How can I ensure that Ruby uses an OpenSSL not vulnerable to Heartbleed?
Question
Following the Heartbleed bug, this post on ruby-lang.org describes how to check vulnerability and upgrade.
It includes the following advice:
To verify which version of the OpenSSL library you link to Ruby, use the following:
ruby -v -ropenssl -rfiddle -e 'puts Fiddle::Function.new(Fiddle.dlopen(nil)["SSLeay_version"], [Fiddle::TYPE_INT], Fiddle::TYPE_VOIDP).call(0)'
To verify the version of OpenSSL currently installed with Ruby, use the following:
ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'
What is the difference between these two checks, and what action is recommended if a bad version is returned from either command?
Recommended answer
After asking some questions elsewhere, my current understanding is this:
- OpenSSL is never compiled along with Ruby; Ruby is simply told, at compile time, where to look for OpenSSL.
- ruby -r rbconfig -e 'puts RbConfig::CONFIG["configure_args"]'
  should tell you where Ruby will look for various executables, including OpenSSL.
- All that matters is that the copy of OpenSSL at that location is up-to-date; cd there and use
  ./openssl version
  to find out.
- ruby -v -ropenssl -rfiddle -e 'puts Fiddle::Function.new(Fiddle.dlopen(nil)["SSLeay_version"], [Fiddle::TYPE_INT], Fiddle::TYPE_VOIDP).call(0)'
  should give the same answer as running
  openssl version
  directly because it actually asks the copy of OpenSSL that Ruby is using to report its version number.
- OpenSSL::OPENSSL_VERSION
  may be out-of-date; it reports the version it found when it was compiled.
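
An added example (not part of the original answer or the ruby-lang.org post): a Ruby check that compares the build-time constant with the version reported by the library actually loaded, and classifies the loaded one. It assumes an openssl extension that defines OpenSSL::OPENSSL_LIBRARY_VERSION; the affected range (1.0.1 through 1.0.1f, and 1.0.2-beta1) comes from the OpenSSL project's advisory rather than from this page, and the helper names are hypothetical.

```ruby
require "openssl"

# Matches strings such as "OpenSSL 1.0.1e 11 Feb 2013" or
# "OpenSSL 1.0.2-beta1 24 Feb 2014": base version, patch letter, beta tag.
VERSION_RE = /\AOpenSSL (\d+\.\d+\.\d+)([a-z]*)(?:-(beta\d+))?/

# true/false for a parsable OpenSSL version string, nil when the string is
# not in OpenSSL's format (for example LibreSSL, which is not covered here).
# Assumed affected range: 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
def heartbleed_version?(version_string)
  m = VERSION_RE.match(version_string)
  return nil unless m

  base, letter, beta = m[1], m[2], m[3]
  return letter.match?(/\A[a-f]?\z/) if base == "1.0.1"
  return beta == "beta1" if base == "1.0.2"

  false
end

# build:   version the extension was compiled against (may be stale).
# runtime: version reported by the library loaded into this process, the
#          same question the Fiddle one-liner asks via SSLeay_version.
def audit_openssl(build: OpenSSL::OPENSSL_VERSION,
                  runtime: OpenSSL::OPENSSL_LIBRARY_VERSION)
  {
    build: build,
    runtime: runtime,
    # A mismatch means the library changed after Ruby was built, so the
    # build-time constant no longer describes the code handling TLS.
    stale_build_constant: build != runtime,
    # Only the runtime string decides exposure.
    runtime_affected: heartbleed_version?(runtime)
  }
end

if __FILE__ == $PROGRAM_NAME
  report = audit_openssl
  puts "built against : #{report[:build]}"
  puts "running with  : #{report[:runtime]}"
  puts "build constant stale: #{report[:stale_build_constant]}"
  puts "runtime in affected range: #{report[:runtime_affected].inspect}"
end
```

A distribution package can carry the fix while keeping an older version string, so treat a positive result as a prompt to check the package changelog rather than as proof of exposure.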