
I have the following check in Serverspec tests:

openssl_latest_version = 'OpenSSL 1.0.2h  3 May 2016'

describe command('openssl version') do
  # RSpec's `match` compiles a String argument into a Regexp, so the dots in
  # the version string match any character here; `include` or Regexp.escape
  # would make the comparison literal.
  its(:stdout) { should match openssl_latest_version }
end

Is there a way to automatically fetch the string that the latest officially released OpenSSL returns on executing openssl version? I.e. automatically set openssl_latest_version based on, for example, some curl call.

My intention is that the test should fail if the installed version is later than the one currently published by OpenSSL as latest at the moment of running the test, but without a human updating the parameters.

I do not want to check it against a version available in package manager for any specific OS version, I do not want to install latest version, I simply want the test to fail when the running version is different than the one announced as recent.

techraf
    Because of its criticality, all distros I've seen do not use trunk openssl and so for practical purposes your test can simply be **'always fail'**. However, be sure you report only that 'version string is older', not that it is insecure, because usually it is backpatched and is secure -- though not always. – dave_thompson_085 Jun 18 '16 at 13:15
  • There is nothing in my question about "distros". It is completely irrelevant how the servers are provisioned, assume a contractor does it. The requirement is given the test must fail if **executed** `openssl version` gives **different** version number than latest version published by OpenSSL maintainers. This is a simple question how to and (maybe more importantly) where from reliably get this version number. This question is not about the consequences and meaning of a failed/passed test. – techraf Jun 18 '16 at 14:05

2 Answers


Here's a terrible little shell script that can do that:

$ lynx -dump https://www.openssl.org/source/ |
grep -- 'https://www.openssl.org/source/openssl-.*.tar.gz$' |
awk '{print $2}' |
sort -r |
grep -v -- '-fips-' |
grep -v -- '-pre' |
head -n1 |
sed -n -- 's_^https://www.openssl.org/source/openssl-\(.*\).tar.gz$_\1_p'

And the output, as of just now, is:

1.0.2h
StackzOfZtuff
  • I'd do the match & trim first, then you don't need the rather fragile `$2`, and with awk it can easily do the exclusions at the same time. To be pedantic, this returns **highest not latest**; e.g. if 1.1.0 comes out soon, it is quite conceivable they might thereafter patch 1.0.2i without needing 1.1.0a. Given the Q, I'm not sure which should be considered right. – dave_thompson_085 Jun 18 '16 at 13:20
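Building on the lynx pipeline in this answer and on dave_thompson_085's highest-versus-latest point, here is an added Ruby example (not code from the question or from either answer) that does the same selection in the language Serverspec tests are written in. It pulls the release tarball names out of the source-listing HTML, ranks them with a real version key rather than a lexical sort (a plain `sort -r` puts 3.0.9 above 3.0.10), skips the `-fips-` and `-pre` names, and reports both the highest release overall and the latest release on the installed build's own branch, so a host running a backported 1.0.2 package can be judged against 1.0.2i rather than 1.1.0. The function names, the `compare` hash and the `SAMPLE_LISTING` HTML are my own constructions; the branch rule in `branch_of` is an assumption spelled out in its comment, and only `fetch_listing` touches the network.

```ruby
# Added example, not code from the original question or answers: pick the
# current OpenSSL release out of the https://www.openssl.org/source/ tarball
# listing and compare it with the output of `openssl version`.
require 'net/http'
require 'uri'

# Release tarballs look like openssl-<x.y.z[letters]>.tar.gz. The pattern skips
# openssl-fips-*, -pre/-alpha/-beta builds and the .sha256/.asc companions.
RELEASE_RE = /openssl-(\d+\.\d+\.\d+[a-z]*)\.tar\.gz(?![.\w])/

# Sortable key: "1.0.2h" -> [1, 0, 2, 1, "h"], "3.0.12" -> [3, 0, 12, 0, ""].
# Letter suffixes are ordered by length, then value: 1.0.2za > 1.0.2u > 1.0.2.
def version_key(version)
  m = version.match(/\A(\d+)\.(\d+)\.(\d+)([a-z]*)\z/)
  raise ArgumentError, "not an OpenSSL release version: #{version}" unless m
  [m[1].to_i, m[2].to_i, m[3].to_i, m[4].length, m[4]]
end

def release_versions(listing_html)
  listing_html.scan(RELEASE_RE).flatten.uniq
end

# "Highest" in the sense of the lynx/sort pipeline: the largest version listed.
def highest_release(versions)
  versions.max_by { |v| version_key(v) }
end

# Branch a release belongs to. Assumption made here: before 3.0 the trailing
# letter is the patch level (1.0.2h is a 1.0.2 patch); from 3.0 on the third
# number is the patch level (3.0.12 is a 3.0 patch).
def branch_of(version)
  major, minor, patch = version_key(version)
  major >= 3 ? "#{major}.#{minor}" : "#{major}.#{minor}.#{patch}"
end

# Most recent release on the same branch as the installed build, which is what
# a backported distro package tracks (1.0.2i, not 1.1.0, for a 1.0.2h host).
def latest_on_branch(versions, installed)
  highest_release(versions.select { |v| branch_of(v) == branch_of(installed) })
end

# "OpenSSL 1.0.2k-fips  26 Jan 2017" -> "1.0.2k"
def installed_version(openssl_version_output)
  m = openssl_version_output.match(/\AOpenSSL (\d+\.\d+\.\d+[a-z]*)/)
  raise ArgumentError, "unexpected output: #{openssl_version_output}" unless m
  m[1]
end

# Everything a Serverspec expectation needs, in one hash. Raises instead of
# comparing against nil when the page layout changes and nothing is parsed.
def compare(openssl_version_output, listing_html)
  installed = installed_version(openssl_version_output)
  releases  = release_versions(listing_html)
  raise 'no release tarballs found in listing' if releases.empty?
  highest   = highest_release(releases)
  on_branch = latest_on_branch(releases, installed)
  { installed: installed, highest: highest, latest_on_branch: on_branch,
    current_overall: installed == highest, current_on_branch: installed == on_branch }
end

# Live fetch; the only function that touches the network (not called below).
def fetch_listing(url = 'https://www.openssl.org/source/')
  Net::HTTP.get(URI(url))
end

# Constructed stand-in for the listing page, as it might look once 1.1.0 ships.
SAMPLE_LISTING = <<~HTML
  <a href="openssl-1.1.0.tar.gz">openssl-1.1.0.tar.gz</a>
  <a href="openssl-1.1.0.tar.gz.sha256">(SHA256)</a>
  <a href="openssl-1.0.2i.tar.gz">openssl-1.0.2i.tar.gz</a>
  <a href="openssl-1.0.2h.tar.gz">openssl-1.0.2h.tar.gz</a>
  <a href="openssl-1.0.1u.tar.gz">openssl-1.0.1u.tar.gz</a>
  <a href="openssl-1.1.1-pre1.tar.gz">openssl-1.1.1-pre1.tar.gz</a>
  <a href="openssl-fips-2.0.13.tar.gz">openssl-fips-2.0.13.tar.gz</a>
HTML

if $PROGRAM_NAME == __FILE__
  puts compare('OpenSSL 1.0.2h  3 May 2016', SAMPLE_LISTING).inspect
end
```

In the Serverspec test, `openssl_latest_version` would become `highest_release(release_versions(fetch_listing))`, or `latest_on_branch(...)` if a fully patched distro build on an older branch should still pass, and the expectation is best written against `installed_version(stdout)` rather than the full date-bearing string. The parsing still depends on the layout of the listing page, which is why `compare` raises when it finds no release tarballs at all instead of quietly failing the comparison.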

You're jumping a few links in the chain. You need to check the latest version available in your package manager depending on the OS you're running. If you manage your own packages (For example SpaceWalk for RedHat derivatives), then that adds a few links to your chain because you'll also be managing the packages that are available upstream, so you could look to that as the source of truth.

If you're jumping completely outside of supported versions of openssl for your distro and going straight to the openssl project's latest and greatest, WELL OKAY THEN PARTNER, LET'S WRECK THIS PLACE LIKE IT AIN'T NO THANG! ᕕ( ᐛ )ᕗ

You'll want to use openssl's github repo, clone and check the version, then compile and install. Snarling up dependencies has never been so easy or secure!

Wesley
  • I don't quite understand your answer. I wrote clearly I want to compare the installed version number with the one announced as latest by OpenSSL. I don't want to check it against package manager. I don't want to compile or use dev version. I want the test to fail, when currently installed version is different than the one announced as latest. That's my intention. – techraf Jun 18 '16 at 07:11
  • @techraf And lucky you, I answered exactly your question, and then some! – Wesley Jun 18 '16 at 11:46