Hi all, which actions do we have to take on our ispconfig 3 server in order to avoid that problem? More info: http://heartbleed.com/
Revoke / Reissue? Do any previously generated SSL certs need to be recreated after openssl is patched?
If you want to be absolutely sure, then you will have to recreate them. The problem is as follows: the ssl certs of the old version are technically fine. But you cannot know if someone already used the vulnerability to get the key of an ssl cert on your server. If someone was able to get the key, then your ssl cert is insecure, as this person will be able to decode all SSL sessions that are secured with this cert. According to the well-known German IT magazine c't (heise.de article in German), openssh is not affected by the issue, as openssh uses the openssl library internally but not the vulnerable function. So if this article is right, certs that are used for openssh only do not have to be replaced.
And if the link doesn't work? http://www.howtoforge.com/find_out_if_server_is_affected_from_openssl_heartbleed_vulnerability_cve-2014-0160_and_how_to_fix
I run ubuntu 13.04 Server amd64 and ispconfig 3. I have installed openssl through these commands:
Code:
curl https://www.openssl.org/source/openssl-1.0.1g.tar.gz | tar xz && cd openssl-1.0.1g && sudo ./config && sudo make && sudo make install
But if I do dpkg -l | grep openssl I get [openssl 1.0.1c-4ubuntu8.2 amd64]
Code:
XX@XX:~# dpkg -l | grep openssl
ii  libcrypt-openssl-bignum-perl  0.04-3              amd64  Access OpenSSL multiprecision integer arithmetic libraries
ii  libcrypt-openssl-rsa-perl     0.28-1              amd64  module for RSA encryption using OpenSSL
ii  libcurl4-openssl-dev          7.29.0-1ubuntu3.4   amd64  development files and documentation for libcurl (OpenSSL flavour)
ii  libgnutls-openssl27:amd64     2.12.23-1ubuntu1.1  amd64  GNU TLS library - OpenSSL wrapper
ii  openssl                       1.0.1c-4ubuntu8.2   amd64  Secure Socket Layer (SSL) binary and related cryptographic tools
but if I do [openssl version -a]
Code:
openssl version -a
OpenSSL 1.0.1g 7 Apr 2014
built on: Tue Apr 8 17:32:14 CEST 2014
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/local/ssl"
and it still shows I am vulnerable:
Code:
ext 65281 (renegotiation info, length=1)
ext 00035 (session ticket, length=0)
ext 00015 (heartbeat, length=1) <-- Your server supports heartbeat. Bug is possible when linking against OpenSSL 1.0.1f or older.
How do I fix this? I have restarted the server twice.
Ok, ssh is safe... but if I were paranoid, I would have to re-create the cert for: 1) Ispconfig (certainly) 2) Ftp 3) Mail server. Or is this unnecessary in that case too?
Heartbleed info for Centos users
There's some confusion, as openssl 1.0.1e in centos has been fixed. The only thing you have to do is:
yum update
It will automatically download and update a backported version of openssl-1.0.1e-16.el6_5.7 which has been patched by RedHat with heartbeat disabled.
To verify the update, check the changelog:
# rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160
You should see the following:
* Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
Issue with ispconfig not running the latest version of Apache prevents update. In trying to stop the heartbleed vulnerability I tried a distribution update. However, ispconfig will not run under the latest apache, so I am stuck. What are others doing who are running ubuntu 13.04, which is the perfect server image currently posted? That dist is no longer supported, and if you upgrade you get Apache 2.4 and no joy. Herb
After you have installed the distribution upgrade, install ispconfig 3.0.5.4 RC1 from here: http://www.ispconfig.org/blog/1/entry-125-ispconfig-3054-rc1-released/ This version has apache 2.4 support and there were no major issues found in the RC, so I think it's ok to use it on a production server.
Yes. If you want to be 100% sure, then replace all ssl certs for services that use TLS, as the bug is in the functions that are used for TLS-secured connections.
I don't think that your manual installation will work, as you replaced openssl, but not all software that is linked against it will use your manually compiled version. If your Ubuntu version is not supported with updates anymore, then you should consider doing a dist upgrade to a supported version.
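The point made in the reply above is worth checking rather than guessing: `openssl version` reports whatever binary is first in PATH, but a daemon uses whichever libssl the dynamic loader mapped into it. The following is an added example, not code from this thread or from ISPConfig, that reads a process's `/proc/PID/maps` on Linux and reports which libssl/libcrypto copies it actually has loaded and whether they are the distro-managed ones that `apt-get`/`yum` updates. The sample maps text is constructed, and the path rule for "distro-managed" (anything under /usr/lib or /lib) is an assumption that matches Debian and Ubuntu layouts.

```shell
#!/bin/sh
# Added example: which libssl is a *running* service really using?
# Not part of the thread or of ISPConfig. Linux only (reads /proc/PID/maps).

# libssl_from_maps: read /proc-style maps text on stdin, print distinct
# libssl/libcrypto paths (column 6 of a maps line is the mapped file).
libssl_from_maps() {
    awk '$6 ~ /libssl|libcrypto/ { print $6 }' | sort -u
}

# loaded_libssl PID: same thing for a live process (needs read access to its maps)
loaded_libssl() {
    libssl_from_maps < "/proc/$1/maps"
}

# is_distro_libssl PATH: succeed if the path is where the package manager
# installs libraries, i.e. the copy that a distro security update replaces.
# Assumption: /usr/lib and /lib are package-managed; /usr/local and others are not.
is_distro_libssl() {
    case "$1" in
        /usr/lib/*|/lib/*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_service_maps: maps text on stdin; prints one verdict per mapped
# libssl/libcrypto and fails if none is mapped at all (then TLS is not
# provided by OpenSSL in that process, or the wrong PID was given).
check_service_maps() {
    found=0
    for lib in $(libssl_from_maps); do
        if is_distro_libssl "$lib"; then
            echo "distro copy in use: $lib -> update the package and restart the service"
        else
            echo "non-distro copy in use: $lib -> a package update will not touch this, rebuild or remove it"
        fi
        found=1
    done
    [ "$found" -eq 1 ]
}

# Constructed sample: an apache worker that still has the Ubuntu 1.0.1c libssl
# mapped even though a hand-built 1.0.1g was installed under /usr/local/ssl.
SAMPLE_MAPS='7f1a0000-7f1a1000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f1a2000-7f1a3000 r--p 00001000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f1b0000-7f1b5000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f1c0000-7f1c1000 r-xp 00000000 08:01 9012 /lib/x86_64-linux-gnu/libc-2.17.so'

# Run stand-alone: report on the constructed sample.
printf '%s\n' "$SAMPLE_MAPS" | check_service_maps
```

On a real server, `loaded_libssl "$(pidof apache2 | cut -d' ' -f1)" | while read -r l; do is_distro_libssl "$l" && echo "distro: $l" || echo "other: $l"; done` tells you in one line whether the worker is on the package-managed library. If it is, the fix is the distro's updated package plus a restart of every TLS-speaking service (apache, postfix, dovecot, pure-ftpd), not a second OpenSSL in /usr/local; `dpkg -S /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0` names the package to check.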
Are there any step-by-step instructions on how to recycle the certificates on Debian wheezy with Ispconfig installed from the Perfect Server guide? Thanks!
To re-create the ispconfig ssl cert
Code:
cd /usr/local/ispconfig/interface/ssl/
mkdir oldcert
mv ispserver.* oldcert/
openssl req -new -newkey rsa:4096 -days 3650 -nodes -keyout ispserver.key -out ispserver.csr
openssl x509 -req -days 3650 -in ispserver.csr -signkey ispserver.key -out ispserver.crt
chown ispconfig:ispconfig ispserver.*
chmod 750 ispserver.*
/etc/init.d/apache2 restart
To re-create the pure-ftpd cert
Code:
cd /etc/ssl/private/
mv pure-ftpd.pem pure-ftpd.pem.old
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
chmod 600 /etc/ssl/private/pure-ftpd.pem
/etc/init.d/pure-ftpd-mysql restart
To re-create the postfix and dovecot cert
Code:
cd /etc/postfix/
mv smtpd.cert smtpd.cert.old
mv smtpd.key smtpd.key.old
openssl genrsa -out smtpd.key 2048
openssl req -new -x509 -key smtpd.key -out smtpd.cert -days 3650
chmod 640 smtpd.key
/etc/init.d/postfix restart
/etc/init.d/dovecot restart
To re-create the ispconfig ssl cert, for my installation it was necessary to re-issue a *.crt as follows
Code:
cd /usr/local/ispconfig/interface/ssl/
mkdir oldcert
mv ispserver.* oldcert/
openssl req -new -newkey rsa:4096 -days 3650 -nodes -keyout ispserver.key -out ispserver.csr
### openssl x509 -req -days 3650 -in ispserver.csr -signkey ispserver.key -out ispserver.crt ###
chown ispconfig:ispconfig ispserver.*
chmod 750 ispserver.*
/etc/init.d/apache2 restart
Hope this helps. Thanks.
Thanks for the instructions. I noticed that in /usr/local/ispconfig/interface/ssl, before the reissue of the certificates, there was a 4th file, ispserver.key.secure (now in the oldcert directory). After following your instructions this file was not recreated among the new files. Did I do something wrong, or is this file no longer needed? Thanks!
I think that on a normal ispconfig configuration it's not needed... this is the encrypted version of the private key, but after creation ispconfig uses the decrypted version. You can see the creation process of ispconfig in the make_ispconfig_ssl_cert function of the installer PHP:
Code:
public function make_ispconfig_ssl_cert() {
    global $conf;
    $install_dir = $conf['ispconfig_install_dir'];
    $ssl_crt_file = $install_dir.'/interface/ssl/ispserver.crt';
    $ssl_csr_file = $install_dir.'/interface/ssl/ispserver.csr';
    $ssl_key_file = $install_dir.'/interface/ssl/ispserver.key';
    if(!@is_dir($install_dir.'/interface/ssl')) mkdir($install_dir.'/interface/ssl', 0755, true);
    // temporary passphrase, only used while the files are generated
    $ssl_pw = substr(md5(mt_rand()),0,6);
    // passphrase-protected private key
    exec("openssl genrsa -des3 -passout pass:$ssl_pw -out $ssl_key_file 4096");
    // CSR, then a self-signed certificate made from it
    exec("openssl req -new -passin pass:$ssl_pw -passout pass:$ssl_pw -key $ssl_key_file -out $ssl_csr_file");
    exec("openssl req -x509 -passin pass:$ssl_pw -passout pass:$ssl_pw -key $ssl_key_file -in $ssl_csr_file -out $ssl_crt_file -days 3650");
    // decrypted copy of the key for apache; the encrypted original is kept as ispserver.key.secure
    exec("openssl rsa -passin pass:$ssl_pw -in $ssl_key_file -out $ssl_key_file.insecure");
    rename($ssl_key_file,$ssl_key_file.'.secure');
    rename($ssl_key_file.'.insecure',$ssl_key_file);
}
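For readers who want the same four files the installer produces (including the ispserver.key.secure asked about above) rather than the shorter recipe given earlier in the thread, here is an added shell example that follows the installer function's sequence non-interactively and then verifies the result. It is not code from the thread or from ISPConfig: the directory, CN, validity and key size are parameters (the defaults are assumptions), `-subj` is used so no prompts appear, the key files get mode 600 rather than the 750 used above, and the `cert_matches_key` check is the part a practitioner would want before restarting apache, since a cert/key mismatch only shows up as a failed service start.

```shell
#!/bin/sh
# Added example, not ISPConfig code: recreate an ISPConfig-style self-signed
# certificate set the way the installer does (encrypted key -> CSR -> cert ->
# decrypted working key), then verify it. Run as root against
# /usr/local/ispconfig/interface/ssl after moving the old files aside.

# make_isp_cert DIR CN [DAYS] [BITS]
# Produces ispserver.key.secure (passphrase-protected), ispserver.key (the
# decrypted copy apache loads), ispserver.csr and a self-signed ispserver.crt.
make_isp_cert() {
    dir=$1; cn=$2; days=${3:-3650}; bits=${4:-4096}
    key="$dir/ispserver.key"; csr="$dir/ispserver.csr"; crt="$dir/ispserver.crt"
    mkdir -p "$dir" || return 1
    # throwaway passphrase, only needed while the files are generated
    pw=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    openssl genrsa -des3 -passout "pass:$pw" -out "$key" "$bits" 2>/dev/null || return 1
    openssl req -new -key "$key" -passin "pass:$pw" -subj "/CN=$cn" -out "$csr" 2>/dev/null || return 1
    openssl x509 -req -days "$days" -in "$csr" -signkey "$key" -passin "pass:$pw" \
        -out "$crt" 2>/dev/null || return 1
    # decrypted copy for the web server; the encrypted original is kept as .secure
    openssl rsa -in "$key" -passin "pass:$pw" -out "$key.insecure" 2>/dev/null || return 1
    mv "$key" "$key.secure" && mv "$key.insecure" "$key" || return 1
    # private keys readable by their owner only (tighter than the chmod 750 used in the thread)
    chmod 600 "$key" "$key.secure" && chmod 644 "$csr" "$crt"
}

# cert_matches_key CRT KEY: succeed only if the certificate carries exactly
# the public key belonging to KEY (compares the two SubjectPublicKeyInfo PEMs)
cert_matches_key() {
    pa=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    pb=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$pa" ] && [ "$pa" = "$pb" ]
}

# cert_valid_now CRT: succeed if the certificate is inside its validity window
cert_valid_now() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# Stand-alone run: build a throwaway set in a temp dir and report on it.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_isp_cert "$d" demo.example.invalid 365 2048 &&
        cert_matches_key "$d/ispserver.crt" "$d/ispserver.key" &&
        cert_valid_now "$d/ispserver.crt" &&
        echo "ok: cert and key match, files in $d"
fi
```

For the live install: `make_isp_cert /usr/local/ispconfig/interface/ssl your.host.name && chown ispconfig:ispconfig /usr/local/ispconfig/interface/ssl/ispserver.* && cert_matches_key .../ispserver.crt .../ispserver.key && /etc/init.d/apache2 restart`. The same `cert_matches_key` check applies to the postfix and pure-ftpd files regenerated earlier in the thread.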