{"id":1541,"date":"2014-04-09T08:49:09","date_gmt":"2014-04-09T07:49:09","guid":{"rendered":"http:\/\/www.zarrelli.org\/blog\/?p=1541"},"modified":"2014-04-09T12:24:16","modified_gmt":"2014-04-09T11:24:16","slug":"heartbeat-bug-fix-on-debian-wheezy","status":"publish","type":"post","link":"https:\/\/www.zarrelli.org\/blog\/heartbeat-bug-fix-on-debian-wheezy\/","title":{"rendered":"Heartbleed OpenSSL bug fix on Debian Wheezy"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-full wp-image-1553\" title=\"Heartbleed Openssl\" alt=\"heartbleed\" src=\"https:\/\/www.zarrelli.org\/blog\/wp-content\/uploads\/2014\/04\/heartbleed.png\" width=\"341\" height=\"413\" srcset=\"https:\/\/www.zarrelli.org\/blog\/wp-content\/uploads\/2014\/04\/heartbleed.png 341w, https:\/\/www.zarrelli.org\/blog\/wp-content\/uploads\/2014\/04\/heartbleed-247x300.png 247w\" sizes=\"auto, (max-width: 341px) 100vw, 341px\" \/>Following the <a title=\"Debian Security Advisory DSA-2896-1 openssl -- security update\" href=\"https:\/\/www.debian.org\/security\/2014\/dsa-2896\" target=\"_blank\">Debian Security Advisory DSA-2896-1 openssl &#8212; security update<\/a>, a good practice would be to <a title=\"Heartbleed test\" href=\"http:\/\/filippo.io\/Heartbleed\/\" target=\"_blank\">check<\/a> whether your server is affected by the OpenSSL <a href=\"https:\/\/heartbleed.com\/\" target=\"_blank\">Heartbleed<\/a> security bug or not.<\/p>\n<p>If you find your server affected by the bug, here are a few steps to fix the problem on Debian Wheezy (with slight changes you can use them on other distros too).<\/p>\n<p>As root:<\/p>\n<pre class=\"lang:sh decode:true\">aptitude update\r\naptitude upgrade libssl1.0.0\r\naptitude upgrade openssl<\/pre>\n<p>Once you restart your Apache or SSH servers, you will notice that the bug is fixed, but the underlying problem remains: your private keys may already have been compromised, so it&#8217;s time to generate new secrets.<\/p>\n<p><strong>Apache<\/strong><\/p>\n<p>Let&#8217;s generate a new private key. First, let&#8217;s move to the SSL private keys directory:<\/p>\n<pre class=\"lang:sh decode:true\">cd \/etc\/ssl\/private<\/pre>\n<p>Let&#8217;s issue:<\/p>\n<pre class=\"lang:sh decode:true\">openssl genrsa -des3 -out server.key 1024\r\nopenssl req -new -key server.key -out server.csr<\/pre>\n<p>So now we have a new private key and a CSR (certificate signing request).<\/p>\n<p>Time to strip the password from the private key:<\/p>\n<pre class=\"lang:sh decode:true\">cp server.key server.key.org\r\nopenssl rsa -in server.key.org -out server.key<\/pre>\n<p>And now we self-sign the certificate:<\/p>\n<pre class=\"lang:sh decode:true\">openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt<\/pre>\n<p>Have a look at your new certificate:<\/p>\n<pre class=\"lang:sh decode:true\">openssl x509 -in server.crt -text | less<\/pre>\n<p>Now let&#8217;s make sure none of these files is readable by other users; remember that we stripped the password from the private key:<\/p>\n<pre class=\"lang:sh decode:true\">chmod o-r server*<\/pre>\n<p>Finally, let&#8217;s copy the new public certificate to the right directory:<\/p>\n<pre class=\"lang:sh decode:true\">cp server.crt ..\/certs\/<\/pre>\n<p>Do not forget to update, if needed, the certificate file entries in the Apache configuration:<\/p>\n<pre class=\"lang:sh decode:true\">SSLCertificateFile \/etc\/ssl\/certs\/server.crt\r\nSSLCertificateKeyFile \/etc\/ssl\/private\/server.key<\/pre>\n<p>Now, restart Apache:<\/p>\n<pre class=\"lang:sh decode:true\">service apache2 restart<\/pre>\n<p><strong>SSHD<\/strong><\/p>\n<p>For OpenSSH it&#8217;s way easier. 
First, we remove the old host keys:<\/p>\n<pre class=\"lang:sh decode:true\">rm \/etc\/ssh\/ssh_host_*<\/pre>\n<p>Now we reconfigure the openssh-server package to generate new keys:<\/p>\n<pre class=\"lang:sh decode:true\">dpkg-reconfigure openssh-server<\/pre>\n<p>Finally, if dpkg-reconfigure did not already do so, we restart SSH:<\/p>\n<pre class=\"lang:sh decode:true\">service ssh restart<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Following the Debian Security Advisory DSA-2896-1 openssl &#8212; security update, a good practice would be to check whether your server is affected by the OpenSSL Heartbleed security bug or not. If you find your server affected by the bug, here are a few steps to fix the problem on Debian Wheezy (but with slight changes &hellip;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16,31,57,62],"tags":[98,385,437,435,436,438],"class_list":["post-1541","post","type-post","status-publish","format-standard","hentry","category-debian","category-gnulinux","category-sicurezza","category-sysadmin","tag-bug","tag-debian-2","tag-fix","tag-heartbleed","tag-openssl","tag-wheezy","without-featured-image"],"_links":{"self":[{"href":"https:\/\/www.zarrelli.org\/blog\/wp-json\/wp\/v2\/posts\/1541","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.zarrelli.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.zarrelli.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.zarrelli.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.zarrelli.org\/blog\/wp-json\/wp\/v2\/comments?post=1541"}],"version-history":[{"count":0,"href":"https:\/\/www.zarrelli.org\/blog\/wp-json\/wp\/v2\/posts\/1541\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.zarrelli.org\/blog\/wp-json\/wp\/v2\/media?parent=1541"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.zarrelli.org\/blog\/wp-json\/wp\/v2\/categories?post=1541"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.zarrelli.org\/blog\/wp-json\/wp\/v2\/tags?post=1541"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}