如何确保Ruby使用不受Heartbleed影响的OpenSSL? [英] How can I ensure that Ruby uses an OpenSSL not vulnerable to Heartbleed?

查看：105 发布时间：2020/5/21 2:09:56 ruby openssl heartbleed-bug

本文介绍了如何确保Ruby使用不受Heartbleed影响的OpenSSL?的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

继Heartbleed错误之后，这篇文章在ruby-lang.org上介绍了如何检查漏洞和升级.

Following the Heartbleed bug, this post on ruby-lang.org describes how to check vulnerability and upgrade.

它包含以下建议:

要验证链接到Ruby的OpenSSL库的版本，请使用以下命令:

To verify which version of the OpenSSL library you link to Ruby, use the following:

ruby -v -ropenssl -rfiddle -e 'puts Fiddle::Function.new(Fiddle.dlopen(nil)["SSLeay_version"], [Fiddle::TYPE_INT], Fiddle::TYPE_VOIDP).call(0)'

要验证当前随Ruby安装的OpenSSL版本，请使用以下命令:

To verify the version of OpenSSL currently installed with Ruby, use the following:

ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'

这两项检查之间有什么区别?如果从任何一条命令返回了错误的版本，建议采取什么措施?

What is the difference between these two checks, and what action is recommended if a bad version is returned from either command?

问了一些问题后其他地方，我目前的理解是:

After asking some questions elsewhere, my current understanding is this:

OpenSSL永远不会与Ruby一起编译；简单地告诉Ruby，在编译时会在哪里寻找OpenSSL.
ruby -r rbconfig -e 'puts RbConfig::CONFIG["configure_args"]'应该告诉您Ruby将在哪里寻找各种可执行文件，包括OpenSSL
重要的是该位置的OpenSSL副本是最新的；在那里找到CD，然后使用./openssl version进行查找.
ruby -v -ropenssl -rfiddle -e 'puts Fiddle::Function.new(Fiddle.dlopen(nil)["SSLeay_version"], [Fiddle::TYPE_INT], Fiddle::TYPE_VOIDP).call(0)'应该给出与直接运行openssl version相同的答案，因为它实际上询问了Ruby用于报告其版本号的OpenSSL副本
OpenSSL::OPENSSL_VERSION可能已过期；它报告编译时发现的版本.

OpenSSL is never compiled along with Ruby; Ruby is simply told, at compile time, where to look for OpenSSL.
ruby -r rbconfig -e 'puts RbConfig::CONFIG["configure_args"]' should tell you where Ruby will look for various executables, including OpenSSL
All that matters is that the copy of OpenSSL at that location is up-to-date; cd there and use ./openssl version to find out.
ruby -v -ropenssl -rfiddle -e 'puts Fiddle::Function.new(Fiddle.dlopen(nil)["SSLeay_version"], [Fiddle::TYPE_INT], Fiddle::TYPE_VOIDP).call(0)' should give the same answer as running openssl version directly because it actually asks the copy of OpenSSL that Ruby is using to report its version number
OpenSSL::OPENSSL_VERSION may be out-of-date; it reports the version it found when it was compiled.

这篇关于如何确保Ruby使用不受Heartbleed影响的OpenSSL?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！

查看全文