
OpenSSL Heartbleed... :\

Wow... Scary... A terrifying nightmare

Yesterday (April 7, 2014), the famous bug was revealed, and we found out that it had existed for two years without anyone knowing about it. If you want to know what harm it can cause, just check this web site.

It is really scary because this means that almost every SSL private key could have been stolen, along with user passwords. Well, if the user passwords have already been stolen, there is not much to do on the server side. We can only warn users to change their passwords, and I suggest everyone change their e-mail, banking, forum, etc. passwords.

Well, if we want to stop user passwords from being stolen by sniffing or intercepting our communication with the user, the first thing to do is to change our SSL keys. With the help of this web site, I have prepared the following document on signing your own SSL certificates. Unfortunately, that web page is dead now, but it can still be reached through the Web Archive.

  • First, we need to generate a key for our server

  • openssl genrsa -des3 -out server.key 4096

  • Then a signing request is needed

  • openssl req -new -key server.key -out server.csr

  • Now, using both the signing request and the key, we can sign our certificate

  • openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

  • We need to make a version of our key which doesn't require a password, so that Apache won't ask for a password when serving our web site. Keep the passphrase-protected original under a different name:

  • openssl rsa -in server.key -out server.key.insecure
    mv server.key server.key.secure
    mv server.key.insecure server.key

  • Finally, these files should be copied into the right directories (depending on your web server software)

  • That is what I did; I have also replaced my OpenSSH server and client keys:

  • Deleted host keys and reconfigured OpenSSH:

  • rm /etc/ssh/ssh_host_*
    dpkg-reconfigure openssh-server

  • Updated client keys:

  • ssh-keygen
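The certificate steps above as one non-interactive script, followed by the two checks worth running before copying the files to the web server: that the certificate really belongs to the deployed key, and that the deployed key is the unencrypted one while the kept copy is still encrypted. This is an added example, not the post's own commands; it assumes openssl is on PATH, and the passphrase and common name are demo placeholders passed on the command line only so the script can run unattended (interactively, drop -passout/-passin and -subj and answer the prompts).

```shell
#!/bin/sh
# Added example: the post's openssl steps run unattended, plus pre-deploy checks.
# Assumes: openssl in PATH. Passphrase on the command line is for the demo only.
set -eu

# Generate key, CSR and self-signed cert in DIR for common name CN, valid DAYS.
# Leaves server.key (unencrypted, for the web server) and server.key.secure
# (the passphrase-protected original). Runs in a subshell so cd does not leak.
make_selfsigned() (
  dir=$1 cn=$2 days=$3 pass=${4:-demo-passphrase}
  mkdir -p "$dir" && cd "$dir"
  # 1. encrypted private key (post: openssl genrsa -des3 -out server.key 4096)
  openssl genrsa -des3 -passout "pass:$pass" -out server.key 4096 2>/dev/null
  # 2. signing request; -subj replaces the interactive questions
  openssl req -new -key server.key -passin "pass:$pass" -subj "/CN=$cn" -out server.csr
  # 3. self-sign the request with the same key
  openssl x509 -req -days "$days" -in server.csr -signkey server.key \
      -passin "pass:$pass" -out server.crt 2>/dev/null
  # 4. passphrase-free copy for the web server; keep the encrypted original
  openssl rsa -in server.key -passin "pass:$pass" -out server.key.insecure 2>/dev/null
  mv server.key server.key.secure
  mv server.key.insecure server.key
  # the unencrypted key is only as safe as its file permissions
  chmod 600 server.key server.key.secure
)

# Check 1: the public key inside the certificate equals the deployed key's public key.
cert_matches_key() {
  c=$(openssl x509 -in "$1/server.crt" -noout -pubkey)
  k=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null)
  [ "$c" = "$k" ]
}

# Check 2: deployed key has no passphrase, kept copy still has one.
key_files_ok() {
  ! grep -q ENCRYPTED "$1/server.key" && grep -q ENCRYPTED "$1/server.key.secure"
}
```

Usage: `make_selfsigned /tmp/newcert www.example.test 365 && cert_matches_key /tmp/newcert && key_files_ok /tmp/newcert && echo ready`.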

    That's all for tonight :) Please take immediate action against the Heartbleed bug...

    P.S.: if you haven't already, you must upgrade your OpenSSL version to 1.0.1g in order to prevent future abuse.

    by zgrw on 2014-04-09 11:54:41