Are you an OpenBSD 5.9 user? Are you using Let's Encrypt free SSL certificates?
Guess what? After my latest certificate renewal, my server started getting this error:
This server is vulnerable to the OpenSSL Padding Oracle
vulnerability (CVE-2016-2107) and insecure. Grade set to F.
After some research, I went to the #openbsd channel on irc.freenode.net and found some nice people there who helped me solve it, so I'd like to share some of the lessons I learned.
This problem is caused by a missing security patch.
OK, on Ubuntu upgrading your system is easy: apt-get update, then apt-get upgrade, and that's it, right?
In OpenBSD you can follow the security patches at this url:
http://www.openbsd.org/errata59.html
You can apply the patch by applying the source diff directly to the affected source tree; in this case that is LibreSSL.
Since I don't have the source code of all my installed packages, I'm going to show you how to apply binary patches (binpatches) using M:Tier.
https://stable.mtier.org/
The instructions on that website are as follows:
1) Download M:Tier public key:
doas -s
cd /etc/signify
ftp https://stable.mtier.org/mtier-59-pkg.pub
2) Update your PKG_PATH:
PKG_PATH=https://stable.mtier.org/updates/$(uname -r)/$(arch -s):${PKG_PATH}
export PKG_PATH
Then let's apply the patches. In my case I applied the security patch for crypto:
pkg_add binpatch59-amd64-crypto
3) You can also upgrade all packages in your system using:
pkg_add -u
If you want to apply the security patch for sshd, just replace the last word of the command with the component you want to patch:
pkg_add binpatch59-amd64-sshd
I should mention that in my case the architecture is amd64, but yours could be different, so keep an eye on it.
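The three steps above wrapped into one reusable script, as an added example that is not part of the original post or of M:Tier's own tooling. It assumes an OpenBSD host with doas, ftp, sha256 and pkg_add available, builds the key URL, PKG_PATH entry and binpatch package names from the release and architecture instead of hard-coding them, fetches the M:Tier key only if it is not already in /etc/signify, and prints the key's SHA-256 so you can compare it against a copy obtained out of band before trusting packages signed with it. The function names (release_tag, mtier_key_url, mtier_pkg_path, binpatch_pkg, prepend_pkg_path, install_mtier_key, apply_binpatches) are mine.

```shell
#!/bin/sh
# Added example: M:Tier binpatch procedure as shell functions.
# Assumes OpenBSD with doas, ftp, sha256 and pkg_add (hypothetical helper
# names; not M:Tier's own script).
set -eu

MTIER_BASE="https://stable.mtier.org"

# Release "5.9" -> "59", the form used in the key file and package names.
release_tag() {
    printf '%s' "$1" | tr -d '.'
}

# URL of the M:Tier public key for a release, e.g. 5.9.
mtier_key_url() {
    printf '%s/mtier-%s-pkg.pub' "$MTIER_BASE" "$(release_tag "$1")"
}

# PKG_PATH entry for a release and architecture.
mtier_pkg_path() {
    printf '%s/updates/%s/%s' "$MTIER_BASE" "$1" "$2"
}

# Binpatch package name: binpatch<release>-<arch>-<component>.
binpatch_pkg() {
    printf 'binpatch%s-%s-%s' "$(release_tag "$1")" "$2" "$3"
}

# Put a new entry in front of an existing PKG_PATH without leaving a
# dangling ':' when PKG_PATH was empty.
prepend_pkg_path() {
    if [ -n "$2" ]; then
        printf '%s:%s' "$1" "$2"
    else
        printf '%s' "$1"
    fi
}

# Fetch the key into /etc/signify only if it is missing, then print its
# SHA-256 for comparison with a copy obtained out of band.
install_mtier_key() {
    rel="$1"
    keyfile="/etc/signify/mtier-$(release_tag "$rel")-pkg.pub"
    if [ ! -f "$keyfile" ]; then
        doas ftp -o "$keyfile" "$(mtier_key_url "$rel")"
    fi
    sha256 "$keyfile"
}

# Apply one or more binpatches: apply_binpatches 5.9 amd64 crypto sshd
apply_binpatches() {
    rel="$1"; arch="$2"; shift 2
    PKG_PATH="$(prepend_pkg_path "$(mtier_pkg_path "$rel" "$arch")" "${PKG_PATH:-}")"
    export PKG_PATH
    for comp in "$@"; do
        doas pkg_add "$(binpatch_pkg "$rel" "$arch" "$comp")"
    done
}

# Run the whole procedure on this host when invoked as:
#   sh mtier-binpatch.sh apply crypto sshd
if [ "${1:-}" = "apply" ]; then
    shift
    rel="$(uname -r)"; arch="$(arch -s)"
    install_mtier_key "$rel"
    apply_binpatches "$rel" "$arch" "$@"
fi
```

Sourcing the file without the apply argument only defines the functions, so you can inspect the generated package names with binpatch_pkg "$(uname -r)" "$(arch -s)" crypto before touching the system.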
That’s it for today! Thanks!