Page 1 of 1
HeartBleed Vulnerability Guidance
Posted: 11 Apr 2014 17:40
by shawniverson
Fellow EFA Users,
EFA is built on open source and uses OpenSSL. OpenSSL may be in use in your EFA environment if you are sending/receiving secure emails or are using HTTPS to secure your EFA.
Please run the following:
The version that you need after updating should be at least this version or higher:
1.0.1e-16.el6_5.7
Also, you should rekey your public certificates, if used, or generate a new self-signed certificate
Code: Select all
sudo cp /etc/pki/tls/private/localhost.key /etc/pki/tls/private/localhost.key.old
sudo cp /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/localhost.crt.old
sudo openssl req -new -x509 -key /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt
service httpd restart
Also, be sure to change your passwords on your EFA too
Re: HeartBleed Vulnerability Guidance
Posted: 15 Apr 2014 23:55
by cyberwired
I knew I should of snapshot before I made changes...
Code: Select all
[root@efa log]# openssl req -new -x509 -key /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt
Error opening Private Key /etc/pki/tls/private/localhost.key
139720718653256:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/tls/private/localhost.key','r')
139720718653256:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load Private Key
Then a moment of stupidity, wondered whether httpd might need to be restarted first
Code: Select all
[root@efa log]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: Syntax error on line 105 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty
[FAILED]
So now I'm broken...help!
Re: HeartBleed Vulnerability Guidance
Posted: 15 Apr 2014 23:59
by cyberwired
Right, so I fixed it, rather that doing what you said, the mv should be cp:
Code: Select all
sudo cp /etc/pki/tls/private/localhost.key /etc/pki/tls/private/localhost.key.old
sudo cp /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/localhost.crt.old
sudo openssl req -new -x509 -key /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt
service httpd restart
Re: HeartBleed Vulnerability Guidance
Posted: 16 Apr 2014 09:24
by shawniverson
Correcting my instructions.
Re: HeartBleed Vulnerability Guidance
Posted: 16 Apr 2014 09:36
by shawniverson
There's another cert that is worth rotating...
Code: Select all
sudo cp /etc/postfix/ssl/smtpd.pem /etc/postfix/ssl/smtpd.pem.old
sudo openssl req -new -x509 -nodes -out /etc/postfix/ssl/smtpd.pem -keyout /etc/postfix/ssl/smtpd.pem -days 3650