如何确保 Ruby 使用不受 Heartbleed 影响的 OpenSSL? [英] How can I ensure that Ruby uses an OpenSSL not vulnerable to Heartbleed?

查看：20 发布时间：2022/1/7 18:58:44 ruby openssl heartbleed-bug

本文介绍了如何确保 Ruby 使用不受 Heartbleed 影响的 OpenSSL?的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

在 Heartbleed 漏洞之后，这篇文章ruby-lang.org 上的描述了如何检查漏洞和升级.

Following the Heartbleed bug, this post on ruby-lang.org describes how to check vulnerability and upgrade.

它包括以下建议:

要验证您链接到 Ruby 的 OpenSSL 库的版本，请使用以下命令:

To verify which version of the OpenSSL library you link to Ruby, use the following:

ruby -v -ropenssl -rfiddle -e 'puts Fiddle::Function.new(Fiddle.dlopen(nil)["SSLeay_version"], [Fiddle::TYPE_INT], Fiddle::TYPE_VOIDP).call(0)'

要验证当前随 Ruby 一起安装的 OpenSSL 版本，请使用以下命令:

To verify the version of OpenSSL currently installed with Ruby, use the following:

ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'

<小时>

这两种检查有什么区别，如果从任一命令返回错误版本，建议采取什么措施?

What is the difference between these two checks, and what action is recommended if a bad version is returned from either command?

在询问一些问题后其他地方，我目前的理解是这样的:

After asking some questions elsewhere, my current understanding is this:

OpenSSL 永远不会与 Ruby 一起编译；Ruby 会在编译时被简单地告知在何处查找 OpenSSL.
ruby -r rbconfig -e 'puts RbConfig::CONFIG["configure_args"]' 应该告诉你 Ruby 将在哪里寻找各种可执行文件，包括 OpenSSL
重要的是该位置的 OpenSSL 副本是最新的；cd 那里并使用 ./openssl version 找出.
ruby -v -ropenssl -rfiddle -e 'puts Fiddle::Function.new(Fiddle.dlopen(nil)["SSLeay_version"], [Fiddle::TYPE_INT], Fiddle::TYPE_VOIDP).call(0)' 应该给出与直接运行 openssl version 相同的答案，因为它实际上要求 Ruby 使用的 OpenSSL 副本报告其版本号
OpenSSL::OPENSSL_VERSION 可能已过时；它报告编译时找到的版本.

OpenSSL is never compiled along with Ruby; Ruby is simply told, at compile time, where to look for OpenSSL.
ruby -r rbconfig -e 'puts RbConfig::CONFIG["configure_args"]' should tell you where Ruby will look for various executables, including OpenSSL
All that matters is that the copy of OpenSSL at that location is up-to-date; cd there and use ./openssl version to find out.
ruby -v -ropenssl -rfiddle -e 'puts Fiddle::Function.new(Fiddle.dlopen(nil)["SSLeay_version"], [Fiddle::TYPE_INT], Fiddle::TYPE_VOIDP).call(0)' should give the same answer as running openssl version directly because it actually asks the copy of OpenSSL that Ruby is using to report its version number
OpenSSL::OPENSSL_VERSION may be out-of-date; it reports the version it found when it was compiled.

这篇关于如何确保 Ruby 使用不受 Heartbleed 影响的 OpenSSL?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！

查看全文