Fix the OpenSSL Heartbleed flaw on Debian-based systems

After my previous post giving an overview of the OpenSSL Heartbleed flaw, I will now explain how to fix the vulnerability in the simplest way I have found. Please note that this post applies only to Debian-based systems, but it can be adapted to other distributions. Before trying to fix your OpenSSL package, make sure that it is actually vulnerable.

Test if your OpenSSL package is vulnerable

The simplest way to test whether your server is vulnerable is to use an online checker. The next picture shows that yoursite.com is vulnerable. The online tool can be found at the following address: https://filippo.io/Heartbleed/

[Screenshot: the online checker reporting yoursite.com as vulnerable]

Note that you can specify another port when you enter your server's URL, because by default this tool tries only port 443. To confirm the result, check the build date of the OpenSSL software on the server with the following command:

root@myserver:~# openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Wed Jan  8 20:45:51 UTC 2014

If the build date is before 7 April 2014 and after 2012, you must conclude that this version of OpenSSL is vulnerable to the Heartbleed flaw. Note that the version string itself ("OpenSSL 1.0.1 14 Mar 2012") does not change when Debian backports the security fix; only the build date tells a patched build from a vulnerable one.
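As an added example (not code from the original post), the following POSIX shell script applies the build-date rule above to the text printed by "openssl version -a". It goes slightly beyond the rule: it also looks at the version line, because only the 1.0.1 series carries the heartbeat code, and it reports "unknown" instead of guessing when the "built on:" line has no parseable date (some builds print "reproducible build, date unspecified"). The function names and the two sample outputs (copied from the listings in this post) are my own constructions.

```shell
#!/bin/sh
# Added example, not part of the original post: classify an `openssl version -a`
# output by its "built on:" date. Debian keeps the upstream version string
# "1.0.1" and backports the fix, so the build date, not the version number,
# is what tells a patched build from a vulnerable one.

# Map a month abbreviation to a two-digit number (prints "00" if unknown).
month_num() {
    case "$1" in
        Jan) echo 01 ;; Feb) echo 02 ;; Mar) echo 03 ;; Apr) echo 04 ;;
        May) echo 05 ;; Jun) echo 06 ;; Jul) echo 07 ;; Aug) echo 08 ;;
        Sep) echo 09 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *)   echo 00 ;;
    esac
}

# Reduce the line "built on: Wed Jan  8 20:45:51 UTC 2014" to the sortable
# number 20140108. Prints nothing if the line is missing or not in that shape
# (e.g. "built on: reproducible build, date unspecified").
# $1 is the full `openssl version -a` text.
build_date_key() {
    line=$(printf '%s\n' "$1" | grep '^built on:' | head -n 1)
    set -- $line   # word-split into: built on: Wed Jan 8 20:45:51 UTC 2014
    [ $# -ge 8 ] || return 0
    mon=$(month_num "$4")
    [ "$mon" != 00 ] || return 0
    case "$5$8" in *[!0-9]*) return 0 ;; esac
    printf '%s%s%02d\n' "$8" "$mon" "$5"
}

# Print one of: vulnerable, patched, not-1.0.1, unknown. Always returns 0.
# The heartbeat extension (and the bug) appeared with OpenSSL 1.0.1 on
# 14 Mar 2012; Debian's fixed packages were built on 7 Apr 2014 or later.
heartbleed_status() {
    text=$1
    ver=$(printf '%s\n' "$text" | sed -n '1s/^OpenSSL \([^ ]*\).*/\1/p')
    case "$ver" in
        1.0.1*) ;;
        *) echo not-1.0.1; return 0 ;;
    esac
    key=$(build_date_key "$text")
    if [ -z "$key" ]; then
        echo unknown
    elif [ "$key" -ge 20140407 ]; then
        echo patched
    else
        echo vulnerable
    fi
    return 0
}

# Constructed samples mirroring the two listings in the post.
BEFORE='OpenSSL 1.0.1 14 Mar 2012
built on: Wed Jan  8 20:45:51 UTC 2014'
AFTER='OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr  7 20:33:29 UTC 2014'

echo "before upgrade: $(heartbleed_status "$BEFORE")"   # vulnerable
echo "after upgrade:  $(heartbleed_status "$AFTER")"    # patched
# Live check of this host (uncomment on a Debian machine):
# heartbleed_status "$(openssl version -a 2>/dev/null)"
```

The date rule is a heuristic: a 1.0.1 library built from source with heartbeats disabled would be reported as vulnerable even though it is not, and a build date alone says nothing about which processes have loaded the library. Treat the script as a quick triage step and keep the online checker as the final confirmation, as the post does.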

Upgrade OpenSSL

The simplest way to get the latest build of OpenSSL is to upgrade the Linux distribution's packages:

root@myserver:~# apt-get dist-upgrade
root@myserver:~# reboot

After the reboot, recheck the OpenSSL version. The build date should now be 7 April 2014.

root@myserver:~# openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr  7 20:33:29 UTC 2014
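The reboot above matters for a reason the listing does not show: the upgrade replaces the libssl file on disk, but every daemon started before the upgrade still has the old, now-deleted library mapped in memory and keeps running the vulnerable code until it is restarted. As an added example (not code from the original post), the following POSIX shell script finds such processes by scanning /proc/PID/maps for libssl or libcrypto mappings marked "(deleted)"; it is useful when a reboot has to wait. The function names and the sample maps text are my own constructions.

```shell
#!/bin/sh
# Added example, not part of the original post: report processes that still
# map a deleted (i.e. replaced on disk) libssl or libcrypto. A maps line has
# the fields:  address perms offset dev inode pathname [(deleted)]

# Print, one per line, each deleted libssl/libcrypto path found in one
# /proc/PID/maps text passed as $1. Prints nothing for a clean process.
stale_ssl_libs_in_maps() {
    printf '%s\n' "$1" |
        awk '$6 ~ /lib(ssl|crypto)\.so/ && $7 == "(deleted)" { print $6 }' |
        sort -u
}

# Walk /proc and print "PID COMMAND LIBRARY" for every process that still
# maps a deleted libssl/libcrypto. Always exits 0; no output means clean.
list_stale_ssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        libs=$(stale_ssl_libs_in_maps "$(cat "$maps" 2>/dev/null)")
        if [ -n "$libs" ]; then
            comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
            for lib in $libs; do
                printf '%s %s %s\n' "$pid" "$comm" "$lib"
            done
        fi
    done
    return 0
}

# Constructed sample: a process whose libssl and libcrypto were replaced on
# disk after it started (two mappings of libssl, one of libcrypto, plus libc).
SAMPLE_MAPS='7f1a2b3c4000-7f1a2b3d5000 r-xp 00000000 08:01 131082 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1a2b3d5000-7f1a2b5d4000 ---p 00011000 08:01 131082 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1a2b6e0000-7f1a2b700000 r-xp 00000000 08:01 131090 /lib/x86_64-linux-gnu/libc-2.13.so
7f1a2b800000-7f1a2b900000 r-xp 00000000 08:01 131100 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)'

echo "stale libraries in the sample process:"
stale_ssl_libs_in_maps "$SAMPLE_MAPS"
echo "processes on this host still using a replaced libssl/libcrypto:"
list_stale_ssl_processes
```

Every process the script lists (typically the web server, mail server, SSH daemon and anything else that speaks TLS) must be restarted before the fix is effective for it; rebooting, as the post does, restarts all of them at once.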

Now you can run the online test again, and the output should be the following:

[Screenshot: the online checker reporting yoursite.com as not vulnerable]

If you know another solution (maybe a better one), please contact me 🙂
