John's Blog: SSL Vulnerabilities

April 9, 2014

From time to time, security reports come out that shed light on vulnerabilities in OpenSSL or other parts of the system. It's natural to ask how these issues might impact a Rumpus server.

My first piece of advice is to keep these reports in perspective. Most security flaws reported are highly technical, often theoretical, and difficult to actually implement in the real world. This isn't to say that general security reports should be dismissed, but they do tend to overshadow more practical security issues. For example, the use of trivial passwords, sharing of passwords among users, improperly configured services, etc. are much more widespread problems that deserve the attention of every Internet server administrator.

With that said, assuming you maintain good security practices and your server requires a high level of security, general SSL and system vulnerabilities are a very real concern.

Rumpus for Mac

Rumpus, of course, runs on top of OS X, which itself is built on a variation of Unix called Darwin. OS X includes a build of OpenSSL, which Rumpus uses to provide all SSL services (HTTPS, FTPS and SSL-encrypted WebDAV). A vulnerability reported in OpenSSL or any other component of OS X may potentially affect your server.

OpenSSL is not built into Rumpus. Rumpus uses the OpenSSL build installed with OS X on your server. The version of OpenSSL in use on your server will therefore depend on the version of OS X. To check, open Terminal and enter:

    openssl version

Note that while OpenSSL is included as part of OS X, it can be individually updated or replaced. If you like, you can download the latest version of OpenSSL, compile it, and install it on your server. Rumpus will then use that build. This means that if there is a security issue in OpenSSL, you are free to follow the described procedures to correct the problem and update to any version of OpenSSL of your choosing.

The Heartbleed Bug

A note about one specific report, the "Heartbleed Bug". This bug affects OpenSSL 1.0.1 through 1.0.1f only. OpenSSL 0.9.8 (any version) is specifically not affected. Mac OS X 10.6 through 10.9 all include, by default, some variation of OpenSSL 0.9.8. So, unless you have replaced OpenSSL in your system, your Rumpus server is not affected by this particular security flaw. However, please be sure to check your OpenSSL version, in case it has been updated (either intentionally or by the installation of some other software) to an affected version.
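As an added example (not code from the original post or from Rumpus), here is a small POSIX shell function that takes the output of "openssl version" and classifies it against the range described above: 1.0.1 through 1.0.1f affected, 1.0.1g or later fixed, anything else (such as the 0.9.8 builds shipped with OS X) outside the affected range. The sample version strings in the comments are constructed.

```shell
#!/bin/sh
# Classify an `openssl version` string against the Heartbleed range
# described in the post: OpenSSL 1.0.1 through 1.0.1f are affected,
# 1.0.1g carries the fix, and other branches (e.g. 0.9.8) are not affected.

heartbleed_status() {
    # $1 is the full line printed by `openssl version`,
    # e.g. "OpenSSL 1.0.1e 11 Feb 2013" (constructed sample).
    set -- $1                      # word-split into: name, version, date...
    [ "$1" = "OpenSSL" ] || { echo not-openssl; return; }
    case "$2" in
        1.0.1|1.0.1[a-f]*) echo affected ;;      # 1.0.1 .. 1.0.1f
        1.0.1[g-z]*)       echo fixed ;;         # 1.0.1g and later 1.0.1 letters
        *)                 echo not-affected ;;  # 0.9.8, 1.0.0, other branches
    esac
}

# Check the OpenSSL build on this machine's PATH, the same one the
# Terminal command in the post reports.
check_installed() {
    if command -v openssl >/dev/null 2>&1; then
        v=$(openssl version)
        printf '%s -> %s\n' "$v" "$(heartbleed_status "$v")"
    else
        echo "openssl not found on PATH"
    fi
}

check_installed
```

Because the check reads whatever "openssl" is first on the PATH, run it as the same user and shell environment that launched Rumpus if another OpenSSL has been installed alongside the system one.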

Rumpus for Windows

Rumpus for Windows does include OpenSSL as part of its distribution. OpenSSL is a separate component (stored in C:\Rumpus\ApplicationFiles\), but it is installed by the Rumpus installer. Rumpus 7.2.20 and earlier included OpenSSL 1.0.1e, which is affected by the Heartbleed bug. In Rumpus 7.2.21, we have updated the OpenSSL distribution to 1.0.1g, which includes the necessary fix for the bug. If you are running Rumpus 7.2.20 or before, updating to version 7.2.21 or later is strongly recommended, and completely remedies the Heartbleed problem.

© Copyright 2017, Maxum Development Corp.