DROWN attacks vs openssl

CONTENTS DELETED

First, use the latest fw_upgrade script version that forces TLS1.0 connections and above: http://itus.accessinnov.com/Update-script-fw-upgrade-td43.html

Second, update your openSSL version to 1.0.2g:

In /etc/opkg.conf add these lines at the end:

arch cn70xx 100
arch octeon 200
arch all 300

Download the new version from here:
https://downloads.openwrt.org/chaos_calmer/15.05/octeon/generic/packages/base/openssl-util_1.0.2g-1_octeon.ipk

Update it:
opkg install ../openssl-util_1.0.2g-1_octeon.ipk

Hi
I followed you instructions and get the following

.ipk was download to root and run with opkg install ../openssl-util_1.0.2g-1_octeon.ipk from root

bin                               overlay
dev                               proc
etc                               ramfs
include                           rom
init                              root
lib                               sbin
lib64                             sys
lost+found                        tmp
mnt                               usr
openssl-util_1.0.2g-1_octeon.ipk  var
opt                               www
root@Shield:/# opkg install ../openssl-util_1.0.2g-1_octeon.ipk
Installing openssl-util (1.0.2g-1) to root...
Configuring openssl-util.
Collected errors:
 * resolve_conffiles: Existing conffile /etc/ssl/openssl.cnf is different from the conffile in the new package. The new conffile will be placed at /etc/ssl/openssl.cnf-opkg.
root@Shield:/# cd etc/
root@Shield:/etc# cd ssl
root@Shield:/etc/ssl# ls
certs             openssl.cnf       openssl.cnf-opkg  private

what do i have to do now or is this ok


roadrunnere42

Roadrunnere42 wrote

 * resolve_conffiles: Existing conffile /etc/ssl/openssl.cnf is different from the conffile in the new package. The new conffile will be placed at /etc/ssl/openssl.cnf-opkg.

I tried the same steps but stuck right now.

openssl.cnf-opkg and openssl.cnf are exactly the same according to a file compare

now I am getting

root@Shield:/etc/ssl# openvpn
Usage message not available
root@Shield:/etc/ssl# openvpn --help
Usage message not available
root@Shield:/etc/ssl# openvpn version
Options error: In [CMD-LINE]:1: Error opening configuration file: version
Use --help for more information.
root@Shield:/etc/ssl# openssl
-ash: openssl: not found

I made the change in my active shield - not my sandbox  Any way to restore it (besides factory reset)?

root@Shield:/etc/ssl# openssl
OpenSSL> version
OpenSSL 1.0.2d 9 Jul 2015
OpenSSL> help
openssl:Error: 'help' is an invalid command.

Standard commands
asn1parse      ca             ciphers        cms            crl
....

CONTENTS DELETED

Odd. You don't get that unless the files are different. Here is that file on my box: openssl.cnf

You shouldn't have to downgrade, just reinstall it again. Delete the new .cnf-opkg file, it may conflict. Try the force reinstall option switch and reinstall: opkg install --force-reinstall  

user8446 wrote

Odd. You don't get that unless the files are different. Here is that file on my box: openssl.cnf

You shouldn't have to downgrade, just reinstall it again. Delete the new .cnf-opkg file, it may conflict. Try the force reinstall option switch and reinstall: opkg install --force-reinstall

This is what is happening:

root@Shield:/etc/ssl# mv openssl.cnf openssl.cnf__
root@Shield:/etc/ssl# cd /
root@Shield:/# opkg install --force-reinstall  openssl-util_1.0.2g-1_octeon.ipk
No packages removed.
Installing openssl-util (1.0.2g-1) to root...
Configuring openssl-util.
root@Shield:/# openssl
-ash: openssl: not found

it is not the path

root@Shield:/# env
SSH_CLIENT=x.x.x.x 1235 22
USER=root
SHLVL=1
OLDPWD=/etc/ssl
HOME=/root
SSH_TTY=/dev/pts/0
PS1=\u@\h:\w\$
LOGNAME=root
TERM=xterm
PATH=/usr/bin:/usr/sbin:/bin:/sbin
SHELL=/bin/ash
PWD=/
SSH_CONNECTION=x.x.x.y 1235 x.x.x.x 22

What are you getting on this?

opkg info openssl-util

CONTENTS DELETED

I removed the file as you said and ran the following

 opkg install --force-reinstall ./openssl-util_1.0.2g-1_octeon.ipk

No packages removed.
Installing openssl-util (1.0.2g-1) to root...
Collected errors:
 * check_data_file_clashes: Package openssl-util wants to install file /usr/bin/openssl
        But that file is already provided by package  * ohns
 * opkg_install_cmd: Cannot install package openssl-util.

I then ran

opkg info openssl-util
Package: openssl-util
Version: 1.0.2g-1
Depends: libc, libopenssl
Status: install prefer,user not-installed
Architecture: octeon
Conffiles:
 /etc/ssl/openssl.cnf 06baa8f15992bacd3e5b113cd571d828c0


so am i running 1.02g-1 already

roadrunnere42

Roadrunnere42 wrote

I removed the file as you said and ran the following

 opkg install --force-reinstall ./openssl-util_1.0.2g-1_octeon.ipk

No packages removed.
Installing openssl-util (1.0.2g-1) to root...
Collected errors:
 * check_data_file_clashes: Package openssl-util wants to install file /usr/bin/openssl
        But that file is already provided by package  * ohns
 * opkg_install_cmd: Cannot install package openssl-util.

