Comment by phillmv
12 years ago
Given the severity of this bug, the UX of the site is failing anyone who isn't a fulltime sysadmin.
Suggestion: big, bold TLDR ("The sky is falling. Check your OpenSSL version right now") with a link on what to do sorted by OS vendor.
Step 1: Here's a command to spit out your OpenSSL version. If it is the following string, go to step 2.
Step 2: Here's how to update your OpenSSL. Here are links to guides on reissuing keys.
Probably OK the whole remediation bit links to a wiki that gets updated as the various vendors push their patches.
Agree. This needs a big fat the world is coming to an end stlye of warning.
I've just shut down the webservers running SSL that I can control. If you are vuln and don't want to build openssl from source and can afford the outage. I'd reccomend to do the same.
OTHERWISE BUILD FROM SOURCE IMMEDIATELY, PATCH, AND GET NEW KEYS!
Let's hope CA's don't get swamped by all the CSR's. Or rather let's hope they do so we see people are doing something...
For me right now these are just my hobby projects. So I don't care if they're down. But I imagine it will be fun tomorrow.
And when it's fixed, get new keys.
Btw: I'm a dev. Not a sysadmin though :P
Edit: Debian is patched. I'm online again \o/
Ok, anyone could assist me on how to update openssl without breaking anything? I've fetched newest sources from openssl.org and compiled them, but "make install" doesn't actually install it, it only got compiled, but issuing "openssl version" still gives me the old version.
What I want to do is to patch it so our webserver uses new version.
I would tread lightly here if you aren't comfortable with compiling. Rather than break your website, it might be better to take it down until your distro's packages are available.
You should probably spend your time investigating a good method of reissuing keys for when you get to a stable OpenSSL version.
Some apps have OpenSSL statically compiled into the binaries. Beware that what you think is fixed may not be.
3 replies →
Not to sound like a commercial for Cloudflare or anything. But putting your infrastructure behind their services can protect users while they perform their patching. According to their latest blog post http://blog.cloudflare.com/staying-ahead-of-openssl-vulnerab...
On a linux box: [For each set of certs used for each of your public facing sites...]
1. Open a terminal[cd into] /etc/path_to_ssl_certs_folder[per site].
Ex. /etc/ssl/nginx
2. Regen the certs [example nginx mail server]
openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:4096 -keyout mailkey.pem -out mailcert.pem
[this command generates a private key and server cert and outputs to pem's] [Note also the key sizes are 4096, you may want 2048. AND I use -sha256, as sha1 is considered too weak nowadays. These certs are valid for 3650 days...10 years]
Since the command overwrites certs/keys in the current directory of the same name as the outfiles...that's it...you're done. Just restart nginx.
If you change a self-signed cert, like above, expect a new warning from the client on the next connection...this is just your new cert being encountered. Click permantly accept..blah blah.
------------------------------------------------------------------------
On a Windows box:
1. open an admin cmd window and run 'mmc'.
2. Add a new snap-in for Certificates as local machine.
3. Find and 'Disable all purposes for this cert'.
4. Import your new certs from your 3rd party or that you rolled yourself from your enterprise CA.
5. Test new cert.
6. Delete old cert.
[If you run your own CA, you should already know what to do...]
Agreed. They should reorder their headings, first should be What is it? and second should be How to stop it?
On my CentOS boxes I ran 'yum list | grep openssl'
This is the standard command:
@stormbrew is correct about ubuntu, use -a or -v -b
4 replies →
As far as I can tell, on ubuntu this reports "OpenSSL 1.0.1 14 Mar 2012" for all ubuntu versions, including the fixed one.
5 replies →