

How to reliably and portably check the OpenSSL version? - tsudot
http://serverfault.com/questions/587324/heartbleed-how-to-reliably-and-portably-check-the-openssl-version

======
yesimahuman
The way to do this on Ubuntu is to run

    $ sudo apt-cache policy libssl1.0.0

You want to see version 1.0.1-4ubuntu5.12 which is the correct, patched
version. Just updated two of my servers.

~~~
saurik
It depends on the version of Ubuntu (you seem to be using precise, 12.04); for
me (on saucy, 13.10), it is 1.0.1e-3ubuntu1.2. You can check the changelog
entry for your version here to verify that it has the heartbeat fix.

[https://launchpad.net/ubuntu/+source/openssl/+changelog](https://launchpad.net/ubuntu/+source/openssl/+changelog)

------
stormbrew
Can't reply on SE due to lack of karma there, but I think the reason this is
different on Ubuntu LTS is that what's on 12.04 is not technically 1.0.1g, but
1.0.1 with (all?) changes backported to 1.0.1 by the Ubuntu security team for
the LTS release. On my 14.04-beta install it says 1.0.1f before, and still
1.0.1f after upgrading in similar fashion.

Basically 1.0.1-4ubuntu-5.12 is the version you want on Ubuntu 12.04 (or
1.0.1-1ubuntu2 for 14.04), but openssl version doesn't report that.

~~~
ssafejava
What's the rationale for doing this, rather than simply using the package from
upstream?

~~~
jlgaddis
Because they aren't actually releasing a package for 1.0.1g.

Remember that the idea for the LTS releases is that as little as possible is
changed ("stable") over a period of several years ("long term"). Upgrading to
new versions of packages with new bugs^Wfeatures has the very real possibility
of "breaking" stable environments.

Instead of doing that, they simply incorporate the patch/fix into the version
of the software that the release shipped with. They can't, then, call it
1.0.1g because, well, it's not -- it is, for example, 1.0.1c with this patch
applied.

It's for that reason that you can't trust the version numbers on the packages
themselves.

(Several years ago, I would get really pissed off at Nessus because it
generated false positives by simply looking at the version numbers of installed
packages. These were scans of RHEL boxes as part of PCI and it caused a lot of
extra work. I've no idea if Nessus still does that or not but I'm sure other,
similar software does the same thing.)
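
The point made by stormbrew and jlgaddis above is that `openssl version` prints the upstream string (1.0.1f) while the backported fix lives in the distro package revision, so the only reliable check is to compare the installed package version with the advisory's fixed version under dpkg's ordering rules. What follows is an added example, not code from the thread: a pure-Python port of dpkg's version comparison; `compare_versions`, `is_fixed` and `installed_version` are my names, and `installed_version` assumes a Debian-based host with `dpkg-query`.

```python
# Added example (not from the thread): pure-Python port of dpkg's version ordering.
import subprocess

def _order(c):
    # weight of a non-digit char: '~' < end of string < letters (ASCII) < punctuation
    if c in ("", "~"):
        return -1 if c == "~" else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg's verrevcmp(): alternate non-digit runs and numeric runs.
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[:1]) if not a[:1].isdigit() else 0
            bc = _order(b[:1]) if not b[:1].isdigit() else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # leading zeros are insignificant
        first_diff = 0
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():  # the longer number is the larger one
            return 1
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version):
    # "[epoch:]upstream[-revision]" -> (epoch, upstream, revision)
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """<0, 0 or >0, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def is_fixed(installed, fixed):  # at or above the advisory's fixed version?
    return compare_versions(installed, fixed) >= 0

def installed_version(package):
    """Version as dpkg records it for an installed package (Debian-based hosts only)."""
    return subprocess.check_output(["dpkg-query", "-W", "-f=${Version}", package], text=True).strip()
```

On a 12.04 host, `is_fixed(installed_version("libssl1.0.0"), "1.0.1-4ubuntu5.12")` answers the thread's question; the fixed version for each release has to come from the distro's advisory or changelog, as saurik's Launchpad link shows.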

------
__alexs
You can't even reliably use the version number defined in openssl.h because
RedHat decided that they will never change it ever again during RHEL 5. They
just endlessly patch some ancient version of 0.9.8. Fortunately 0.9.8 isn't
affected by this bug.

------
agnokapathetic
A quick way to check if a server supports the heartbeat extension (won't tell
you if it's patched or not):

    echo | openssl s_client -tlsextdebug -connect host:443 | grep heartbeat
    TLS server extension "heartbeat" (id=15), len=1

