssl_0.9.8d-1_mipsel.ipk ...
Connecting to downloads.openwrt.org (78.24.191.177:80)
Done.
Unpacking libopenssl...Done.
Configuring libopenssl...Done.

Downloading http://downloads.openwrt.org/whiterussian/packages/openssl-util_0.9.8d-1_mipsel.ipk ...
Connecting to downloads.openwrt.org (78.24.191.177:80)
Done.
ipkg_install_file: ERROR: openssl-util depends on the following uninstalled programs:
         libopenssl
ipkg_install_file: You may want to use `ipkg install' to install these.
ipkg_get_install: ERROR: Failed to install /jffs/tmp/ipkg/openssl-util_0.9.8d-1_mipsel.ipk
ipkg_get_install: I'll leave it there for you to try a manual installation

2.) Installing only the required library seems to be OK:

root@schlagmichtotgw:~# ipkg install libopenssl

Downloading http://downloads.openwrt.org/whiterussian/packages/libopenssl_0.9.8d-1_mipsel.ipk ...
Connecting to downloads.openwrt.org (78.24.191.177:80)
Done.
Unpacking libopenssl...Done.
Configuring libopenssl...Done.
root@schlagmichtotgw:~#

3.) After that I still cannot install it:

root@schlagmichtotgw:~# ipkg install openssl-util

Downloading http://downloads.openwrt.org/whiterussian/packages/libopenssl_0.9.8d-1_mipsel.ipk ...
Connecting to downloads.openwrt.org (78.24.191.177:80)
Done.
Unpacking libopenssl...Done.
Configuring libopenssl...Done.

Downloading http://downloads.openwrt.org/whiterussian/packages/openssl-util_0.9.8d-1_mipsel.ipk ...
Connecting to downloads.openwrt.org (78.24.191.177:80)
Done.
ipkg_install_file: ERROR: openssl-util depends on the following uninstalled programs:
         libopenssl
ipkg_install_file: You may want to use `ipkg install' to install these.
ipkg_get_install: ERROR: Failed to install /jffs/tmp/ipkg/openssl-util_0.9.8d-1_mipsel.ipk
ipkg_get_install: I'll leave it there for you to try a manual installation

4.) What files are used for openssl:

root@schlagmichtotgw:~# ipkg-opt files openssl
Package openssl (0.9.7m-5) is installed on /opt/ and has the following files:
/opt/share/openssl/openssl.cnf
/opt/lib/libssl.so
/opt/lib/libssl.so.0
/opt/bin/openssl
/opt/lib/libcrypto.so
/opt/lib/libssl.so.0.9.7
/opt/lib/libcrypto.so.0
/opt/lib/libcrypto.so.0.9.7

Successfully terminated.

5.) Try to download the package and open it:

root@schlagmichtotgw:/tmp/mnt# wget http://downloads.openwrt.org/whiterussian/packages/libopenssl_0.9.8d-1_mipsel.ipk
Connecting to downloads.openwrt.org (78.24.191.177:80)

root@schlagmichtotgw:/tmp/mnt/test# ar t libopenssl_0.9.8d-1_mipsel.ipk
ar: can't resolve symbol '_dl_app_init_array'
root@schlagmichtotgw:/tmp/mnt/test# ar x libopenssl_0.9.8d-1_mipsel.ipk
ar: can't resolve symbol '_dl_app_init_array'

ar does not work...

6.) Check the lib files for openssl:

root@schlagmichtotgw:/tmp/mnt/test# ls -lat /opt/lib/libssl*
lrwxrwxrwx    1 root     root           15 Apr 25  2011 /opt/lib/libssl.so -> libssl.so.0.9.7
lrwxrwxrwx    1 root     root           15 Apr 25  2011 /opt/lib/libssl.so.0 -> libssl.so.0.9.7
-rw-r--r--    1 root     root       235852 Nov 17  2010 /opt/lib/libssl.so.0.9.7

7.) Look for the newly installed library files for openssl:

root@schlagmichtotgw:/tmp/mnt/test# find / -name libssl.so.0.9*
/jffs/usr/lib/libssl.so.0.9.8
/opt/lib/libssl.so.0.9.7

