How to mitigate and fix OpenSSL Heartbeat on CentOS or Ubuntu
Posted on Wednesday, April 9, 2014
- Cloud Sites Update: New Control Panel & Faster MySQLThursday, April 9, 2015
- Introducing New Server Networking FeaturesTuesday, March 10, 2015
- Getting started with Docker in minutes using Docker MachineFriday, February 20, 2015
- MEAN & Socket.IO Integration TutorialThursday, September 11, 2014
- Getting Started with MEAN StackWednesday, August 6, 2014
- How To Install Ruby on Rails on UbuntuSunday, December 29, 2013
- How To Deploy Django on Nginx, Gunicorn with PostgresTuesday, April 8, 2014
- How to Add Swap on UbuntuMonday, December 30, 2013
- Few CSS tricks you may not knowFriday, October 27, 2006
- CentOS 6 to CentOS 7 Upgrade ProcedureWednesday, July 16, 2014
Extremely critical security issue was recently discovered in OpenSSL. It has been found affecting versions 1.0.1 through 1.0.1f. All CentOS 6.5 versions are packaged with OpenSSL 1.0.1e-15 are all vulnerable to this bug. Note that older stable CentOS versions are not vulnerable to this bug. All Ubuntu versions since Ubuntu 12.04. This bug even got its own name, “heartbleed”.
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read and “steal” 64k of memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
Fixing it is relatively simple now that most Linux distributions have pushed out changes to their repositories containing a fixed version of OpenSSL. In order to patch this vulnerability, affected users should update to latest OpenSSL version. So, the update should be as easy as:
**Fedora/CentOS** # yum clean all # yum check-update # yum update **Ubuntu/Debian** # sudo apt-get update # sudo apt-get upgrade openssl
If all went without errors, that’s it. Now, let’s make sure that we are running version without security issues.
**Fedora/CentOS** # rpm -qa | grep openssl openssl-1.0.1e-16.el6_5.7.x86_64 openssl-devel-1.0.1e-16.el6_5.7.x86_64 **Ubuntu/Debian** # openssl version OpenSSL 1.0.1 14 Mar 2012
Now, after we made sure we are using latest version, we need to regenerate your certificate using a new private key. This process is standard, first we should create certificate signing request, create new key and then create the certificate its self (if we are using our own certificates, or send CSR to certificate authority issuer to create the new certificate). Then, replace the old certificate and start using the new ones.
The next step is to make sure that we restart all the services that are using SSL certificates. For example, if we have apache web server we should execute:
**Fedora/CentOS** # /etc/init.d/httpd restart **Ubuntu/Debian** # sudo service apache2 restart
We should do that same for any other webserver or any other service that we use (Nginx, vsftpd, MySQL etc). Now we can sit back and relax. We are protected from the Heartbleed bug.comments powered by Disqus