OpenSSL Heartbleed Bug (< 1.0.1g) - Encryption keys at risk

subwoofer12 (Registered Apr 9, 2014; cPanel Access Level: Website Owner)
Upgrading OpenSSL

Is there a way to update OpenSSL within WHM? I have version 1.0.1e, which means I'm affected by Heartbleed. I want to upgrade to 1.0.1g.
 

netbuilder (Registered Apr 9, 2014; cPanel Access Level: Root Administrator)
I have installed the latest OpenSSL version, 1.0.1g, on the server. But Apache still shows the old version of OpenSSL after a stop/start of Apache (see screenshot). Does anyone know how to resolve this? If I use EasyApache to recompile Apache, will it cause the OpenSSL version to revert to the default version 0.9.8e, which is much older?

[screenshot: Apache-Openssl.png]


:/>ssh -V
OpenSSH_6.4p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

:/>openssl version
OpenSSL 1.0.1g 7 Apr 2014
Thank you.
 

craigedmonds (Well-Known Member since Oct 29, 2007, Europe; cPanel Access Level: Root Administrator)
I have run the following command:
rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160
It gives me this:
# rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160
* Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
So I assume that my openssl is patched and fixed.

However, when I go to filippo.io/Heartbleed/ site, it still says that the site/server is vulnerable.

Also if I use this chrome plugin its saying all my sites "could be" vulnerable: https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic/details

Of course a couple of clients are pointing this out to me now, so I don't really know what to tell them.

Any ideas?
 

craigedmonds (Well-Known Member, Europe; cPanel Access Level: Root Administrator)
Did you reboot the server, or restart all services that use SSL (httpd, exim, dovecot, etc)? It's been repeated several times in this thread you need to restart all services.
Restarting services did not work.

Full reboot seems to do the trick.

Not fun rebooting 20 servers!
 

clarion (Registered Apr 10, 2014; cPanel Access Level: Root Administrator)
Craig, I had the exact same as you -- scratching my head about it. Then I just ran easyapache to recompile apache and PHP and this sorted it out. Now I am getting all good reports from the filippo.io/Heartbleed/ site
 

serkanhamarat (Registered Apr 10, 2014; cPanel Access Level: Root Administrator)
I updated a CentOS 6.5 server, and then the OpenSSL version was correct. Also, the package changelog describes the heartbeat fix.
But, when I go to: WHM -> Server Status -> Apache Status , I saw this:
Server Version: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/1.0.0-fips DAV/2 SVN/1.7.8 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_fcgid/2.3.6
It still writes OpenSSL/1.0.0-fips . What is that?
 

stef (Member since Jun 4, 2005, Belgium; cPanel Access Level: DataCenter Provider)
It still writes OpenSSL/1.0.0-fips . What is that?
You need to run EasyApache to compile apache/php against the new installed version of OpenSSL.

--
Oops, seems to be wrong. I thought the header info was generated at compile time (fixed), but seems that info is pulled from the modules (like OpenSSL) at runtime.
So a restart should be fine to have it show the new version, like @OkieDoke says below.
 

OkieDoke (Registered Dec 30, 2013; cPanel Access Level: Root Administrator)
Yes, the output you provided indicates the patch has been applied:

The RPM is patched, so you won't necessarily see a new version. Instead, you will see the CVE listed in the RPM change log.

Thank you.
It is essential that you do
service cpanel restart
though. As I was showing vulnerable with the patched RPM until I restarted all SSL services.

- - - Updated - - -

You need to run EasyApache to compile apache/php against the new installed version of OpenSSL.
This is incorrect. OpenSSL is a separately compiled package. A simple restart is fine.
As long as your changelog shows something dated in the last couple of days then you're protected.
 

markb14391 (Well-Known Member since Jun 9, 2008)
@Monsta_AU, thanks!

On DNS Only, I assume I should also regenerate remote access keys (and, of course, update any servers using those DNS servers in a cluster too).
 

Shane_from_UK (Active Member since Sep 14, 2008)
The OpenSSL Heartbleed Bug is fixed now, but what happens if my existing domain's SSL key was hacked before patching OpenSSL? What do I need to do to secure the existing certificates, as we are using them for a payment gateway?
 

ThinIce (Well-Known Member since Apr 27, 2006, Disillusioned in England; cPanel Access Level: Root Administrator)
We have published an article about the vulnerability here:

Heartbleed Vulnerability Information | cPanel, Inc.

Thank you.
Potentially moronic question on this if I may. Presuming in the worst case that information has been previously obtained due to this issue from a server such that its SSL traffic can be intercepted and later decrypted, are the WHM interface pages 'safe' to use to generate new keys and certificates with?

i.e. do they show these details / send them back to the browser (over the now potentially insecure link) before the service that is to use them (in the relevant case WHM) is restarted?

Looking at the new interface I'm hoping not but it does look possible to me if the certificate details button is clicked that all certs and keys are loaded into the page within script tags.

If I'm not being moronic, is there an interface / scripts to do this over ssh instead? I'm aware one can just replace the relevant files but I'm thinking of the general use case that isn't going to be happy doing that.
 

quizknows (Well-Known Member since Oct 20, 2009; cPanel Access Level: DataCenter Provider)
Regarding service restarts, I found that httpd restart did not fix the issue, but a quick httpd stop ; httpd start did. You have to hard restart the services if you don't want to reboot the server.
 
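Several posts above reach the same conclusion by trial and error: the RPM changelog shows the CVE-2014-0160 fix, yet a scanner still reports the host vulnerable until every TLS-using daemon is fully stopped and started (or the box rebooted). The reason is that `openssl version` and the RPM database describe what is on disk, while a running httpd, exim or dovecot keeps the pre-update libssl/libcrypto mapped in memory until it exits; `ssh -V` showing 0.9.8e next to `openssl version` showing 1.0.1g is the same on-disk-versus-linked distinction. The script below is an added example, not code from the thread or from cPanel: it checks the RPM changelog the way craigedmonds did, and then reads `/proc/<pid>/maps` for processes still holding a replaced (`(deleted)`) libssl or libcrypto, which is the list of services that need a stop/start. The sample maps lines are constructed for the demo, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread). Post-update checks for a RHEL/CentOS cPanel host:
#   rpm_patched          - does the installed openssl RPM's changelog carry CVE-2014-0160?
#   stale_ssl_maps       - given /proc/<pid>/maps lines on stdin, print libssl/libcrypto
#                          paths that were replaced on disk while still mapped ("(deleted)")
#   stale_ssl_processes  - walk all live processes and list those that need a stop/start
# A process still mapping a deleted library is still executing the old, vulnerable code,
# whatever `openssl version` or the RPM database say.

rpm_patched() {
    # Prints "patched", "unpatched", or "unknown" (when rpm is not available).
    command -v rpm >/dev/null 2>&1 || { echo unknown; return 0; }
    if rpm -q --changelog openssl 2>/dev/null | grep -q 'CVE-2014-0160'; then
        echo patched
    else
        echo unpatched
    fi
}

stale_ssl_maps() {
    # maps line format: address perms offset dev inode pathname [(deleted)]
    # Prints distinct stale library paths, one per line; empty output means nothing stale.
    grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' | awk '{print $6}' | sort -u
}

stale_ssl_processes() {
    # Prints "<pid> <cmdline>" for every process with a stale libssl/libcrypto mapping.
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if [ -n "$(stale_ssl_maps < "$maps" 2>/dev/null)" ]; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# Constructed sample (not from a real host): two mappings from a daemon started before the
# update, and one from a daemon started after it (same filename, but not "(deleted)").
SAMPLE_MAPS='7f3a1c000000-7f3a1c05f000 r-xp 00000000 fd:00 1234 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1c260000-7f3a1c3f0000 r-xp 00000000 fd:00 1235 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3a1c400000-7f3a1c45f000 r-xp 00000000 fd:00 5678 /usr/lib64/libssl.so.1.0.1e'

if [ "${1:-}" = "--live" ]; then
    echo "rpm changelog: $(rpm_patched)"
    echo "processes still mapping a replaced libssl/libcrypto (stop and start these):"
    stale_ssl_processes
else
    echo "$SAMPLE_MAPS" | stale_ssl_maps
fi
```

Run it with `--live` as root on the real host; without arguments it only processes the constructed sample and prints the two stale library paths. An empty list from `stale_ssl_processes` after the restarts is the condition the external scanners were waiting for; a reboot is simply the blunt way of guaranteeing it.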

MaraBlue (Well-Known Member since May 3, 2005, Carmichael, CA; cPanel Access Level: Root Administrator)
Regarding service restarts, I found that httpd restart did not fix the issue, but a quick httpd stop ; httpd start did. you have to hard restart the services if you don't want to reboot the server.
That's *also* been detailed in this thread. Come on guys, read. It's only a 2 page thread.
 

PCZero (Well-Known Member since Dec 13, 2003, Earth)
OK folks it has been a while since I dug into some of this. Combine that with the fact that I just had major knee surgery and I am taking some pretty hefty pain killers you can understand that I am having a little difficulty. I got everything updated I believe.

I got this...

# rpm -q --changelog openssl | grep -B 1 CVE-2014-0160
* Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

Which I believe means I am current.

Under the assumption that all of that is correct, I want to proceed to reissue my certificate. I have followed all of the steps outlined by GeoTrust to get the cert reissued (new CSR, etc.) and now have the final email from them with the new data.

This is where I am having a brain fart and the pain killers are kicking in. In WHM 11.42.1 (build 5), how do I go about installing the new cert, REPLACING the one I have installed already? Whichever is easiest (if even available): I can use either the WHM web interface or make changes shelled in as root. If someone can give me the step-by-step drug-addled idiot's guide to this I would greatly appreciate it. At this point I would need a guide that even lists the "any stupid idiot would know this step" steps.

Thanks!
 

MaraBlue (Well-Known Member since May 3, 2005, Carmichael, CA; cPanel Access Level: Root Administrator)
This is where I am having a brain fart and the pain killers are kicking in. In WHM 11.42.1 (build 5) hoe do I go about installing the new cert REPLACING the one I have installed already. Whichever is easiest (if even available) I can use either the WHM web interface or make changes shelled as root. If someone can give me the step-by-step drug addled idiots guide to this I would greatly appreciate it. At this point i would need a guide that even lists the "any stupid idiot would know this step" steps.

Thanks!
IME the best way is to remove the previous cert (including CSR and key), then install the new one. I did/tried it both ways, and without removing the previous old cert, cPanel screws everything up (sorry, cP peeps, but it does). I found the old CSR would be hostname.com 1, where the new key would be hostname.key (without the "1"), yet the old key would suddenly have a 1.

There's no easy way to differentiate the *old* cert from the *new* cert (without opening each up, comparing to the backup...and that's too error prone).

Do definitely keep a record of the serial number of the old cert before you delete it, so GeoTrust can revoke it (you have to email them for this).

HTH, and hope you feel better. :)
 
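Two practical worries surface in the last few posts: ThinIce asks whether it is safe to generate the replacement key and CSR through WHM when the link to WHM may itself still be protected by a key that could have leaked, and MaraBlue points out that you need the old certificate's serial number on record before deleting it (the CA revokes by serial) and that telling the old and new certificate apart by eye is error-prone. The script below is an added example, not code from the thread or from cPanel, showing the same steps done over SSH with the plain openssl CLI: the key and CSR are created on the server and never leave it, the old certificate's serial and fingerprint are captured before it is removed, and the key is checked against the CSR and the returned certificate by comparing their RSA moduli so the wrong file cannot be installed. It assumes the openssl command is in PATH; `www.example.com`, the output directory and the `served_serial` host are placeholders, and the demo self-signs the CSR only to stand in for the CA's reply.

```shell
#!/bin/sh
# Added example (not from the thread). Key rotation after Heartbleed, done on the server
# over SSH rather than through a web session whose TLS key may have been exposed.
#   new_key_and_csr  - fresh 2048-bit RSA key and CSR for a hostname, mode 0600
#   cert_summary     - serial, SHA-1 fingerprint, subject and validity of a certificate
#                      (record this for the OLD cert before deleting it; CAs revoke by serial)
#   key_matches      - does a private key belong to the given CSR or certificate?
#   served_serial    - serial of the certificate a live host actually presents on 443
# Requires the openssl CLI (1.x or 3.x); hostnames and paths below are placeholders.

new_key_and_csr() {    # new_key_and_csr <hostname> <outdir>
    host=$1; dir=$2
    umask 077   # private key must not be group- or world-readable
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" -subj "/CN=$host" 2>/dev/null
}

cert_summary() {       # cert_summary <cert.pem>
    openssl x509 -in "$1" -noout -serial -fingerprint -sha1 -subject -startdate -enddate
}

_modulus_digest() {    # _modulus_digest <key|csr|crt> <file>  -> SHA-256 of "Modulus=..."
    case "$1" in
        key) openssl rsa  -noout -modulus -in "$2" 2>/dev/null ;;
        csr) openssl req  -noout -modulus -in "$2" 2>/dev/null ;;
        crt) openssl x509 -noout -modulus -in "$2" 2>/dev/null ;;
    esac | openssl dgst -sha256
}

key_matches() {        # key_matches <key.pem> <csr|crt> <file>  -> "match" or "MISMATCH"
    if [ "$(_modulus_digest key "$1")" = "$(_modulus_digest "$2" "$3")" ]; then
        echo match
    else
        echo MISMATCH
    fi
}

served_serial() {      # served_serial <host> [port]  (network access; not used by the demo)
    echo | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -serial
}

# Demo: generate key+CSR, self-sign the CSR in place of the CA's reply, verify the pairing,
# and show what a wrong key (a second, unrelated key) looks like.
demo() {
    dir=$(mktemp -d); host=www.example.com     # placeholder hostname
    new_key_and_csr "$host" "$dir"
    openssl x509 -req -in "$dir/$host.csr" -signkey "$dir/$host.key" -days 1 \
        -out "$dir/$host.crt" 2>/dev/null
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
    echo "record before deleting the old cert:"; cert_summary "$dir/$host.crt"
    echo "right key: $(key_matches "$dir/$host.key" crt "$dir/$host.crt")"
    echo "wrong key: $(key_matches "$dir/other.key" crt "$dir/$host.crt")"
    rm -rf "$dir"
}

demo
```

In practice, run `cert_summary` on the currently installed certificate and save the output with the ticket before touching WHM, generate the key and CSR with `new_key_and_csr`, paste only the CSR (which is public) into the CA's reissue form, and run `key_matches` on the certificate the CA returns before installing it. After the services have been stopped and started, `served_serial` against the public hostname should print the new serial; if it still prints the old one, a stale process is still serving the old certificate.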

PCZero (Well-Known Member since Dec 13, 2003, Earth)
Mara, can you give me the click-by-click, ignorant DFU, idiot's guide on how to do this? Assume I am sitting at my computer logged into WHM, staring at the screen and trying to figure out what to click and in what order. I don't want to assume even the simple stuff right now. These pain killers are pretty good! :)

PS include the steps to keep a record of the old serial number etc please...