如何确保 Ruby 使用不受 Heartbleed 影响的 OpenSSL? [英] How can I ensure that Ruby uses an OpenSSL not vulnerable to Heartbleed?
问题描述
在 Heartbleed 漏洞之后,这篇文章ruby-lang.org 上的 描述了如何检查漏洞和升级.
Following the Heartbleed bug, this post on ruby-lang.org describes how to check vulnerability and upgrade.
它包括以下建议:
要验证您链接到 Ruby 的 OpenSSL 库的版本,请使用以下命令:
To verify which version of the OpenSSL library you link to Ruby, use the following:
ruby -v -ropenssl -rfiddle -e 'puts Fiddle::Function.new(Fiddle.dlopen(nil)["SSLeay_version"], [Fiddle::TYPE_INT], Fiddle::TYPE_VOIDP).call(0)'
要验证当前随 Ruby 一起安装的 OpenSSL 版本,请使用以下命令:
To verify the version of OpenSSL currently installed with Ruby, use the following:
ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'
<小时>
这两种检查有什么区别,如果从任一命令返回错误版本,建议采取什么措施?
What is the difference between these two checks, and what action is recommended if a bad version is returned from either command?
推荐答案
在询问一些问题后 其他地方,我目前的理解是这样的:
After asking some questions elsewhere, my current understanding is this:
- OpenSSL 永远不会与 Ruby 一起编译;Ruby 会在编译时被简单地告知在何处查找 OpenSSL.
ruby -r rbconfig -e 'puts RbConfig::CONFIG["configure_args"]'
应该告诉你 Ruby 将在哪里寻找各种可执行文件,包括 OpenSSL- 重要的是该位置的 OpenSSL 副本是最新的;cd 那里并使用
./openssl version
找出. ruby -v -ropenssl -rfiddle -e 'puts Fiddle::Function.new(Fiddle.dlopen(nil)["SSLeay_version"], [Fiddle::TYPE_INT], Fiddle::TYPE_VOIDP).call(0)'
应该给出与直接运行openssl version
相同的答案,因为它实际上要求 Ruby 使用的 OpenSSL 副本报告其版本号OpenSSL::OPENSSL_VERSION
可能已过时;它报告编译时找到的版本.
- OpenSSL is never compiled along with Ruby; Ruby is simply told, at compile time, where to look for OpenSSL.
ruby -r rbconfig -e 'puts RbConfig::CONFIG["configure_args"]'
should tell you where Ruby will look for various executables, including OpenSSL- All that matters is that the copy of OpenSSL at that location is up-to-date; cd there and use
./openssl version
to find out. ruby -v -ropenssl -rfiddle -e 'puts Fiddle::Function.new(Fiddle.dlopen(nil)["SSLeay_version"], [Fiddle::TYPE_INT], Fiddle::TYPE_VOIDP).call(0)'
should give the same answer as runningopenssl version
directly because it actually asks the copy of OpenSSL that Ruby is using to report its version numberOpenSSL::OPENSSL_VERSION
may be out-of-date; it reports the version it found when it was compiled.
这篇关于如何确保 Ruby 使用不受 Heartbleed 影响的 OpenSSL?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!