Tag Archives: openssl

Test your SSL.

SSL Server Test

This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet. Please note that the information you submit here is used only to provide you the service. We don’t use the domain names or the test results, and we never will.


5 Steps to secure yourself against the OpenSSL Heartbleed Bug


“Leaked secret keys allow the attacker to decrypt any past and future traffic”
http://heartbleed.com/

Protect your Server Against the Heartbleed OpenSSL Vulnerability

Update your System

PLEASE NOTE: Back up your whole system before major updates!

Ubuntu and Debian

sudo apt-get update
sudo apt-get dist-upgrade

CentOS and Fedora

yum update


Checking your Version Numbers

Debian and Ubuntu Releases and Fix Versions

dpkg -l | grep "openssl"
  • Ubuntu 10.04: Unaffected (Shipped with older version prior to vulnerability)
  • Ubuntu 12.04: 1.0.1-4ubuntu5.12
  • Ubuntu 12.10: 1.0.1c-3ubuntu2.7
  • Ubuntu 13.04: SUPPORT END OF LIFE REACHED, SHOULD UPGRADE
  • Ubuntu 13.10: 1.0.1e-3ubuntu1.2
  • Debian 6 (Squeeze): Unaffected (Shipped with older version prior to vulnerability)
  • Debian 7 (Wheezy): 1.0.1e-2+deb7u6
  • Debian testing (Jessie): 1.0.1g-1
  • Debian unstable (Sid): 1.0.1g-1

If you are using Ubuntu 13.04, it is HIGHLY RECOMMENDED that you upgrade your release, since it no longer receives security updates.
PLEASE NOTE: Back up your whole system before major updates!
Check your OpenSSL version
dpkg -l | grep "openssl"

Check your Ubuntu version
lsb_release -a

root@localhost:~# dpkg -l | grep "openssl"
ii libcurl4-openssl-dev 7.29.0-1ubuntu3.4 amd64 development files and documentation for libcurl (OpenSSL flavour)
ii libgnutls-openssl27:amd64 2.12.23-1ubuntu1.1 amd64 GNU TLS library - OpenSSL wrapper
ii openssl 1.0.1c-4ubuntu8.2 amd64 Secure Socket Layer (SSL) binary and related cryptographic tools
root@localhost:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 13.04
Release: 13.04
Codename: raring

CentOS and Fedora Releases and Fix Versions

rpm -q -a | grep "openssl"
  • CentOS 5: Unaffected (Shipped with older version prior to vulnerability)
  • CentOS 6: openssl-1.0.1e-16.el6_5.7
  • Fedora 17: Unaffected (Shipped with older version prior to vulnerability)
  • Fedora 19: openssl-1.0.1e-37.fc19.1

If your Fedora OpenSSL package version does not end in .1, you are vulnerable!


Check your OpenSSL version
rpm -q -a | grep "openssl"

Check your CentOS or Fedora version
cat /etc/redhat-release

[root@stream4 ~]# rpm -q -a | grep "openssl"
openssl-1.0.1e-16.el6_5.4.x86_64
[root@stream4 ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
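As an added example (not code from the original post), the following Python script automates the two checks above: it parses the output of `dpkg -l` / `rpm -q -a` and of `lsb_release -a` / `cat /etc/redhat-release`, embedded inline here as constructed samples copied from the terminal sessions shown above, and compares the installed openssl package version against the per-release fix versions listed in this post. The version comparison is a simplified rpmvercmp-style routine, not dpkg's or rpm's own; the CentOS 6 fix version is written the way `rpm -q -a` prints it (openssl-1.0.1e-16.el6_5.7).

```python
import re

# Fix versions per release as listed in the post.
# None  = the release shipped an OpenSSL that predates the bug (unaffected)
# "EOL" = the release is no longer supported; upgrade the release instead
FIXED_VERSIONS = {
    ("ubuntu", "10.04"): None,
    ("ubuntu", "12.04"): "1.0.1-4ubuntu5.12",
    ("ubuntu", "12.10"): "1.0.1c-3ubuntu2.7",
    ("ubuntu", "13.04"): "EOL",
    ("ubuntu", "13.10"): "1.0.1e-3ubuntu1.2",
    ("debian", "6"): None,
    ("debian", "7"): "1.0.1e-2+deb7u6",
    ("centos", "5"): None,
    ("centos", "6"): "1.0.1e-16.el6_5.7",
    ("fedora", "17"): None,
    ("fedora", "19"): "1.0.1e-37.fc19.1",
}

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def _segments(version):
    # "1.0.1e-16.el6_5.4" -> [1, 0, 1, 'e', 16, 'el', 6, 5, 4];
    # '.', '-', '_' and '+' act only as separators.
    return [int(s) if s.isdigit() else s for s in _SEGMENT.findall(version)]


def vercmp(a, b):
    """Simplified rpm/dpkg-style comparison returning -1, 0 or 1.
    Numeric segments compare as integers, alphabetic ones lexically, and a
    numeric segment outranks an alphabetic one in the same position."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):
            return 1
        if isinstance(y, int):
            return -1
        return -1 if x < y else 1
    # All shared segments equal: the longer version string is the newer one.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def installed_from_dpkg(output):
    """Version of the package named exactly 'openssl' in `dpkg -l` output
    (libcurl4-openssl-dev and similar do not count)."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii" and fields[1] == "openssl":
            return fields[2]
    return None


def installed_from_rpm(output):
    """Version-release of the 'openssl' package in `rpm -q -a` output, with the
    architecture suffix stripped; openssl-devel and friends are skipped."""
    for line in output.splitlines():
        m = re.match(r"^openssl-(\d\S*?)(?:\.(?:x86_64|i[3-6]86|noarch))?$", line.strip())
        if m:
            return m.group(1)
    return None


def release_from_lsb(output):
    """('ubuntu', '13.04') from `lsb_release -a` output."""
    distro = release = None
    for line in output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Distributor ID":
            distro = value.strip().lower()
        elif key.strip() == "Release":
            release = value.strip()
    return distro, release


def release_from_redhat_release(text):
    """('centos', '6') from /etc/redhat-release; only the major number matters."""
    m = re.match(r"^(CentOS|Fedora)\D*(\d+)", text.strip())
    return (m.group(1).lower(), m.group(2)) if m else (None, None)


def assess(distro, release, installed):
    """Classify a host as 'unaffected', 'eol', 'patched', 'vulnerable' or 'unknown'."""
    if distro is None or release is None or installed is None:
        return "unknown"
    key = (distro, release)
    if key not in FIXED_VERSIONS:          # e.g. Debian reports "7.4": fall back to the major
        key = (distro, release.split(".")[0])
    if key not in FIXED_VERSIONS:
        return "unknown"
    fixed = FIXED_VERSIONS[key]
    if fixed is None:
        return "unaffected"
    if fixed == "EOL":
        return "eol"
    return "patched" if vercmp(installed, fixed) >= 0 else "vulnerable"


# Constructed samples, copied from the two terminal sessions shown in the post.
UBUNTU_DPKG = """ii libcurl4-openssl-dev 7.29.0-1ubuntu3.4 amd64 development files and documentation for libcurl (OpenSSL flavour)
ii libgnutls-openssl27:amd64 2.12.23-1ubuntu1.1 amd64 GNU TLS library - OpenSSL wrapper
ii openssl 1.0.1c-4ubuntu8.2 amd64 Secure Socket Layer (SSL) binary and related cryptographic tools
"""
UBUNTU_LSB = "No LSB modules are available.\nDistributor ID: Ubuntu\nDescription: Ubuntu 13.04\nRelease: 13.04\nCodename: raring\n"
CENTOS_RPM = "openssl-1.0.1e-16.el6_5.4.x86_64\n"
CENTOS_RELEASE = "CentOS release 6.5 (Final)\n"


def triage_ubuntu_sample():
    distro, release = release_from_lsb(UBUNTU_LSB)
    return assess(distro, release, installed_from_dpkg(UBUNTU_DPKG))


def triage_centos_sample():
    distro, release = release_from_redhat_release(CENTOS_RELEASE)
    return assess(distro, release, installed_from_rpm(CENTOS_RPM))


if __name__ == "__main__":
    print("Ubuntu 13.04 sample:", triage_ubuntu_sample())
    print("CentOS 6.5 sample:", triage_centos_sample())
```

On a live host the same functions can be fed the real command output. The CentOS session above classifies as vulnerable because release 16.el6_5.4 is older than the 16.el6_5.7 fix, and the Ubuntu 13.04 host is reported as end-of-life regardless of its package version, which matches the advice in the post.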


Revoking and Reissuing your SSL Certs/Keys

  • regenerate your certificate using a new private key; a patched server that keeps its old key is still exposed if that key was leaked before the patch
  • create the new key, then either create the certificate yourself or send a CSR to your certificate authority so it can issue the new certificate
  • replace the old certificate with the new one, restart the services that use it, and revoke the old certificate at the issuer


Dreamhost HeartBleed – infected?

Dreamhost Forum

Hello There, We can confidently let you know that our shared servers and VPS guests are NOT vulnerable to it since they run Debian Lenny and/or Squeeze. The most common version of OpenSSL on our network is 0.9.8o-4squeeze14. The “HeartBleed” vulnerability is in OpenSSL’s heartbeat module in versions 1.0.1 and 1.0.2-beta.

Cheers!
Matt C

From https://discussion.dreamhost.com/thread-140702-post-174286.html#pid174286

Dreamhost Status

As soon as we learned of the “Heartbleed” OpenSSL vulnerability, we began to patch any and all systems that it may have affected. Fortunately this was a very small subset of our systems and was mostly isolated to a small group of mail machines. As of early yesterday, all of our systems are patched. As a preventative measure, we are also re-keying the certificates on any systems with that bug. We have no reason to believe that any of those machines have been compromised, but in the interest of proactive security, we feel that changing SSL certificates is the best option.

DreamHost.com was not vulnerable, but the machines that redirected traffic to our actual site were. This was corrected quickly and those machines will also have their certificates re-keyed.

We can confidently say that our shared servers, VPS guests, and dedicated machines are NOT vulnerable to this issue because they run Debian “Lenny” and/or “Squeeze”. The most common version of OpenSSL on our network is 0.9.8o-4squeeze14, and the “HeartBleed” vulnerability in OpenSSL’s heartbeat module exists in versions 1.0.1 and 1.0.2-beta.

If you have any questions or concerns, please don’t hesitate to contact our support team.


OpenSSL Security Advisory [07 Apr 2014] – TLS heartbeat read overrun


OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks to Neel Mehta of Google Security for discovering this bug and to
Adam Langley <[email protected]> and Bodo Moeller <[email protected]> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.