How can I ensure that Ruby uses an OpenSSL not vulnerable to Heartbleed?

Nathan Long · Apr 10, 2014 · Viewed 14.6k times

Following the Heartbleed bug, this post on ruby-lang.org describes how to check vulnerability and upgrade.

It includes this advice:

To verify which version of the OpenSSL library you link to Ruby, use the following:

ruby -v -ropenssl -rfiddle -e 'puts Fiddle::Function.new(Fiddle.dlopen(nil)["SSLeay_version"], [Fiddle::TYPE_INT], Fiddle::TYPE_VOIDP).call(0)'

To verify the version of OpenSSL currently installed with Ruby, use the following:

ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'

What is the difference between these two checks, and what action is recommended if a bad version is returned from either command?

Answer

Nathan Long · Apr 18, 2014

After asking some questions elsewhere, my current understanding is this:

  • OpenSSL is never compiled along with Ruby; Ruby is simply told, at compile time, where to look for OpenSSL.
  • ruby -r rbconfig -e 'puts RbConfig::CONFIG["configure_args"]' should tell you where Ruby will look for various executables, including OpenSSL.
  • All that matters is that the copy of OpenSSL at that location is up-to-date; cd there and use ./openssl version to find out.
  • ruby -v -ropenssl -rfiddle -e 'puts Fiddle::Function.new(Fiddle.dlopen(nil)["SSLeay_version"], [Fiddle::TYPE_INT], Fiddle::TYPE_VOIDP).call(0)' should give the same answer as running openssl version directly, because it actually asks the copy of OpenSSL that Ruby is using to report its version number.
  • OpenSSL::OPENSSL_VERSION may be out of date; it reports the version it found when it was compiled.
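The two checks side by side, as an added Ruby example that is not part of the question or answer above: it reads the compile-time constant, reads the version of the library actually loaded (via OpenSSL::OPENSSL_LIBRARY_VERSION on Rubies that define it, otherwise via Fiddle as in the first command; SSLeay_version was renamed OpenSSL_version in OpenSSL 1.1.0, so both symbols are tried), and applies the Heartbleed version test (OpenSSL 1.0.1 through 1.0.1f) to each. The helper names are my own.

```ruby
begin
  require 'openssl'
rescue LoadError
  nil # Ruby built without the openssl extension: no compile-time constant
end

# Heartbleed (CVE-2014-0160) affected OpenSSL 1.0.1 through 1.0.1f. Distros
# often backport the fix without bumping the version string, so "vulnerable"
# here means "check the package changelog", not "definitely exposed".
def parse_openssl_version(str)
  m = str.to_s.match(/OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)/)
  return nil unless m
  { major: m[1].to_i, minor: m[2].to_i, fix: m[3].to_i, letter: m[4] }
end

def heartbleed_version?(str)
  v = parse_openssl_version(str)
  return false unless v
  v[:major] == 1 && v[:minor] == 0 && v[:fix] == 1 && v[:letter] <= 'f'
end

# Version baked in when the extension was compiled (the second command).
def compile_time_openssl_version
  defined?(OpenSSL::OPENSSL_VERSION) ? OpenSSL::OPENSSL_VERSION : nil
end

# Version of the library actually loaded now. Newer Rubies expose it as a
# constant; otherwise ask the library through Fiddle (the first command).
# SSLeay_version was renamed OpenSSL_version in OpenSSL 1.1.0, so try both.
def runtime_openssl_version
  return OpenSSL::OPENSSL_LIBRARY_VERSION if defined?(OpenSSL::OPENSSL_LIBRARY_VERSION)
  require 'fiddle'
  lib = Fiddle.dlopen(nil)
  sym = %w[SSLeay_version OpenSSL_version].find { |n| (lib[n] rescue nil) }
  return nil unless sym
  Fiddle::Function.new(lib[sym], [Fiddle::TYPE_INT], Fiddle::TYPE_VOIDP).call(0).to_s
rescue LoadError, StandardError
  nil # no fiddle, or OpenSSL symbols not visible from this process
end

def heartbleed_report(compile_time = compile_time_openssl_version,
                      runtime = runtime_openssl_version)
  { compile_time: compile_time, runtime: runtime,
    # a mismatch after a library upgrade is expected: the runtime value wins
    mismatch: !(compile_time.nil? || runtime.nil?) && compile_time != runtime,
    compile_time_vulnerable: heartbleed_version?(compile_time),
    runtime_vulnerable: heartbleed_version?(runtime) }
end

heartbleed_report.each { |k, v| puts "#{k}: #{v}" } if __FILE__ == $PROGRAM_NAME
```

Only the runtime line matters for the Heartbleed question; a stale compile-time constant next to a patched runtime version is the normal state after upgrading the library without rebuilding Ruby.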