HeartBleed Vulnerability Guidance

shawniverson
Posts: 3649
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

HeartBleed Vulnerability Guidance

Post by shawniverson »

Fellow EFA Users,

EFA is built on open source and uses OpenSSL. OpenSSL may be in use in your EFA environment if you are sending/receiving secure emails or are using HTTPS to secure your EFA.

Please run the following:

Code:

sudo yum -y install openssl

The version that you need after updating should be at least this version or higher:

1.0.1e-16.el6_5.7

Also, you should rekey your public certificates, if used, or generate a new self-signed certificate:

Code:

sudo cp /etc/pki/tls/private/localhost.key /etc/pki/tls/private/localhost.key.old
sudo cp /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/localhost.crt.old
sudo openssl req -new -x509 -key /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt
service httpd restart

Also, be sure to change your passwords on your EFA too :D
cyberwired
Posts: 33
Joined: 03 Jan 2014 21:57

Re: HeartBleed Vulnerability Guidance

Post by cyberwired »

I knew I should have taken a snapshot before I made changes...

Code:

[root@efa log]# openssl req -new -x509 -key /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt
Error opening Private Key /etc/pki/tls/private/localhost.key
139720718653256:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/tls/private/localhost.key','r')
139720718653256:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load Private Key

Then a moment of stupidity, wondered whether httpd might need to be restarted first:

Code:

[root@efa log]# service httpd restart
Stopping httpd: [  OK  ]
Starting httpd: Syntax error on line 105 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty
[FAILED]

So now I'm broken...help!
cyberwired
Posts: 33
Joined: 03 Jan 2014 21:57

Re: HeartBleed Vulnerability Guidance

Post by cyberwired »

Right, so I fixed it, rather than doing what you said, the mv should be cp:

Code:

sudo cp /etc/pki/tls/private/localhost.key /etc/pki/tls/private/localhost.key.old
sudo cp /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/localhost.crt.old
sudo openssl req -new -x509 -key /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt
service httpd restart
shawniverson
Posts: 3649
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: HeartBleed Vulnerability Guidance

Post by shawniverson »

Correcting my instructions.
shawniverson
Posts: 3649
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: HeartBleed Vulnerability Guidance

Post by shawniverson »

There's another cert that is worth rotating...

Code:

sudo cp /etc/postfix/ssl/smtpd.pem /etc/postfix/ssl/smtpd.pem.old
sudo openssl req -new -x509 -nodes -out /etc/postfix/ssl/smtpd.pem -keyout /etc/postfix/ssl/smtpd.pem -days 3650
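
An added check, not part of the original posts: `openssl req -new -x509 -key <existing key>` issues a new certificate over the existing key pair, while the `-keyout` form without `-key` generates a fresh key, so after rotating it is worth comparing the public key in the `.old` certificate with the one in the new certificate. The function names, the temporary files and `/CN=efa.example` below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a re-issued certificate
# carries a NEW key pair. File names and /CN=efa.example are constructed.

# pubkey_fp CERT: SHA-256 over the certificate's PEM-encoded public key.
pubkey_fp() {
    fp_pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$fp_pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# key_status OLD_CERT NEW_CERT: prints "rotated", "reused" or "error".
key_status() {
    ks_old=$(pubkey_fp "$1") || { echo error; return 2; }
    ks_new=$(pubkey_fp "$2") || { echo error; return 2; }
    if [ "$ks_old" = "$ks_new" ]; then echo reused; else echo rotated; fi
}

# demo_rotation: builds throwaway certificates in a temp dir, checks both cases.
demo_rotation() {
    d=$(mktemp -d) || return 2
    # Original key and certificate (stands in for localhost.crt.old).
    openssl req -new -x509 -newkey rsa:2048 -nodes -subj /CN=efa.example \
        -keyout "$d/a.key" -out "$d/old.crt" -days 1 2>/dev/null
    # Re-issue with -key: new certificate, same key pair.
    openssl req -new -x509 -key "$d/a.key" -subj /CN=efa.example \
        -out "$d/samekey.crt" -days 1 2>/dev/null
    # Re-issue with -newkey/-keyout: new certificate and new key pair.
    openssl req -new -x509 -newkey rsa:2048 -nodes -subj /CN=efa.example \
        -keyout "$d/b.key" -out "$d/newkey.crt" -days 1 2>/dev/null
    r1=$(key_status "$d/old.crt" "$d/samekey.crt")
    r2=$(key_status "$d/old.crt" "$d/newkey.crt")
    rm -rf "$d"
    echo "$r1 $r2"
}

demo_rotation
```

On an EFA host the same function can be pointed at the backup and the live file, for example `key_status /etc/pki/tls/certs/localhost.crt.old /etc/pki/tls/certs/localhost.crt`.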