OpenSSL Heartbleed Bug (< 1.0.1g) - Encryption keys at risk

MaraBlue

Well-Known Member
May 3, 2005
332
2
168
Carmichael, CA
cPanel Access Level
Root Administrator
Mara, can you give me the click by click, ignorant DFU, idiot guide on how to do this. Assume I am sitting at my computer logged into WHM, staring at the screen and trying to figure out what to click and in what order. I don't want to assume even the simple stuff right now. These pain killers are pretty good! :)

PS include the steps to keep a record of the old serial number etc please...
I just finished my taxes. I think you should share your pain killers with me. :)

OK, here we go. This worked for me, YMMV, and all other standard disclaimers.

1. WHM -> SSL/TLS -> SSL Storage Manager.

2. Find the cert you want to replace, click the little magnifying glass. That will show "Resource Information", or the details of the cert.

3. In the second text box you'll see "Detailed Information." Right after the validity dates is the serial number:
Code:
Validity
            Not Before: Apr  9 15:35:45 2014 GMT
            Not After : Nov  1 13:18:19 2016 GMT
        Subject: serialNumber = oU1IU2HodzjQ5P5AjXXXXXX  <--- this number
Copy that number and save it.

4. Assuming you already have the new CSR and key created (going by what you posted above), as well as the new cert, then go ahead and remove the old one(s) by clicking the red circle with the "X" in the center. Make sure you delete the old ones, and not the newly created ones. If you accidentally mess that up, it's no big deal, you can always have the cert reissued again. I had to do the shared server cert twice, because the first time I accidentally chose SHA-1 hashing instead of SHA-2.

5. Still in the WHM -> SSL/TLS section, go to Install an SSL Certificate on a Domain.

6. Fill in the "Domain" just as it is on the certificate.

7. Find the IP if needed (depends on if this is a cert for the hostname, a user's account, etc).

8. Don't use auto-discover, paste the new cert into the box. Paste the new key (or verify that the NEW key is showing if WHM finds a key on the server...never assume it found the correct one, always verify it is in fact the correct one).

9. I normally let WHM find the CAB. So all that's left is to click the shiny install button, and you're done. :)

I forgot to add, if the cert is for the server's hostname/shared hosting/services, don't forget to go to Service Configuration -> Manage Service SSL Certificates and "install" the cert for use by the services. This is SUPER easy now with the latest cPanel version.

Go to "Browse certificates", find yours, click the checkboxes by all the services (cPanel, FTP, Exim, Dovecot), then another shiny "install" button at the bottom.
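Step 3 above is about keeping a record of the old certificate before it is removed, and step 4 warns about deleting the new one by mistake. As an added example, not part of MaraBlue's post or of cPanel's own tooling, the script below records a certificate's serial number, SHA-256 fingerprint and expiry from the shell, and checks that two PEM files really are different certificates. It uses two throwaway self-signed certificates as constructed stand-ins for the old and the new cert; `served_cert` (hypothetical helper) fetches what a live host presents after the install so the same check can be run against it.

```shell
#!/bin/sh
# Added example (not from the thread): record a certificate's identity before
# replacing it, then confirm the one installed afterwards is a different one.
set -eu

# Hex serial number from the certificate's own serial field.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# SHA-256 fingerprint: unambiguous identity for a certificate file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# One-line record to keep with the change ticket.
cert_record() {
    printf '%s serial=%s sha256=%s %s\n' "$1" "$(cert_serial "$1")" \
        "$(cert_fingerprint "$1")" "$(openssl x509 -in "$1" -noout -enddate)"
}

# Returns 0 when the two files hold different certificates.
cert_replaced() {
    [ "$(cert_fingerprint "$1")" != "$(cert_fingerprint "$2")" ]
}

# Hypothetical helper: PEM of the certificate a live host actually serves
# (host port), for comparing against the record after the install.
served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | openssl x509
}

# Constructed sample: two self-signed throwaway certs standing in for old and new.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.pem" -subj "/CN=example.test" -days 30 2>/dev/null
}
make_cert old
make_cert new

cert_record "$WORK/old.pem"   # save this line before deleting the old cert
cert_record "$WORK/new.pem"
if cert_replaced "$WORK/old.pem" "$WORK/new.pem"; then
    echo "new certificate differs from the recorded old one: good"
else
    echo "WARNING: same certificate as before; the old one may still be installed"
fi
```

After the WHM install, `served_cert yourhost 443 > served.pem` followed by `cert_replaced old.pem served.pem` tells you whether the services are presenting the new certificate or still the recorded old one.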

h4ni

Member
Feb 7, 2011
10
0
51
Hello
After I upgraded openssl and restarted services, when I go to the filippo.io/Heartbleed/ site, I get: Uh-oh, something went wrong: tls: oversized record received with length 20291

Does anyone have an idea?
 

upsforum

Well-Known Member
Jul 27, 2005
474
0
166

h4ni

Member
Feb 7, 2011
10
0
51
Hello
After I upgraded openssl and restarted services, when I go to the filippo.io/Heartbleed/ site, I get: Uh-oh, something went wrong: tls: oversized record received with length 20291

Does anyone have an idea?
I have

* Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
 

MaraBlue

Well-Known Member
May 3, 2005
332
2
168
Carmichael, CA
cPanel Access Level
Root Administrator
I have heard of some false positives from the filippo.io checker. If you get an error there, and if you're sure you've followed all steps (including restarting all services that use SSL, or rebooting your server), then try the checker from SSLLabs:

https://www.ssllabs.com/ssltest/
 

noimad1

Well-Known Member
Mar 27, 2003
626
0
166
We did all this, yet when we go to Test your server for Heartbleed (CVE-2014-0160) and run a test it still says we are vulnerable? Am I missing something?

Here is the output:

rpm -q --changelog openssl | grep -B 1 CVE-2014-0160
* Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension


nevermind...restarted all the services again and it worked.

robb3369

Well-Known Member
Mar 1, 2008
122
1
66
cPanel Access Level
Root Administrator

upsforum

Well-Known Member
Jul 27, 2005
474
0
166
Re: Heartbleed Bug and openssl old versions

I tried with geotrust and ssllabs but same result, the server is vulnerable:

-------------------------------
geotrust result:
OpenSSL Heartbleed vulnerability assessment
Your server is vulnerable to Heartbleed attack.

ssllabs result:
This server is vulnerable to the Heartbleed attack. Grade set to F. (Experimental)
---------------------------

I have a vps with these specs

CENTOS 5.10 x86_64 vmware
WHM 11.42.1

[email protected] [~]# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

[email protected] [~]# rpm -q --changelog openssl | grep -B 1 CVE-2014-0160
[email protected] [~]#

Official guides say that this openssl version is not vulnerable, but if I use this tool Test your server for Heartbleed (CVE-2014-0160) the result is that all sites on my VPS are vulnerable.
 

taeseer

Registered
Dec 4, 2012
1
0
1
cPanel Access Level
Root Administrator
I tried to upgrade OpenSSL, and it installed successfully; however, when I check its version

openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013 (Not updated to 1.0.1g)

When I check from file

cat /usr/local/ssl/lib/pkgconfig/openssl.pc
prefix=/usr/local/ssl
exec_prefix=${prefix}
libdir=${exec_prefix}/lib
includedir=${prefix}/include

Name: OpenSSL
Description: Secure Sockets Layer and cryptography libraries and tools
Version: 1.0.1g
Requires:
Libs: -L${libdir} -lssl -lcrypto
Libs.private: -ldl
Cflags: -I${includedir}

This file shows the updated new version 1.0.1g.

Should I assume the server is upgraded to the new version, or do I need anything more?

Taeseer.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
As stated before, this issue does not affect OpenSSL 0.9.8e as shipped with CentOS 5.

https://access.redhat.com/security/cve/CVE-2014-0160

This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6.4 and earlier, Red Hat JBoss Enterprise Application Platform 5 and 6, and Red Hat JBoss Web Server 1 and 2. This issue does affect Red Hat Enterprise Linux 6.5, Red Hat Enterprise Virtualization Hypervisor 6.5, and Red Hat Storage 2.1, which provided openssl 1.0.1e. Errata have been released to correct this issue.
 

magicalwonders

Well-Known Member
Nov 21, 2012
112
2
18
cPanel Access Level
Root Administrator
Hello,

I have a managed VPS running CENTOS 6.5 x86_64 virtuozzo with WHM 11.42.1 (build 5).

I've carried out the steps as advised by Michael in post 18. But after testing the server using filippo.io/Heartbleed and getting the message "tls: oversized record received with length 20291" I noticed I'd missed checking the SSL certificates in the Manage SSL Hosts interface of WHM.

However, when I navigate to SSL/TLS » Manage SSL Hosts, it shows the following -

There are no secure sites configured on your server!
Do I need to do something about this and generate self-signed certificates? I have two IP addresses. My primary, which WHM is installed on is a shared IP with other domains, plus I have another domain on a dedicated IP address.

My understanding is that SSL can only be installed on dedicated IP addresses? Maybe I have misunderstood that?

I'd appreciate some advice on what I need to do, if anything.

Many thanks,

Myles
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,254
463
Do I need to do something about this and generate self-signed certificates? I have two IP addresses. My primary, which WHM is installed on is a shared IP with other domains, plus I have another domain on a dedicated IP address.

My understanding is that SSL can only be installed on dedicated IP addresses? Maybe I have misunderstood that?
1. You would only need to consider regenerating certificates that were already installed/generated prior to when your system was patched. If no certificates were installed/previously generated, then it's not required. Remember to reset the service certificates in "WHM Home » Service Configuration » Manage Service SSL Certificates".

2. A dedicated IP address is not required for SSL certificates. Your system can utilize SNI and install multiple certificates on a single IP assuming you are using CentOS/Redhat 6+.

Thank you.
 

magicalwonders

Well-Known Member
Nov 21, 2012
112
2
18
cPanel Access Level
Root Administrator
1. You would only need to consider regenerating certificates that were already installed/generated prior to when your system was patched. If no certificates were installed/previously generated, then it's not required. Remember to reset the service certificates in "WHM Home » Service Configuration » Manage Service SSL Certificates".

2. A dedicated IP address is not required for SSL certificates. Your system can utilize SNI and install multiple certificates on a single IP assuming you are using CentOS/Redhat 6+.

Thank you.
OK thanks. I reset all the service certificates, so I guess everything is good again. :)
 

nathonjones

Registered
Apr 22, 2014
1
0
1
cPanel Access Level
Root Administrator
OpenSSL / Heartbleed / cPanel - how to update? Total newbie - go easy on me!

Our host, Heart Internet, recently e-mailed us to inform us that their systems were vulnerable to the Heartbleed issue. We have a VPS with them running CentOS6 and an SSL certificate installed.

Heart Internet won't, however, support us in fixing the issue suggesting, rather, that "if we don't know how to do it then maybe you should read a guide". :confused:

I am completely new to VPS management and this has worried the life out of me because I can't seem to get things updated.

I worked out that I needed to use "Putty" to access the server using "shell"? (stop laughing!) and we entered the following, as recommended by Heart Internet:
openssl version

We are shown:
OpenSSL 1.0.1e-fips 11 Feb 2013

We have run through almost all of the update advice posted here:
security - How to upgrade OpenSSL in CentOS 6.5 / Linux / Unix from source? - Stack Overflow

..but despite it, we are still shown "OpenSSL 1.0.1e-fips 11 Feb 2013" in shell when we run "openssl version".

So, we tried this, following advice in forums:

To verify the update simply check the changelog:
# rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160
you should see the following:
* Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

...which we do!

If we go to the following test site we are also told that our server is ok:
https://filippo.io/Heartbleed/

Heart Internet are refusing to accept this because running "openssl version" always returns "OpenSSL 1.0.1e-fips 11 Feb 2013".

I've read that I need to restart services after we run the update. Can someone tell me, in basic terms, what I need to update / reboot and how I go about that? I've rebooted the server from the VPS control panel that Heart Internet provide but that doesn't resolve anything.

Would appreciate your advice and assistance.
Thank you
NJ
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,254
463
Re: OpenSSL / Heartbleed / cPanel - how to update? Total newbie - go easy on me!

Heart Internet are refusing to accept this because running "openssl version" always returns "OpenSSL 1.0.1e-fips 11 Feb 2013"
Could you have them review the blog post here so they are familiar with how to determine if a system is affected by the issue?

Thanks.
 

sreeninair

Well-Known Member
Dec 23, 2013
100
0
16
cPanel Access Level
Root Administrator
Openssl : heart bleed upgrade

Hello Guys,

I am unable to upgrade openssl in my server. Please see the logs below.


===============
yum update openssl
Loaded plugins: fastestmirror, refresh-updatesd, rhnplugin
Loading mirror speeds from cached hostfile
* cloudlinux-x86_64-server-5: xmlrpc.cln.cloudlinux.com
* epel: mirror.es.its.nyu.edu
Excluding Packages in global exclude list
Finished
Setting up Update Process
No Packages marked for Update
[email protected] [/usr/src/openssl-1.0.1g/crypto]# yum update
Loaded plugins: fastestmirror, refresh-updatesd, rhnplugin
Loading mirror speeds from cached hostfile
* cloudlinux-x86_64-server-5: xmlrpc.cln.cloudlinux.com
* epel: mirror.es.its.nyu.edu
Excluding Packages in global exclude list
Finished
Setting up Update Process
No Packages marked for Update

===============
# rpm -qa |grep openssl
openssl-devel-0.9.8e-27.el5_10.1
openssl-0.9.8e-27.el5_10.1
openssl-devel-0.9.8e-27.el5_10.1
openssl-0.9.8e-27.el5_10.1
================
# openssl version -a
-bash: openssl: command not found
================

I tried to install the latest version from source. make throws the following error.



-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -c -o cryptlib.o cryptlib.c
<built-in>:0: internal compiler error: in builtin_function, at c-decl.c:2846
Please submit a full bug report,
with preprocessed source if appropriate.
See <URL:http://bugzilla.redhat.com/bugzilla> for instructions.
make[1]: *** [cryptlib.o] Error 1
make[1]: Leaving directory `/usr/src/openssl-1.0.1g/crypto'
make: *** [build_crypto] Error 1


==========================
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,254
463
Re: Openssl : heart bleed upgrade

I am unable to upgrade openssl in my server. Please see the logs below.
RHEL/CentOS 5 servers (this would extend to Cloud Linux 5), which are using the OpenSSL 0.9.8 RPM included in the official OS repositories, are not vulnerable to the Heartbleed issue since they are using an older version of OpenSSL that never contained this vulnerability.

This is from the following blog post:

Heartbleed Vulnerability Information | cPanel, Inc.

Thanks.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Re: OpenSSL / Heartbleed / cPanel - how to update? Total newbie - go easy on me!

So, we tried this, following advice in forums:

To verify the update simply check the changelog:
# rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160
you should see the following:
* Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

...which we do!

If we go to the following test site we are also told that our server is ok:
https://filippo.io/Heartbleed/

Heart Internet are refusing to accept this because running "openssl version" always returns "OpenSSL 1.0.1e-fips 11 Feb 2013".

I've read that I need to restart services after we run the update. Can someone tell me, in basic terms, what I need to update / reboot and how I go about that? I've rebooted the server from the VPS control panel that Heart Internet provide but that doesn't resolve anything.

Would appreciate your advice and assistance.
Thank you
NJ
If you see that changelog and have rebooted then you are fine. CentOS / RHEL often "backports" software, meaning you see a version that looks the same, but it has patches added to it.

If the https://filippo.io/Heartbleed/ says you're OK, your change log contains the correct CVE indicating the backport, and you've rebooted, then you are fine. I don't care what your host says, you've done what you need to (aside from possibly re-issuing and re-installing your certificate(s)).