Heartbleed OpenSSL bug fix on Debian Wheezy
Following the Debian Security Advisory DSA-2896-1 openssl — security update, it is good practice to check whether your server is affected by the OpenSSL Heartbleed security bug or not.
If you find your server affected by the bug, here are a few steps to fix the problem on Debian Wheezy (with slight changes you can use them with other distros too).
As root:
aptitude update
aptitude upgrade libssl1.0.0
aptitude upgrade openssl
Once you restart your Apache or SSH servers you will notice that the bug is fixed, but the problem is not over: your private keys may already have been compromised, so it’s time to generate new secrets.
Apache
Let’s generate a new private key. First, let’s move to the ssl private keys directory:
cd /etc/ssl/private
Let’s issue:
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
So now we have a new private key and a CSR (certificate signing request).
Time to strip the password from the private key:
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
And now, we self sign the certificate:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Have a look at your new certificate:
openssl x509 -in server.crt -text | less
Now let’s make everything readable only by the root user; remember that we stripped the password from the private key:
chmod o-r server*
Finally let’s copy the new public certificate to the right directory:
cp server.crt ../certs/
Do not forget to modify, if needed, the entries for the certificate files in the Apache configuration:
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
Now, restart Apache:
service apache2 restart
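The Apache key rotation above, as an added example that is not part of the original post: a non-interactive script that generates the key without a passphrase (so the "strip the password" step is not needed), builds the CSR and self-signed certificate, and checks that the certificate really belongs to the new key before you restart Apache. It assumes openssl is on PATH, uses a 2048-bit key instead of 1024, and restricts the key to its owner (chmod 600, stricter than o-r); the target directory, validity and subject are parameters, and the subject below is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl on PATH.
set -u

# Generate a fresh RSA key, a CSR and a self-signed certificate in $1,
# valid for $2 days, with subject $3 (placeholder default).
rotate_cert() {
    dir=$1; days=$2
    subj=${3:-"/CN=www.example.com"}
    mkdir -p "$dir" || return 1
    # No -des3: the key is written unencrypted, as the post ends up with anyway.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "$subj" 2>/dev/null || return 1
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
    # Private key for the owner only; the certificate is public anyway.
    chmod 600 "$dir/server.key" && chmod 644 "$dir/server.crt"
}

# Before restarting Apache: the certificate must carry this key's modulus,
# otherwise Apache refuses to start (or serves the old, compromised pair).
keys_match() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Public-key fingerprint, so you can confirm the key actually changed.
key_fingerprint() {
    openssl rsa -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}'
}
```

Record the fingerprint of the old key before rotating and compare it with the new one; if they are equal, the old (possibly leaked) key is still in place.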
SSHD
For OpenSSH it’s way easier. First, we remove the old host keys:
rm /etc/ssh/ssh_host_*
Now we reconfigure openssh-server package to generate new keys:
dpkg-reconfigure openssh-server
Finally, if dpkg-reconfigure did not do it already, restart SSH:
service ssh restart