It is in /jffs/usr/lib/

8.) Copy and update the openssl library:

root@schlagmichtotgw:/tmp/mnt/test# cp /jffs/usr/lib/libssl.so.0.9.8 /opt/lib/

root@schlagmichtotgw:/tmp/mnt/test# rm /opt/lib/libssl.so
root@schlagmichtotgw:/tmp/mnt/test# rm /opt/lib/libssl.so.0

root@schlagmichtotgw:/tmp/mnt/test# ln -s /opt/lib/libssl.so.0.9.8 /opt/lib/libssl.so.0
root@schlagmichtotgw:/tmp/mnt/test# ln -s /opt/lib/libssl.so.0.9.8 /opt/lib/libssl.so

The result:

root@schlagmichtotgw:/tmp/mnt/test# ls -lat /opt/lib/libssl*
lrwxrwxrwx    1 root     root           24 Apr 12 10:03 /opt/lib/libssl.so -> /opt/lib/libssl.so.0.9.8
lrwxrwxrwx    1 root     root           24 Apr 12 10:03 /opt/lib/libssl.so.0 -> /opt/lib/libssl.so.0.9.8
-rw-r--r--    1 root     root       192135 Apr 12 10:02 /opt/lib/libssl.so.0.9.8
-rw-r--r--    1 root     root       235852 Nov 17  2010 /opt/lib/libssl.so.0.9.7

9.) Try to install again:

root@schlagmichtotgw:/tmp/mnt/test# ipkg install openssl-util

Downloading http://downloads.openwrt.org/whiterussian/packages/libopenssl_0.9.8d-1_mipsel.ipk ...
Connecting to downloads.openwrt.org (78.24.191.177:80)
Done.
Unpacking libopenssl...Done.
Configuring libopenssl...Done.

Downloading http://downloads.openwrt.org/whiterussian/packages/openssl-util_0.9.8d-1_mipsel.ipk ...
Connecting to downloads.openwrt.org (78.24.191.177:80)
Done.
ipkg_install_file: ERROR: openssl-util depends on the following uninstalled programs:
     libopenssl
ipkg_install_file: You may want to use `ipkg install' to install these.
ipkg_get_install: ERROR: Failed to install /jffs/tmp/ipkg/openssl-util_0.9.8d-1_mipsel.ipk
ipkg_get_install: I'll leave it there for you to try a manual installation
root@schlagmichtotgw:/tmp/mnt/test# ls -lat /jffs/tmp/ipkg/openssl-util_0.9.8d-1_mipsel.ipk
root@schlagmichtotgw:/tmp/mnt/test#

It failed and the file is not in /jffs/tmp… try to force it

root@schlagmichtotgw:/tmp/mnt/test# ipkg -force-depends install openssl-util

Downloading http://downloads.openwrt.org/whiterussian/packages/libopenssl_0.9.8d-1_mipsel.ipk ...
Connecting to downloads.openwrt.org (78.24.191.177:80)
Done.
Unpacking libopenssl...Done.
Configuring libopenssl...Done.

Downloading http://downloads.openwrt.org/whiterussian/packages/openssl-util_0.9.8d-1_mipsel.ipk ...
Connecting to downloads.openwrt.org (78.24.191.177:80)
Done.
ipkg_install_file: Warning: openssl-util depends on the following uninstalled programs:  libopenssl
Unpacking openssl-util...Done.
Configuring openssl-util...Done.

I now have 2 openssl binaries, but one does not work; it has a uClibc problem:

root@schlagmichtotgw:/tmp/mnt/test# find / -name openssl
/jffs/usr/bin/openssl
/opt/share/openssl
/opt/bin/openssl
root@schlagmichtotgw:/tmp/mnt/test# /jffs/usr/bin/openssl
/jffs/usr/bin/openssl: can't resolve symbol '__uClibc_start_main'
root@schlagmichtotgw:/tmp/mnt/test# /opt/bin/openssl version
OpenSSL 0.9.7m 23 Feb 2007

And here I cannot go on; I have to dig into it later…

Posted in: Linux, openssl, Security