Heartbleed OpenSSL bug fix on Debian Wheezy

heartbleedFollowing the Debian Security Advisory DSA-2896-1 openssl — security update, a good practice would be to check wether your server is affected by the OpenSSL  Heartbleed security bug or not.

If you find your server affected by the bug, here are some few steps to  fix the problem on Debian Wheezy (but with slight changes you can use with other distros too).

As root:

aptitude update
aptitude upgrade libssl1.0.0
aptitude upgrade openssl

As you reboot you Apache or SSH servers, you will notice that  the bug is fixed, but the problem is still here, you private keys may be compromised, so it’s time to generate new secrets.

Apache

Let’s generate a new private key. First, let’s move to the ssl private keys directory:

cd /etc/ssl/private

Let’s issue:

openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr

So now we have a new private key and a csr  (certificate signing  request).

Time to strip the password from the private key:

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

And now, we self sign the certificate:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Have a look at your new certificate:

openssl x509 -in server.crt -text | less

Now let’s make everything readable just by root user, remember that we stripped the password from private key:

chmod o-r server*

Finally let’s copy the new public certificate to the right directory:

cp server.crt ../certs/

Do not forget to modify, if needed, the  entry for certificate  files in Apache conf :

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

Now, restart Apache:

service apache2 restart

 

SSHD

For OpenSSH it’s way easier. First, we remove the old host keys:

rm /etc/ssh/ssh_host_*

Now  we reconfigure openssh-server package to generate new keys:

dpkg-reconfigure openssh-server

Finally, if dpkg-reconfigure did not, we restart SSH

service ssh restart