aiScaler and the Heartbleed vulnerability
Posted by Max Robbins on April 13th, 2014

On Monday, April 7th 2014, an OpenSSL vulnerability was disclosed which has been called one of the worst security holes in recent internet history. The bug, called the Heartbleed bug, was introduced in OpenSSL version 1.0.1. It has been in the wild since March of 2012 and is patched with OpenSSL version 1.0.1g, released on April 7th 2014. The problem, tagged CVE-2014-0160, is described in detail here.
The bug allows an attacker to read memory from a vulnerable host, which means that any private keys used on a host running a vulnerable version of OpenSSL should be considered compromised. Distributions have been updating their packages and pushing out updates, but users still need to pull down the most recent packages and revoke any keys that were used with an insecure version.
We’ll show you how to update your systems with a secure version of OpenSSL, revoke any insecure SSL certificates, and test whether you are vulnerable or not.
You are only affected when using SSL (HTTPS) on your server.
Updating OpenSSL
sudo apt-get update
sudo apt-get install --only-upgrade openssl
sudo apt-get install --only-upgrade libssl1.0.0
Checking your Version Numbers
sudo dpkg -l | grep "openssl"
You should receive output like this:
ii openssl 1.0.1-4ubuntu5.12 Secure Socket Layer (SSL) binary and related cryptographic tools
ii python-openssl 0.12-1ubuntu2 Python wrapper around the OpenSSL library
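The upstream version string (1.0.1) does not change when Ubuntu backports the fix, so the package revision is what has to be compared against the fixed version for your release. The following script is an added example, not part of the original post: it parses dpkg -l output (constructed sample lines, one deliberately left behind) and compares Debian package versions against the fixed version shown above (1.0.1-4ubuntu5.12, the Ubuntu 12.04 fix); the FIXED thresholds are an assumption for that release.

```python
import re

# Fixed package version this page shows after upgrading (the Ubuntu 12.04 fix).
FIXED = {"openssl": "1.0.1-4ubuntu5.12", "libssl1.0.0": "1.0.1-4ubuntu5.12"}

# Constructed `dpkg -l | grep openssl` sample; libssl1.0.0 deliberately lags.
SAMPLE_DPKG_OUTPUT = """\
ii  openssl        1.0.1-4ubuntu5.12  Secure Socket Layer (SSL) binary and related cryptographic tools
ii  libssl1.0.0    1.0.1-4ubuntu5.10  SSL shared libraries
ii  python-openssl 0.12-1ubuntu2      Python wrapper around the OpenSSL library
"""

def _nondigit_key(s):
    # dpkg ordering for non-digit runs: '~' sorts before end-of-string (0),
    # letters before other punctuation. The trailing 0 marks end-of-string.
    return tuple(-1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256
                 for c in s) + (0,)

def _cmp_fragment(a, b):
    # Compare alternating non-digit and digit runs, as dpkg does.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        ka, kb = _nondigit_key(na), _nondigit_key(nb)
        if ka != kb:
            return -1 if ka < kb else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def compare_versions(v1, v2):
    """Return <0, 0 or >0 like `dpkg --compare-versions` ([epoch:]upstream[-revision])."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def check_packages(dpkg_output, fixed=FIXED):
    """Map each package in `fixed` to 'ok', 'vulnerable' or 'not installed'."""
    installed = {f[1]: f[2] for f in map(str.split, dpkg_output.splitlines())
                 if len(f) >= 3 and f[0] == "ii"}
    return {pkg: "not installed" if pkg not in installed
            else "ok" if compare_versions(installed[pkg], minimum) >= 0
            else "vulnerable" for pkg, minimum in fixed.items()}
```

A current package on disk says nothing about a process that loaded the old libssl before the upgrade; restarting aiScaler, as the post does at the end, is what makes the fix take effect.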
Revoking and Reissuing your SSL Certs/Keys
If you have purchased an SSL certificate from a provider and you have updated your OpenSSL packages on your server, you will need to revoke your old keys and have new ones issued. This process is known as “rekeying”.
This process is very dependent upon the SSL service that issued your initial certificate, but you should search their administration interface for an option that is similar to “rekey” or “reissue keys”. Most SSL issuers will revoke your former key when you rekey, but you can usually also do this explicitly using their administrative interface.
Follow the directions that your SSL provider gives you. They may give you very specific instructions for how to regenerate a CSR, or they may not.
If they do not provide the specific openssl commands they would like you to use, you can generate your new key and CSR by typing something like this:
openssl req -new -newkey rsa:2048 -nodes -keyout hostname.key -out hostname.csr
You will need to copy your generated CSR into your provider’s web interface after generation in order to rekey your server. You will then need to download the new certificate from the web interface.
Install the new certificate and key in the same location where your old ones were kept. The path you’ll need to use for your certificate and key will vary by distribution and by how you configured your web server. Then update your aiScaler configuration:
nano /etc/aicache/aicache.cfg
server_ip * # DEFAULT: we listen on all IPs/NICs defined on this host
server_port 80 # DEFAULT: we run on default HTTP port 80
listen https * 443 /etc/aicache/NewCertificate.crt /etc/aicache/NewPrivateKey.key AES256-SHA:RC4-MD5 hostname.com
Restarting aiScaler
sudo service aicache restart