Sam Trenholme's webpage
Support this website or listen to my music

The “Heartbleed” bug

 

April 12 2014

I briefly discuss the “Heartbleed” bug, and why my https certificate key has changed.

This bug has been getting a lot of press, even making the front page of the BBC.

==My experience==

Five days ago, one of my hosting providers tweeted that there was a nasty bug in OpenSSL, which hardly surprised me considering OpenSSL's security history.

The heartbleed bug is not that severe of a bug (5.0); indeed, MaraDNS’ most recent CVE report was a more severe bug (6.4).

==The fix==

The bug was very easy to fix:

yum -y update
service nginx restart

It was yet another routine update, in the scheme of things.

==Making a new server key==

For those who wish to be extra-careful, here is how to make a new self-signed server key:

openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
openssl rsa -passin pass:x -in server.pass.key -out server.key
rm server.pass.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key \
 -out server.crt

==Hardening nginx==

While I was at it, I also hardened OpenSSL on nginx to only use secure ciphers, as per Hynek Schlawack's instructions, by adding these lines to my nginx.conf file:

ssl_prefer_server_ciphers On;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:
 ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:
 RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

The last three lines above are actually one long line in my nginx.conf.

I also made sure root owns my server.key and server.crt files, and that they are only readable by root:

chown root:root server.key server.crt
chmod 600 server.key server.crt

As an aside, I use my own fork of nginx 1.2 with all CVE security patches applied.

==Still supported by CentOS==

While OpenSSL does not have the best security, it is a package that is included with CentOS 6 and, hence, will be supported with security updates until 2020.

To post a comment about this blog entry, go to the forum (self-signed https). New accounts may post once I approve the account.

Previous entry Next entry Blog index