I then ran

opkg info openssl-util
Package: openssl-util
Version: 1.0.2g-1
Depends: libc, libopenssl
Status: install prefer,user not-installed
Architecture: octeon
Conffiles:
 /etc/ssl/openssl.cnf 06baa8f15992bacd3e5b113cd571d828c0


so am i running 1.02g-1 already

roadrunnere42

This is what I got on a 1.51SP1 clean (!) router-mode shield:

root@Shield:/# cat /etc/opkg.conf
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
src/gz chaos_calmer_base http://downloads.openwrt.org/chaos_calmer/15.05-rc3/octeon/generic/packages/base
src/gz chaos_calmer_luci http://downloads.openwrt.org/chaos_calmer/15.05-rc3/octeon/generic/packages/luci
src/gz chaos_calmer_management http://downloads.openwrt.org/chaos_calmer/15.05-rc3/octeon/generic/packages/management
src/gz chaos_calmer_packages http://downloads.openwrt.org/chaos_calmer/15.05-rc3/octeon/generic/packages/packages
src/gz chaos_calmer_routing http://downloads.openwrt.org/chaos_calmer/15.05-rc3/octeon/generic/packages/routing
src/gz chaos_calmer_telephony http://downloads.openwrt.org/chaos_calmer/15.05-rc3/octeon/generic/packages/telephony
# src/gz chaos_calmer_targets http://downloads.openwrt.org/chaos_calmer/15.05-rc3/octeon/generic/packages/targets
#option check_signature 1
arch cn70xx 100
arch octeon 200
arch all 300
root@Shield:/# openssl version
OpenSSL 1.0.2d 9 Jul 2015
root@Shield:/# curl -k https://downloads.openwrt.org/chaos_calmer/15.05/octeon/generic/packages/base/openssl-util_1.0.2g-1_octeon.ipk -o openssl-util_1.0.2g-1_octeon.ipk
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  188k  100  188k    0     0   119k      0  0:00:01  0:00:01 --:--:--  120k
root@Shield:/# ls -al
drwxr-xr-x   17 root     root          4096 Nov 26 03:01 .
drwxr-xr-x   17 root     root          4096 Nov 26 03:01 ..
drwxr-xr-x    2 root     root          4096 Nov 26 03:01 bin
drwxr-xr-x    5 root     root         11280 Nov 26 03:00 dev
drwxrwxr-x   26 root     root          4096 Nov 26 03:01 etc
drwxr-xr-x    3 root     root          4096 Nov 26 03:01 include
-rwxrwxr-x    1 root     root          1647 May  4  2015 init
drwxr-xr-x   12 root     root          4096 Nov 10 05:39 lib
lrwxrwxrwx    1 root     root             3 Nov 26 03:01 lib64 -> lib
drwx------    2 root     root         16384 Nov 26 03:01 lost+found
drwxr-xr-x    2 root     root          4096 May  4  2015 mnt
-rw-r--r--    1 root     root        193192 Nov 26 03:01 openssl-util_1.0.2g-1_octeon.ipk
dr-xr-xr-x   73 root     root             0 Jan  1  1970 proc
drwxrwxr-x    2 root     root          4096 Nov 26 03:01 rom
drwxr-xr-x    2 root     root          4096 May  4  2015 root
drwxr-xr-x    2 root     root          4096 Nov 26 03:01 sbin
dr-xr-xr-x   11 root     root             0 Jan  1  1970 sys
drwxrwxrwt   18 root     root           480 Nov 26 03:01 tmp
drwxr-xr-x    8 root     root          4096 Aug 20 03:18 usr
lrwxrwxrwx    1 root     root             4 Nov 26 03:01 var -> /tmp
drwxrwxr-x    6 root     root          4096 Nov 26 03:01 www
root@Shield:/# opkg install ./openssl-util_1.0.2g-1_octeon.ipk
root@Shield:/# openssl version
OpenSSL 1.0.2d 9 Jul 2015
root@Shield:/# env
SHLVL=2
OLDPWD=/overlay
HOME=/root
PS1=\u@\h:\w\$
TERM=linux
serial#=my_sandbox
PATH=/usr/bin:/usr/sbin:/bin:/sbin
numcores=2
PWD=/
root@Shield:/# env
root@Shield:/# opkg install ./openssl-util_1.0.2g-1_octeon.ipk
Upgrading openssl-util on root from 1.0.2a-0 to 1.0.2g-1...
Configuring openssl-util.
root@Shield:/# openssl version
/bin/ash: openssl: not found
root@Shield:/#  opkg install --force-reinstall ./openssl-util_1.0.2g-1_octeon.ipk
No packages removed.
Installing openssl-util (1.0.2g-1) to root...
Collected errors:
 * check_data_file_clashes: Package openssl-util wants to install file /usr/bin/openssl
        But that file is already provided by package  * o_Velho
 * opkg_install_cmd: Cannot install package openssl-util.
root@Shield:/# openssl version
/bin/ash: openssl: not found

In that case a   --force-overwrite   should do the trick.

OpenSSL has been updated to 1.0.2h due to vulnerabilities in prior versions...

The Chaos Calmer repo has not been updated yet.

You can now get 1.0.2h in the snapshot openwrt repo:

https://downloads.openwrt.org/snapshots/trunk/octeon/generic/packages/base/openssl-util_1.0.2h-1_octeon.ipk

Thanks - installed very quickly and simply for me:

root@Shield:/tmp/ramdisk# opkg install openssl-util_1.0.2h-1_octeon.ipk
Upgrading openssl-util on root from 1.0.2g-1 to 1.0.2h-1...
Configuring openssl-util.

root@Shield:/tmp/ramdisk# opkg info openssl-util
Package: openssl-util
Version: 1.0.2h-1
Depends: libc, libopenssl
Status:  install user installed
Architecture: octeon
Conffiles:      /etc/ssl/openssl.cnf 06baa8f15992bacd3e5b113cd571d828c0
Installed-Time: 1462973213

Hi Wisiwyg

very easy  to upgrade and thanks for the reminder

roadrunnere42