Users of Bitcoin Core on Linux must not upgrade to the latest version of OpenSSL

[Luke-Jr]

Sorry, but what is the actually BC version atm?

0.9.4 is current stable.
0.10.0rc3 is release candidate.

[OnkelPaul]

Today Ubuntu 14.10 had the new bitcoin-qt and bitcoind binaries. Kudos to the package maintainers!
Now bitcoin-qt reindexes the blocks, it's taking forever 
I'm all for using a less volatile EC library (and static linking) to avoid this in the future...

Onkel Paul

[uki]

Today Ubuntu 14.10 had the new bitcoin-qt and bitcoind binaries. Kudos to the package maintainers!
Now bitcoin-qt reindexes the blocks, it's taking forever 
I'm all for using a less volatile EC library (and static linking) to avoid this in the future...

Onkel Paul

Ubuntu 14.04 myself, after the latest repository update of openssl 1.0.1f problems started.
I am reindexing right now, for the last 12+ hours (stacked somewhere in August 2014 with about 30k blocks to go).
Do you know if there is any way to speed it up?

[OnkelPaul]

I am reindexing right now, for the last 12+ hours (stacked somewhere in August 2014 with about 30k blocks to go).
Do you know if there is any way to speed it up?

Nope, I guess indexing the blocks just takes its time since it covers all transactions, and there are a lot of transactions by now...
Mine is in May 2014, 33 weeks to go.

Onkel Paul

[cypherdoc]

so i have openssl 1.0.1f but everything seems up to date with the blockchain w/o any obvious problems.  any need to reindex?

[Luke-Jr]

so i have openssl 1.0.1f but everything seems up to date with the blockchain w/o any obvious problems.  any need to reindex?

If you have 0.9.4 or 0.10.0rc3, and your blockchain isn't stuck already, you don't need to reindex.
If you're not on the latest versions, then if your blockchain isn't stuck, it will be eventually.

[codyswanson4]

Damn...Saw this a little too late...oh well...I'm on the school's internet 

[cypherdoc]

so i have openssl 1.0.1f but everything seems up to date with the blockchain w/o any obvious problems.  any need to reindex?

If you have 0.9.4 or 0.10.0rc3, and your blockchain isn't stuck already, you don't need to reindex.
If you're not on the latest versions, then if your blockchain isn't stuck, it will be eventually.

so i just upgraded from 0.9.3 to 0.9.4 but left openssl at 1.0.1f.  blockchain is not stuck at this pt.  ok?

[davidpbrown]

For Linux users not on Ubuntu could we get https://bitcoin.org/en/download updated with the .tgz and/or some suggestion of which repository can be trusted.. and perhaps have the News alert on this site updated with a pointer to downloads, as that was always useful.

[milly6]

Kind of makes me glad I haven't bothered upgrading openssl in some time.

If you havent upgraded in some time you are likely vulnerable to heartbleed.

[rgenito]

I thought OpenSSL has always been a joke...right?

[fenghush]

I thought OpenSSL has always been a joke...right?

A joke on which a lot of the internet relies on.

[Cryddit]

The problem is that we are using the current version of SSL (whatever's on the system/linked) to check the validity of blocks that were accepted with past versions of SSL.  

This is why the makefile for bitcoind specified static linking in the first place.

I am ... upset.  We should be using current versions of SSL for communications, because SSL gets valuable security upgrades.  But we should be using it for protocol only, because checking past blocks with a version that was not the version which governed their acceptance  risks exactly this sort of divergence.  Our need for SSL as a communications protocol does not affect the validity of data already transmitted.  

SSL will continue to change, and those changes cannot be allowed to affect data already transmitted and received, nor our software's opinion about whether that already-accepted data is valid.  Neither our stored blockchain data nor our ability to check our stored data should have anything to do with it.

Our need for cryptographic functions once a block is accepted are different, and absolutely NOT subject to revision.  That is, whatever's required to CHECK blockchain validity absolutely must not be something that can be altered by any change in a system library.  

I presume that SSL will continue to "tighten" its spec - that is, whatever is acceptable to future versions will also be acceptable to past versions. Therefore using routines from a three-year-old version of SSL to check data transmitted and received using the current version of SSL ought never fail, and using the current version for communications should get us the benefit of security fixes.  Updated routines can be compiled into the client NO SOONER THAN they are known to work with the entire current blockchain.


Cryddit

[Blazr]

I'm using 1.0.1h.

Is this version OK?
It's still finishing up syncing and hasn't stuck yet.

[ShadowOfHarbringer]

New versions of OpenSSL such as 1.0.0Q and 1.0.0L came out.

Are they affected by the bug ?

[Luke-Jr]

New versions of OpenSSL such as 1.0.0Q and 1.0.0L came out.

Are they affected by the bug ?

All new versions of OpenSSL for the foreseeable future will be affected.
They don't see it as a bug, as they never guaranteed consensus compatibility.

[ShadowOfHarbringer]

New versions of OpenSSL such as 1.0.0Q and 1.0.0L came out.

Are they affected by the bug ?

All new versions of OpenSSL for the foreseeable future will be affected.
They don't see it as a bug, as they never guaranteed consensus compatibility.

Oh, that is just beautiful.

[Luke-Jr]

New versions of OpenSSL such as 1.0.0Q and 1.0.0L came out.

Are they affected by the bug ?

All new versions of OpenSSL for the foreseeable future will be affected.
They don't see it as a bug, as they never guaranteed consensus compatibility.

Oh, that is just beautiful.

We're working on a 0.9.5 (and 0.10 of course) that will softfork to make us independent of OpenSSL so this can never happen again.
See sipa's proposal at http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg06744.html

[ShadowOfHarbringer]

New versions of OpenSSL such as 1.0.0Q and 1.0.0L came out.

Are they affected by the bug ?

All new versions of OpenSSL for the foreseeable future will be affected.
They don't see it as a bug, as they never guaranteed consensus compatibility.

Oh, that is just beautiful.

We're working on a 0.9.5 (and 0.10 of course) that will softfork to make us independent of OpenSSL so this can never happen again.
See sipa's proposal at http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg06744.html

Yeah, I already know about this. Good work, guys. (Yes - you too, Luke - even though i really hate your Gentoo patches).

[dexX7]

ubuntu 14.04

http://ppa.launchpad.net/bitcoin/bitcoin/ubuntu trusty main

affected?

same OS, my version is:

Code:

OpenSSL 1.0.1f 6 Jan 2014

I understand that this version is fine and I only don't need to upgrade to version 1.0.1k, but wait for the following one.
Did I understand that correctly?

well, apparently not.
Version 1.0.1f (6 Jan 2014) seems to be affected, too.
Running reindexing now.

I can confirm that Version 1.0.1f (6 Jan 2014) caused 4 test failures here as well.