Securing Your Server Against the Heartbleed Vulnerability
Due to a major security flaw in OpenSSL, you should update your server to the newest version of the software. The following versions of OpenSSL are affected:
- 0.9.8
- 1.0.0
- 1.0.1 through 1.0.1f
Note: Only customers using dedicated and virtual private servers need to complete the steps listed in this article steps. These steps do not apply to Ubuntu-based servers, however.
To check your server's version of OpenSSL, run the following command:
rpm -qa openssl
If you're affected, you need to complete the following steps to update your version of OpenSSL and secure your server.
To Secure Your Server Against the Heartbleed Vulnerability
- Edit the file
/etc/yum.repos.d/CentOS-Base.repo
, and change the following highlighted lines:#released updatesto
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://s2plmirror01.prod.sdl2.secureserver.net/download/mirrors/cos-$releasever-updates.$basearch
failovermethod=priority
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5#released updates
[updates]
name=CentOS-$releasever - Updates
#mirrorlist=http://s2plmirror01.prod.sdl2.secureserver.net/download/mirrors/cos-$releasever-updates.$basearch
failovermethod=priority
baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5 - Clean the yum repositories on the server by running the following command:
yum clean all
- Update OpenSSL on the server by running the following command:
yum update opensslThis installs version openssl-1.0.1e-16.el6_5.7.
- Confirm the update was installed successfully by running the following command:
openssl version -aThe output will display the following:'built on: Tue Apr 8 02:39:29 UTC 2014'Additionally the fix can be confirmed that it is in place by running the following command:rpm -q --changelog openssl | headThe first few lines will show the following:'fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'
- Restart Apache or any other web server which is currently installed on the server, this will allow the new version of Open SSL to be used.
- Edit the file
/etc/yum.repos.d/CentOS-Base.repo
, and change the following highlighted lines to revert it to the original version:#released updatesto
[updates]
name=CentOS-$releasever - Updates
#mirrorlist=http://s2plmirror01.prod.sdl2.secureserver.net/download/mirrors/cos-$releasever-updates.$basearch
failovermethod=priority
baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://s2plmirror01.prod.sdl2.secureserver.net/download/mirrors/cos-$releasever-updates.$basearch
failovermethod=priority
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5 - Re-key any SSLs your server uses. If you use our SSLs, you can find those instructions in Rekey my certificate.