Running OpenSSL on anything?

You need to upgrade to version 1.0.1g or patch your existing install right now!

I run a bunch of Debian-based systems, so I upgraded them all to version 1.0.1g (1.0.1e is the default available from the Debian repos, but I don’t know if it has been patched, so I just opted to upgrade manually to 1.0.1g).

See the security advisory here – https://www.openssl.org/news/secadv_20140407.txt

Here is the quick and dirty guide (commands run as root):

First, check which version of OpenSSL you are running:

openssl version

My Debian system returned:

OpenSSL 1.0.1e 11 Feb 2013

So it needs upgrading. Use the commands below to go and grab version 1.0.1g from www.openssl.org and install it:

cd /usr/src/
# fetch the 1.0.1g source tarball (the file is openssl-1.0.1g.tar.gz)
wget www.openssl.org/source/openssl-1.0.1g.tar.gz
tar xfz openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
# install under /usr with shared libraries, keeping config in /etc/ssl
./config --prefix=/usr zlib-dynamic --openssldir=/etc/ssl shared
make
make install

Once it’s done (and you didn’t get any errors), you can check the version by running:

openssl version

It should return something like:

OpenSSL 1.0.1g 7 Apr 2014
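Here is the same version check scripted so you can run it across a whole set of boxes, as an added example (not the commands from the post above). It classifies the output of openssl version against the range the linked advisory covers (1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, 1.0.0 and 0.9.8 not affected), and adds one check the install steps above don’t cover: any daemon that was already running keeps the old libssl mapped until it is restarted, which shows up as "(deleted)" in /proc/<pid>/maps on Linux (reading other users’ processes needs root). The sample version strings are constructed for the demo. Note that distribution packages that backport the fix keep reporting the original upstream string, so this check only tells you something definite for builds installed from source like the one above; for distro packages compare the package version against your distribution’s own advisory.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed vulnerable range (per the OpenSSL advisory): 1.0.1 through 1.0.1f.

# Print one word for an `openssl version` line:
#   vulnerable  - 1.0.1 .. 1.0.1f
#   fixed       - 1.0.1g or later 1.0.1 release
#   unaffected  - 1.0.0 or 0.9.8 branch
#   other       - some other branch; consult the advisory
#   unknown     - could not parse the string
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        '')                echo unknown ;;
        1.0.1|1.0.1[a-f])  echo vulnerable ;;
        1.0.1[g-z]*)       echo fixed ;;
        1.0.0*|0.9.8*)     echo unaffected ;;
        *)                 echo other ;;
    esac
}

# Exit status form for use in scripts: 0 if vulnerable, 1 otherwise.
heartbleed_vulnerable() {
    [ "$(heartbleed_status "$1")" = vulnerable ]
}

# List PIDs (with command line) still mapping a libssl that has since been
# replaced on disk. Linux-only; needs root to see every process.
stale_libssl_users() {
    for m in /proc/[0-9]*/maps; do
        if grep -q 'libssl.*(deleted)' "$m" 2>/dev/null; then
            pid=${m#/proc/}
            pid=${pid%/maps}
            printf '%s %s\n' "$pid" "$(tr '\000' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# Constructed sample strings (dates are illustrative only).
for sample in "OpenSSL 1.0.1e 11 Feb 2013" "OpenSSL 1.0.1g 7 Apr 2014" \
              "OpenSSL 1.0.0k 5 Feb 2013" "OpenSSL 1.0.2-beta1 24 Feb 2014"; do
    printf '%-32s -> %s\n' "$sample" "$(heartbleed_status "$sample")"
done

# Check the binary actually on this host, if there is one.
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version 2>/dev/null)
    printf '%-32s -> %s (this host)\n' "$v" "$(heartbleed_status "$v")"
fi

# Only root can read every process's maps; skip the check otherwise.
if [ "$(id -u)" -eq 0 ]; then
    echo "processes still using a replaced libssl (restart these):"
    stale_libssl_users
fi
```

If the host check prints "vulnerable", run the upgrade above; if stale_libssl_users lists anything after the upgrade, restart those services (or reboot), since a patched library on disk does nothing for a process that loaded the old one.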

This vulnerability has been around for a while, so it’s probably best to re-key your SSL certificate just to make sure. Your SSL certificate provider will be able to help you with this, but make sure the old certificate is also revoked at the same time, as some providers don’t do that automatically when you re-key.

****EDIT****

You can test your server using this handy tool – http://filippo.io/Heartbleed/
