
aiScaler and the Heartbleed vulnerability

Posted by on April 13th, 2014

On Monday, April 7th 2014, an OpenSSL vulnerability was disclosed which has been called one of the worst security holes in recent internet history. The bug, called the Heartbleed bug, was introduced in OpenSSL version 1.0.1. It has been in the wild since March of 2012 and is patched with OpenSSL version 1.0.1g released on April 7th 2014. The problem, tagged CVE-2014-0160, is described in detail here.

The bug allows any attacker to read the memory of a vulnerable host, which means that any keys that have been used on a host with a vulnerable version of OpenSSL should be considered compromised. Distributions have been updating their packages and pushing out updates, but users need to pull down the most recent packages and revoke any previous keys based on insecure versions.

We’ll show you how to update your systems with a secure version of OpenSSL, revoke any insecure SSL certificates, and test whether you are vulnerable or not.

You are only affected when using SSL (HTTPS) on your server.

Updating OpenSSL

sudo apt-get update
sudo apt-get install --only-upgrade openssl
sudo apt-get install --only-upgrade libssl1.0.0

Checking your Version Numbers

sudo dpkg -l | grep -E "openssl|libssl"

You should receive output like this; the libssl1.0.0 line (the library your web server actually loads, which a plain grep for "openssl" would not show) should carry the same patched package version as the openssl line:

ii  openssl                          1.0.1-4ubuntu5.12            Secure Socket Layer (SSL) binary and related cryptographic tools
ii  python-openssl                   0.12-1ubuntu2                Python wrapper around the OpenSSL library
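Reading the version column by eye is error-prone, and on Debian/Ubuntu the upstream number is misleading: the distribution backports the fix without changing "1.0.1", so only the package revision tells you whether the host is patched. The script below is an added example, not part of the original post or of aiScaler; it classifies an upstream OpenSSL version (affected: 1.0.1 through 1.0.1f and the 1.0.2-beta1 snapshot; fixed in 1.0.1g; 0.9.8 and 1.0.0 never had the heartbeat code) and, separately, an Ubuntu 12.04 package version against the 1.0.1-4ubuntu5.12 revision shown in the sample output above. The `dpkg -l` lines it scans are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether an OpenSSL
# version is affected by CVE-2014-0160 (Heartbleed).

# $1: an upstream version such as "1.0.1f", or a full `openssl version` line
#     such as "OpenSSL 1.0.1f 6 Jan 2014".
# Prints vulnerable | patched | unaffected | unknown.
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | sed 's/^OpenSSL //' | cut -d' ' -f1)
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) echo vulnerable ;;
        1.0.1[g-z]*|1.0.2*|1.1.*)                  echo patched ;;
        0.9.*|1.0.0*)                              echo unaffected ;;
        *)                                         echo unknown ;;
    esac
}

# $1: the version column of `dpkg -l` for openssl/libssl1.0.0 on Ubuntu 12.04,
#     where the upstream number stays 1.0.1 and only the Ubuntu revision moves.
#     The fix shipped as revision 5.12 (the version the post's sample output
#     shows); anything earlier in the 1.0.1-4ubuntu5.* series still has the bug.
# Prints vulnerable | patched | unknown.
precise_package_status() {
    case "$1" in
        1.0.1-4ubuntu5.*) rev=${1##*ubuntu5.} ;;
        *) echo unknown; return 0 ;;
    esac
    case "$rev" in
        ''|*[!0-9]*) echo unknown; return 0 ;;   # not a plain revision number
    esac
    if [ "$rev" -ge 12 ]; then echo patched; else echo vulnerable; fi
}

# Read `dpkg -l` output from stdin and print a verdict for each installed
# openssl / libssl1.0.0 package line.
scan_dpkg() {
    while read -r state pkg ver rest; do
        case "$state:$pkg" in
            ii:openssl|ii:libssl1.0.0)
                echo "$pkg $ver $(precise_package_status "$ver")" ;;
        esac
    done
}

# Constructed sample of `dpkg -l` output for a half-patched host: the openssl
# binary package was upgraded, but libssl1.0.0 (what the web server loads) was not.
SAMPLE='ii  openssl        1.0.1-4ubuntu5.12  Secure Socket Layer (SSL) binary and related cryptographic tools
ii  libssl1.0.0    1.0.1-4ubuntu5.11  SSL shared libraries
ii  python-openssl 0.12-1ubuntu2      Python wrapper around the OpenSSL library'

printf '%s\n' "$SAMPLE" | scan_dpkg
# prints:
#   openssl 1.0.1-4ubuntu5.12 patched
#   libssl1.0.0 1.0.1-4ubuntu5.11 vulnerable
```

On a live host, replace the constructed sample with `dpkg -l | scan_dpkg`. The package check is deliberately narrow (one release series, one known fixed revision); the same approach works for other releases once you look up the fixed revision in the distribution's advisory.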

Revoking and Reissuing your SSL Certs/Keys

If you have purchased an SSL certificate from a provider and you have updated your OpenSSL packages on your server, you will need to revoke your old keys and you’ll have to reissue new keys. This is a process known as “rekeying”.

This process is very dependent upon the SSL service that issued your initial certificate, but you should search their administration interface for an option that is similar to “rekey” or “reissue keys”. Most SSL issuers will revoke your former key when you rekey, but you can usually also do this explicitly using their administrative interface.

Follow the directions that your SSL provider gives you. They may give you very specific instructions for how to regenerate a CSR, or they may not.

If they do not provide you with the specific openssl commands that they would like you to use, you can generate your new SSL CSR by typing something like this:

openssl req -new -newkey rsa:2048 -nodes -keyout hostname.key -out hostname.csr

You will need to copy your generated CSR into your provider’s web interface after generation in order to rekey your server. You will then need to download the new certificate from the web interface.

You will have to install the new keys to the same location that your old keys and certificates were kept. The path that you’ll need to use for your certificate and keys will vary by distribution and how you configured your web server. Then update your aiScaler configuration:

nano /etc/aicache/aicache.cfg
server_ip *                      # DEFAULT: we listen on all IPs/NICs defined on this host
server_port 80                   # DEFAULT: we run on default HTTP port 80
listen https * 443 /etc/aicache/NewCertificate.crt /etc/aicache/NewPrivateKey.key AES256-SHA:RC4-MD5 hostname.com
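A mismatch between the reissued certificate and the private key on the `listen https` line only shows up as failed TLS handshakes after the restart, so it is worth checking before restarting. The script below is an added example, not aiScaler's own tooling: it compares the RSA modulus of the certificate and key with the `openssl` command line, and reads the certificate and key paths out of aicache.cfg assuming the field order shown in the snippet above (`listen https <ip> <port> <cert> <key> <ciphers> <host>`). The demonstration at the bottom generates a throwaway key and self-signed certificate in a temporary directory to stand in for the reissued files; all paths there are constructed.

```shell
#!/bin/sh
# Added example (not part of the original post): confirm that the certificate
# and key named on aicache.cfg's `listen https` line belong together.

# $1: PEM certificate, $2: PEM RSA private key.
# Returns 0 when both carry the same RSA modulus (the cert was issued for this
# key), 1 when they differ or either file cannot be read.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# $1: path to aicache.cfg. Prints ok | mismatch | missing | no-listen-line and
# returns non-zero for anything but ok. Field positions assume the layout
# shown in the post: listen https <ip> <port> <cert> <key> <ciphers> <host>.
check_aicache_tls() {
    line=$(grep '^listen https' "$1" | head -n 1)
    [ -n "$line" ] || { echo no-listen-line; return 1; }
    set -f                  # the "*" ip field must not be glob-expanded
    set -- $line            # split on whitespace: $5 = cert, $6 = key
    set +f
    cert=$5; key=$6
    [ -f "$cert" ] && [ -f "$key" ] || { echo missing; return 1; }
    if cert_matches_key "$cert" "$key"; then echo ok; else echo mismatch; return 1; fi
}

# Demonstration with constructed files: a fresh key + self-signed certificate
# (standing in for the reissued pair), a second unrelated key, and two config
# files, one correct and one pointing at the wrong key.
demo_check() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=hostname.com -days 1 \
        -keyout "$dir/NewPrivateKey.key" -out "$dir/NewCertificate.crt" >/dev/null 2>&1 || return 1
    openssl genrsa -out "$dir/OldPrivateKey.key" 2048 >/dev/null 2>&1 || return 1
    printf 'server_ip *\nserver_port 80\nlisten https * 443 %s %s AES256-SHA:RC4-MD5 hostname.com\n' \
        "$dir/NewCertificate.crt" "$dir/NewPrivateKey.key" > "$dir/good.cfg"
    printf 'listen https * 443 %s %s AES256-SHA:RC4-MD5 hostname.com\n' \
        "$dir/NewCertificate.crt" "$dir/OldPrivateKey.key" > "$dir/bad.cfg"
    check_aicache_tls "$dir/good.cfg" || true     # prints: ok
    check_aicache_tls "$dir/bad.cfg"  || true     # prints: mismatch
    rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then demo_check; fi
```

Run `check_aicache_tls /etc/aicache/aicache.cfg` after copying the new files into place and before `service aicache restart`; an `ok` means the handshake will at least present a certificate that matches the key aiScaler is about to load.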

Restarting aiScaler

sudo service aicache restart

Testing your Server

http://filippo.io/Heartbleed/
