OpenSSL, the widely used software for encrypting web communication, was hit by a serious security flaw named the “Heartbleed bug”. Filippo Valsorda has implemented a testing tool, http://filippo.io/Heartbleed/, which helps you check whether your website is affected. This article provides a procedure to fix the Heartbleed issue; before that, let us look at “Heartbleed” in more detail.
The Heartbleed bug has affected many websites because it allows the memory of a vulnerable host to be read. This compromises the keys used on any host running a vulnerable OpenSSL version. To fix the Heartbleed bug, users have to update their older OpenSSL versions and revoke any previous keys. Here we present a procedure to update the system to a secure OpenSSL version.
Step: 1
Update OpenSSL version
For Ubuntu and Debian system update:
If you are using Ubuntu or Debian, follow the steps below to update your system.
sudo apt-get update
sudo apt-get dist-upgrade
The above commands update your entire system. However, if you want to upgrade only the affected packages, type the following commands.
sudo apt-get install --only-upgrade openssl
sudo apt-get install --only-upgrade libssl1.0.0
For CentOS and Fedora update:
You can type the following command to update the entire system.
yum update
If you wish to update only the affected OpenSSL packages, type the command below.
yum update openssl
For a 64-bit System Update:
If you run a 64-bit system, type the commands below to update the system.
yum -y install koji
koji download-build --arch=x86_64 openssl-1.0.1e-37.fc19.1
yum localinstall openssl-1.0.1e-37.fc19.1.x86_64.rpm
For a 32-bit System Update:
If you run a 32-bit system, type the commands below to update the system.
yum -y install koji
koji download-build --arch=i686 openssl-1.0.1e-37.fc19.1
yum localinstall openssl-1.0.1e-37.fc19.1.i686.rpm
For Arch Linux Update:
If you have Arch Linux, type the following command. Update the entire system rather than only the affected packages, as Arch Linux is a very unstable system.
sudo pacman -Syu
After updating the system, reboot your machine so that running services load the updated library, then check the system status. To reboot, type the following command.
sudo shutdown -r now
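A reboot guarantees that no process keeps the old library loaded. As an added example (not part of the original article), the shell function below lists processes that still map a replaced copy of libssl or libcrypto, which confirms the same thing where a reboot has to wait; the proc_root parameter and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes that still run the pre-upgrade OpenSSL.
# After a package upgrade the old library file is unlinked, so a process that
# loaded it earlier shows the path with " (deleted)" in /proc/PID/maps.

# stale_openssl_pids [PROC_ROOT]
# Prints "PID NAME" for every process mapping a deleted libssl/libcrypto.
# PROC_ROOT defaults to /proc; it is a parameter only so that the function
# can be pointed at a constructed directory tree.
stale_openssl_pids() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq '/lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid_dir=${maps%/maps}
            pid=${pid_dir##*/}
            name=$(cat "$pid_dir/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# Constructed sample: two fake processes, one still mapping the old library.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/101" "$demo_root/202"
echo nginx > "$demo_root/101/comm"
echo sshd > "$demo_root/202/comm"
printf '%s\n' \
  '7f1c2a000000-7f1c2a05a000 r-xp 00000000 08:01 1311 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)' \
  > "$demo_root/101/maps"
printf '%s\n' \
  '7f9b10000000-7f9b1005a000 r-xp 00000000 08:01 2622 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0' \
  > "$demo_root/202/maps"
stale_openssl_pids "$demo_root"
rm -rf "$demo_root"
```

On a live host, run `stale_openssl_pids` as root with no argument; any process it lists needs a restart before the upgrade protects it.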
How can you check the updated version of OpenSSL?
After updating to the latest version, you can check the installed OpenSSL version with the command for your system.
For Debian release and fix versions:
Type the command below to see the installed version of OpenSSL.
dpkg -l | grep "openssl"
After typing the above command, you will receive output like the following.
ii openssl 1.0.1e-2+deb7u6 amd64 Secure Socket Layer (SSL) binary and related cryptographic tools
If your version of OpenSSL is at least as recent as the version listed below for your distribution, you should be protected:
- Debian 6 (Squeeze): Unaffected (Shipped with older version prior to vulnerability)
- Debian 7 (Wheezy): 1.0.1e-2+deb7u6
- Debian testing (Jessie): 1.0.1g-1
- Debian unstable (Sid): 1.0.1g-1
For Ubuntu release and fix versions:
For Ubuntu users, the correct, patched version is also release-dependent. Use this list to see the minimum secure version for your release:
- Ubuntu 10.04: Unaffected (Shipped with older version prior to vulnerability)
- Ubuntu 12.04: 1.0.1-4ubuntu5.12
- Ubuntu 12.10: 1.0.1c-3ubuntu2.7
- Ubuntu 13.04: SUPPORT END OF LIFE REACHED, SHOULD UPGRADE
- Ubuntu 13.10: 1.0.1e-3ubuntu1.2
If you are on one of the supported distros, ensure that your OpenSSL version is up-to-date. If your distribution is not supported anymore (Ubuntu 13.04), it is highly recommended that you transition to a supported operating system due to this bug’s severity.
For CentOS and Fedora Releases and Fix Versions
For CentOS and Fedora systems, type the following command.
rpm -q -a | grep "openssl"
After typing the above command, you will receive output that looks like this:
openssl-1.0.1e-16.el6_5.7.x86_64
The protected versions for CentOS and Fedora systems are listed below.
- CentOS 5: Unaffected (Shipped with older version prior to vulnerability)
- CentOS 6: openssl-1.0.1e-16.el6_5.7
- Fedora 17: Unaffected (Shipped with older version prior to vulnerability)
- Fedora 19: openssl-1.0.1e-37.fc19.1
For Arch Linux Fix Versions:
To check the installed version of OpenSSL, type the command below.
pacman -Q | grep "openssl"
After that, you will receive output that looks like this:
openssl 1.0.1.g-1
IIS and HeartBleed
If your website or application is running on the Windows operating system and IIS, you don’t need to worry about the HeartBleed vulnerability. Here is an excerpt from the official blog post published on IIS.net:
Microsoft Account and Microsoft Azure, along with most Microsoft Services, were not impacted by the OpenSSL vulnerability. Windows’ implementation of SSL/TLS was also not impacted.
The default configuration of Windows does not include OpenSSL, and as a result it is not affected by this vulnerability. The Windows operating system and IIS have their own encryption component, known as Secure Channel (SChannel), which is not vulnerable to the HeartBleed bug.
Important Note:
If you are running any application, website or software on Windows that uses OpenSSL instead of SChannel, it may be vulnerable, and we recommend following the guidelines provided in this article to fix the HeartBleed vulnerability.
Step: 2
Delete SSL key set
- First, make a list of your websites that are equipped with SSL certificates.
- After that, delete all existing SSL keys: the private keys and the CSRs.
- Finally, create a new private key and CSR for each of your websites. Remember that your keys should be of 2048-bit key length.
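The key replacement in this step only helps if the CSR sent for reissue carries a key that never lived on the vulnerable host. The following added example (not from the original article) creates a 2048-bit key and CSR with the openssl command line and checks exactly that; example.com and the file names are assumptions, and the comparison against the old key has to run before that key is deleted.

```shell
#!/bin/sh
# Added example: fresh 2048-bit RSA key + CSR for one site, with a check that
# the CSR does not reuse the key that lived on the vulnerable host.
# Assumed names: example.com, old.key, new.key, new.csr (all illustrative).

# SHA-256 of the public half of a private key file.
key_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key embedded in a CSR.
csr_fingerprint() {
    openssl req -in "$1" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Key size in bits, read from the key's text dump.
key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# new_key_and_csr DOMAIN KEY_OUT CSR_OUT
new_key_and_csr() {
    ( umask 077; openssl genrsa -out "$2" 2048 2>/dev/null ) &&
        openssl req -new -key "$2" -subj "/CN=$1" -out "$3"
}

# csr_uses_fresh_key OLD_KEY NEW_KEY CSR: succeeds only if the CSR carries
# NEW_KEY, NEW_KEY is at least 2048 bits, and NEW_KEY differs from OLD_KEY.
csr_uses_fresh_key() {
    old=$(key_fingerprint "$1"); new=$(key_fingerprint "$2")
    [ "$new" = "$(csr_fingerprint "$3")" ] &&
        [ "$new" != "$old" ] && [ "$(key_bits "$2")" -ge 2048 ]
}

# Constructed demo in a scratch directory; old.key stands in for the old key.
work=$(mktemp -d)
openssl genrsa -out "$work/old.key" 2048 2>/dev/null
new_key_and_csr example.com "$work/new.key" "$work/new.csr"
if csr_uses_fresh_key "$work/old.key" "$work/new.key" "$work/new.csr"; then
    echo "new.csr carries a fresh 2048-bit key"
fi
rm -rf "$work"
```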
Step: 3
Reissue/regenerate SSL key
If you are a customer of ClickSSL, do not worry; read on for the SSL regenerate/reissue process. The steps to reissue/regenerate SSL keys are as follows.
- Log in to your account.
- Click on the order number to open the order details.
- Click on the SSL reissue button.
- Follow the next steps to reissue the SSL certificate.
To reissue or regenerate an SSL key, you should consult your SSL certificate provider.
Step: 4
Install new SSL keys on server
Step: 5
Check your website for Heartbleed bug after installing the new SSL keys.