This bug has been getting a lot of press, even making the front page of the BBC.
Five days ago, one of my hosting providers tweeted that there was a nasty bug in OpenSSL, which hardly surprised me considering OpenSSL's security history.
The Heartbleed bug is not that severe a bug (5.0); indeed, MaraDNS' most recent CVE report was for a more severe bug (6.4).
The bug was very easy to fix:
yum -y update
service nginx restart
It was yet another routine update, in the scheme of things.
For those who wish to be extra careful, here is how to make a new server key and self-signed certificate:
openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
openssl rsa -passin pass:x -in server.pass.key -out server.key
rm server.pass.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key \
-out server.crt
While I was at it, I also hardened nginx's TLS configuration to use only secure ciphers, following Hynek Schlawack's instructions, by adding these lines to my nginx.conf file:
ssl_prefer_server_ciphers On;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
I also made sure root owns my server.key and server.crt files, and that they are only readable by root:
chown root:root server.key server.crt
chmod 600 server.key server.crt
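As an added example (not code from this post), here is a small Python checker for the two hardening steps above: it parses the ssl_* directives and reports obsolete protocols, a missing ssl_prefer_server_ciphers, or missing cipher exclusions, and it checks a key file's owner and mode. It flags the SSLv3 still listed in the ssl_protocols line above, since SSLv3 is obsolete; file paths are hypothetical.

```python
"""Checker for the hardening steps above (added example, not code from the
post).  Directive values below are the post's; file paths are hypothetical."""
import os
import re
import stat

OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}  # obsolete; drop SSLv3 from ssl_protocols
REQUIRED_EXCLUSIONS = {"!aNULL", "!MD5"}  # exclusions the post's cipher list relies on

# Constructed sample: the post's three directives, ssl_ciphers as one long line.
SAMPLE_CONF = """
ssl_prefer_server_ciphers On;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
"""

def parse_ssl_directives(conf_text):
    """Map each ssl_* directive to its value; values wrapped over lines are joined."""
    joined = re.sub(r"\s+", " ", conf_text)
    return {n: v.strip() for n, v in re.findall(r"(ssl_\w+)\s+([^;]+);", joined)}

def check_tls_directives(conf_text):
    """Return findings for the TLS directives; an empty list means nothing to fix."""
    d = parse_ssl_directives(conf_text)
    findings = []
    for p in sorted(set(d.get("ssl_protocols", "").split()) & OBSOLETE_PROTOCOLS):
        findings.append(f"ssl_protocols still enables {p}")
    if d.get("ssl_prefer_server_ciphers", "").lower() != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    ciphers = {c.strip() for c in d.get("ssl_ciphers", "").split(":")}
    for ex in sorted(REQUIRED_EXCLUSIONS - ciphers):
        findings.append(f"ssl_ciphers does not exclude {ex[1:]}")
    return findings

def check_key_owner_and_mode(uid, gid, mode):
    """Findings for a key file's owner and permission bits (want root:root, 0600)."""
    findings = []
    if uid != 0 or gid != 0:
        findings.append("not owned by root:root")
    if stat.S_IMODE(mode) & 0o077:
        findings.append("readable or writable by group/other")
    return findings

def check_key_file(path):  # e.g. check_key_file("server.key"); path is hypothetical
    st = os.stat(path)
    return check_key_owner_and_mode(st.st_uid, st.st_gid, st.st_mode)

if __name__ == "__main__":  # prints one finding per line for the sample config
    print("\n".join(check_tls_directives(SAMPLE_CONF)))
```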
As an aside, I use my own fork of nginx 1.2 with all CVE security patches applied.
While OpenSSL does not have the best security record, it is a package that is included with CentOS 6 and will therefore receive security updates until 2020.
To post a comment about this blog entry, go to the forum (self-signed https). New accounts may post once I approve the account.