Heartbleed vulnerability

Discussion in 'Installation/Configuration' started by cubells, Apr 8, 2014.

  1. cubells

    cubells Member HowtoForge Supporter

    Hi all there:

    Which actions do we have to take on our ISPConfig 3 server in order to avoid that problem?

    More info: http://heartbleed.com/
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. susansmistake

    susansmistake New Member

    Revoke / Reissue?

    Do any previously generated SSL certs need to be recreated after openssl is patched?
  4. edge

    edge Active Member Moderator

  5. till

    till Super Moderator Staff Member ISPConfig Developer

    If you want to be absolutely sure, then you will have to recreate them.

    The problem is as follows:

    The SSL certs of the old version are technically fine. But you can not know if someone already used the vulnerability to get the key of an SSL cert on your server. If someone was able to get the key, then your SSL cert is insecure, as this person will be able to decode all SSL sessions that are secured with this cert.

    According to the well-known German IT magazine c't (heise.de article in German), OpenSSH is not affected by the issue, as OpenSSH uses the OpenSSL library internally but not the vulnerable function. So if this article is right, certs that are used for OpenSSH only do not have to be replaced.
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    I will add a link to this thread in the article.
  7. sijmenNL

    sijmenNL New Member

    And if the link doesn't work?


    I run Ubuntu 13.04 Server amd64 and ISPConfig 3.

    I have installed OpenSSL through these commands:
    curl https://www.openssl.org/source/openssl-1.0.1g.tar.gz | tar xz && cd openssl-1.0.1g && sudo ./config && sudo make && sudo make install
    But if I do dpkg -l | grep openssl I get [openssl 1.0.1c-4ubuntu8.2 amd64]

    XX@XX:~# dpkg -l | grep openssl
    ii  libcrypt-openssl-bignum-perl       0.04-3                                 amd64        Access OpenSSL multiprecision integer arithmetic libraries
    ii  libcrypt-openssl-rsa-perl          0.28-1                                 amd64        module for RSA encryption using OpenSSL
    ii  libcurl4-openssl-dev               7.29.0-1ubuntu3.4                      amd64        development files and documentation for libcurl (OpenSSL flavour)
    ii  libgnutls-openssl27:amd64          2.12.23-1ubuntu1.1                     amd64        GNU TLS library - OpenSSL wrapper
    ii  openssl                            1.0.1c-4ubuntu8.2                      amd64        Secure Socket Layer (SSL) binary and related cryptographic tools
    But if I do [openssl version -a]

    openssl version -a
    OpenSSL 1.0.1g 7 Apr 2014
    built on: Tue Apr  8 17:32:14 CEST 2014
    platform: linux-x86_64
    options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
    OPENSSLDIR: "/usr/local/ssl"
    And it still shows I am vulnerable:

    ext 65281 (renegotiation info, length=1)
    ext 00035 (session ticket, length=0)
    ext 00015 (heartbeat, length=1) <-- Your server supports heartbeat. Bug is possible when linking against OpenSSL 1.0.1f or older. 
    How to fix this? I have restarted the server twice.
    Last edited: Apr 9, 2014
  8. Stoned

    Stoned New Member

    OK, SSH is safe... but if I were paranoid, I would have to re-create the cert for:
    1) ISPConfig (certainly)
    2) FTP
    3) Mail server
    Or is it also unnecessary in this case?
  9. PermaNoob

    PermaNoob Member

    Heartbleed info for CentOS users

    There's some confusion, as openssl 1.0.1e in CentOS has been fixed:

    The only thing you have to do is: yum update

    It will automatically download and install a backported version, openssl-1.0.1e-16.el6_5.7, which has been patched by Red Hat with heartbeat disabled.

    To verify the update, check the changelog:

    # rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160

    You should see the following:

    * Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7 - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
  10. lanexllc

    lanexllc New Member

    Issue with ISPConfig not running the latest version of Apache prevents update

    In trying to stop the Heartbleed vulnerability I tried a distribution update. However, ISPConfig will not run under the latest Apache, so I am stuck. What are others doing who are running Ubuntu 13.04, which is the Perfect Server image currently posted? That dist is no longer supported, and if you upgrade you get Apache 2.4 and no joy.

    Last edited: Apr 10, 2014
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    After you have installed the distribution upgrade, install ISPConfig RC1 from here: http://www.ispconfig.org/blog/1/entry-125-ispconfig-3054-rc1-released/

    This version has Apache 2.4 support and there were no major issues found in the RC, so I think it's OK to use it on a production server.
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes. If you want to be 100% sure, then replace all SSL certs for services that use TLS, as the bug is in the functions that were used for TLS-secured connections.
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    I don't think that your manual installation will work, as you replaced OpenSSL, but not all software that is linked against it will use your manually compiled version. If your Ubuntu version is not supported anymore with updates, then you should consider doing a dist upgrade to a supported version.
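    The point till makes, checked on a live system: an added example (not from the thread or from ISPConfig) that reads /proc/<pid>/maps to show which libssl/libcrypto each running process really has loaded. It flags processes that still map a library file replaced on disk since they started (the kernel appends "(deleted)", so the service needs a restart), and processes that picked up a hand-built copy under /usr/local, as the ./config && make install in post 7 produces. Treating the /usr/local prefix as "manual build" is an assumption of this script.

```shell
#!/bin/sh
# Added example, not from the thread: which OpenSSL does each process really use?
# A patched libssl on disk is useless to a daemon that still maps the old copy,
# and a hand-built OpenSSL under /usr/local is useless to binaries linked against
# the distro's /lib or /usr/lib copy.
set -eu

# Classify every libssl/libcrypto mapping in one maps file ($2) for process $1.
# Output: "<pid> <library path> <status>", one line per distinct library, where
#   OLD-COPY-STILL-LOADED  the file was replaced or removed after the process
#                          started (kernel appends "(deleted)"): restart needed
#   NON-DISTRO-BUILD       the library lives under /usr/local (manual build,
#                          assumed prefix; e.g. /usr/local/ssl from ./config)
#   OK                     a current, distro-managed library is mapped
classify_maps() {
  pid=$1; maps=$2
  awk -v pid="$pid" '
    $6 ~ /lib(ssl|crypto)\.so/ {
      status = "OK"
      if ($7 == "(deleted)")           status = "OLD-COPY-STILL-LOADED"
      else if ($6 ~ /^\/usr\/local\//) status = "NON-DISTRO-BUILD"
      print pid, $6, status
    }' "$maps" | sort -u
}

# Walk all processes (needs root to read other users' maps) and report only the
# ones whose OpenSSL mapping is not OK, with the process name from /proc/<pid>/comm.
audit_running() {
  for m in /proc/[0-9]*/maps; do
    p=${m#/proc/}; p=${p%/maps}
    classify_maps "$p" "$m" 2>/dev/null | while read -r pid lib status; do
      [ "$status" = "OK" ] && continue
      comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
      printf '%s %s %s %s\n' "$pid" "$comm" "$lib" "$status"
    done || true
  done
}

# Number of non-OK mappings in one maps file; lets a cron job decide to alert.
count_flagged() {
  classify_maps "$1" "$2" | awk '$3 != "OK"' | wc -l | tr -d ' '
}

# Stand-alone use: run as root after a libssl update, then restart what is listed.
#   audit_running
```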
  14. tomnhanni

    tomnhanni New Member

    Are there any step-by-step instructions on how to recycle the certificates on Debian Wheezy with ISPConfig installed from Perfect Server?

  15. Honza

    Honza Member

    I would greatly appreciate this too.
  16. Stoned

    Stoned New Member

    To re-create ispconfig ssl cert

    cd /usr/local/ispconfig/interface/ssl/
    mkdir oldcert
    mv ispserver.* oldcert/
    openssl req -new -newkey rsa:4096 -days 3650 -nodes -keyout ispserver.key -out ispserver.csr
    openssl x509 -req -days 3650 -in ispserver.csr -signkey ispserver.key -out ispserver.crt
    chown ispconfig:ispconfig ispserver.*
    chmod 750 ispserver.*
    /etc/init.d/apache2 restart
    To re-create pure-ftpd cert

    cd /etc/ssl/private/
    mv pure-ftpd.pem pure-ftpd.pem.old
    openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
    chmod 600 /etc/ssl/private/pure-ftpd.pem
    /etc/init.d/pure-ftpd-mysql restart
    To re-create postfix and dovecot cert

    cd /etc/postfix/
    mv smtpd.cert smtpd.cert.old
    mv smtpd.key smtpd.key.old
    openssl genrsa -out smtpd.key 2048
    openssl req -new -x509 -key smtpd.key -out smtpd.cert -days 3650
    chmod 640 smtpd.key
    /etc/init.d/postfix restart
    /etc/init.d/dovecot restart
    Last edited: Apr 14, 2014
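    A scripted version of the re-create steps above, added here as an example (not from the thread or from ISPConfig): it moves the old files aside, generates a fresh RSA key with a new self-signed certificate in one command, and then proves the private key actually changed, since re-signing with an unchanged key would not help against a key leaked through Heartbleed. Directory, file name, key size, validity and CN are parameters; the chown/chmod and service restarts from the posts stay in the usage comment because they differ per service.

```shell
#!/bin/sh
# Added example (not from the thread or ISPConfig): rotate a self-signed key+cert
# as in the steps above, with a backup and a proof that the key material is new.
set -eu

# SHA-256 of a DER-encoded public key read from stdin; two key files belong to
# the same key pair exactly when this value matches.
der_sha256() {
  openssl dgst -sha256 | awk '{ print $NF }'
}

# Fingerprint of the public half of private key file $1.
key_fpr() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | der_sha256
}

# Fingerprint of the public key embedded in certificate $1.
cert_fpr() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -pubout -outform DER 2>/dev/null | der_sha256
}

# Move any existing $2.* in $1 to $1/oldcert (this also catches a leftover
# $2.key.secure), then create $2.key and $2.crt with a brand-new RSA-$3 key,
# valid $4 days, CN=$5. One command instead of the "req -new ; x509 -req" pair.
regen_selfsigned() {
  dir=$1; name=$2; bits=$3; days=$4; cn=$5
  mkdir -p "$dir/oldcert"
  for f in "$dir/$name".*; do
    [ -e "$f" ] && mv "$f" "$dir/oldcert/"
  done
  openssl req -x509 -nodes -newkey "rsa:$bits" -days "$days" -subj "/CN=$cn" \
    -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
  chmod 600 "$dir/$name.key"
}

# Exit 0 when key file $2 is a different key pair from key file $1.
key_rotated() { [ "$(key_fpr "$1")" != "$(key_fpr "$2")" ]; }

# Exit 0 when certificate $1 really belongs to private key $2.
cert_matches_key() { [ "$(cert_fpr "$1")" = "$(key_fpr "$2")" ]; }

# Stand-alone use for the ISPConfig interface cert (run as root, then apply the
# chown/chmod and the apache2 restart from the posts above):
#   d=/usr/local/ispconfig/interface/ssl
#   regen_selfsigned "$d" ispserver 4096 3650 "$(hostname -f)"
#   key_rotated "$d/oldcert/ispserver.key" "$d/ispserver.key" && echo "new key pair"
```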
  17. maxit

    maxit New Member

    To re-create ispconfig ssl cert
    For my installation it was necessary to re-issue a *.crt as follows:
    cd /usr/local/ispconfig/interface/ssl/
    mkdir oldcert
    mv ispserver.* oldcert/
    openssl req -new -newkey rsa:4096 -days 3650 -nodes -keyout ispserver.key -out 
    openssl x509 -req -days 3650 -in ispserver.csr -signkey ispserver.key -out ispserver.crt 
    chown ispconfig:ispconfig ispserver.*
    chmod 750 ispserver.*
    /etc/init.d/apache2 restart
    Hope this helps.
  18. Stoned

    Stoned New Member

    Yes, you are right: I skipped a line by mistake when I wrote the post! ;)
    I have also corrected my post.
  19. tomnhanni

    tomnhanni New Member

    Thanks for the instructions.

    I noticed that in /usr/local/ispconfig/interface/ssl, before the reissue of the certificates, there was a 4th file, ispserver.key.secure (now in the oldcert directory).
    After following your instructions this file was not recreated among the new files. Did I do something wrong, or is this file no longer needed?
  20. Stoned

    Stoned New Member

    I think that in a normal ISPConfig configuration it's not needed... this is the encrypted version of the private key, but after creation ISPConfig uses the decrypted version.
    You can see the creation process of ISPConfig in the make_ispconfig_ssl_cert function of the installer:

        public function make_ispconfig_ssl_cert() {
            global $conf;

            $install_dir = $conf['ispconfig_install_dir'];

            // The three files the interface uses; no .secure file is among them.
            $ssl_crt_file = $install_dir.'/interface/ssl/ispserver.crt';
            $ssl_csr_file = $install_dir.'/interface/ssl/ispserver.csr';
            $ssl_key_file = $install_dir.'/interface/ssl/ispserver.key';

            if(!is_dir($install_dir.'/interface/ssl')) mkdir($install_dir.'/interface/ssl', 0755, true);

            // Throw-away passphrase for the DES3-encrypted key; it only protects the
            // key during generation, because an unencrypted copy is exported below.
            $ssl_pw = substr(md5(mt_rand()), 0, 6);
            exec("openssl genrsa -des3 -passout pass:$ssl_pw -out $ssl_key_file 4096");
            exec("openssl req -new -passin pass:$ssl_pw -passout pass:$ssl_pw -key $ssl_key_file -out $ssl_csr_file");
            exec("openssl req -x509 -passin pass:$ssl_pw -passout pass:$ssl_pw -key $ssl_key_file -in $ssl_csr_file -out $ssl_crt_file -days 3650");
            // Passphrase-less copy of the key: this decrypted version is the one ISPConfig uses.
            exec("openssl rsa -passin pass:$ssl_pw -in $ssl_key_file -out $ssl_key_file.insecure");
            // (the post quotes the function only up to here)

