Securing Your Server Against the Heartbleed Vulnerability

Heartbleed (CVE-2014-0160) is a flaw in the TLS heartbeat extension of OpenSSL. A remote client or server can send a malformed heartbeat request and read up to 64 KB of the peer's process memory per request, without leaving anything in the logs. That memory can contain private keys, session cookies and passwords, which is why updating the library is only part of the fix and re-keying certificates (step 7) is not optional. You should update your server to a patched version of OpenSSL as soon as possible. The following upstream OpenSSL versions are affected:

  • 1.0.1 through 1.0.1f
  • 1.0.2-beta1

OpenSSL 0.9.8 and 1.0.0 do not contain the heartbeat code and are not vulnerable; 1.0.1g fixes the bug upstream. CentOS 6 ships 1.0.1e with the fix backported, so on CentOS the package release (1.0.1e-16.el6_5.7 or later), not the version number, tells you whether a server is patched.

Note: Only customers using dedicated and virtual private servers need to complete the steps in this article. The steps are written for CentOS servers and do not apply to Ubuntu-based servers.

To check your server's installed OpenSSL package, including its release field, run the following command:

rpm -qa openssl

This prints the full package name, for example openssl-1.0.1e-16.el6_5.4.x86_64. Compare the part after the second hyphen (the release) with the fixed release named in step 3; a release older than 16.el6_5.7 on CentOS 6 is vulnerable even though the version reads 1.0.1e.

If you're affected, you need to complete the following steps to update your version of OpenSSL and secure your server.

To Secure Your Server Against the Heartbleed Vulnerability

  1. Edit the file /etc/yum.repos.d/CentOS-Base.repo so that yum fetches updates from the public CentOS mirror instead of the hosting mirror. In the [updates] section, comment out the mirrorlist line and uncomment the baseurl line, changing:
    #released updates
    [updates]
    name=CentOS-$releasever - Updates
    mirrorlist=http://s2plmirror01.prod.sdl2.secureserver.net/download/mirrors/cos-$releasever-updates.$basearch
    failovermethod=priority
    #baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
    to
    #released updates
    [updates]
    name=CentOS-$releasever - Updates
    #mirrorlist=http://s2plmirror01.prod.sdl2.secureserver.net/download/mirrors/cos-$releasever-updates.$basearch
    failovermethod=priority
    baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
    Leave gpgcheck=1 in place: the baseurl is plain http, so the GPG signature check on the downloaded package is what guarantees you install the genuine CentOS build. The gpgkey path must match your release (RPM-GPG-KEY-CentOS-6 on a CentOS 6 server); do not edit it to match this listing.
  2. Clean the yum repositories on the server by running the following command:
    yum clean all
  3. Update OpenSSL on the server by running the following command:
    yum update openssl
    On CentOS 6 this installs openssl-1.0.1e-16.el6_5.7 (or a later release if one has since been published). The version stays 1.0.1e because the fix is backported; the release field is what changes.
  4. Confirm the update was installed successfully by running the following command:
    openssl version -a
    The output includes a 'built on:' line giving the build date of the patched package:
    'built on: Tue Apr 8 02:39:29 UTC 2014'
    A later rebuild will show a later date, so the more reliable confirmation is the package changelog, which names the CVE directly:
    rpm -q --changelog openssl | head
    The first few lines will include the following entry:
    'fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'
  5. Restart Apache and every other service that links against OpenSSL (for example nginx, Postfix or Dovecot). yum replaces the library files on disk, but processes that were already running keep the old, vulnerable copy mapped in memory and stay exploitable until they are restarted. Rebooting the server is the simplest way to be certain; otherwise, lsof lists processes still holding the replaced library as DEL or (deleted) entries, and each of those must be restarted.
  6. Edit the file /etc/yum.repos.d/CentOS-Base.repo again and revert the [updates] section to its original form, changing:
    #released updates
    [updates]
    name=CentOS-$releasever - Updates
    #mirrorlist=http://s2plmirror01.prod.sdl2.secureserver.net/download/mirrors/cos-$releasever-updates.$basearch
    failovermethod=priority
    baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
    to
    #released updates
    [updates]
    name=CentOS-$releasever - Updates
    mirrorlist=http://s2plmirror01.prod.sdl2.secureserver.net/download/mirrors/cos-$releasever-updates.$basearch
    failovermethod=priority
    #baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
  7. Re-key every SSL certificate your server uses, generating a new private key, and revoke the old certificate. Heartbleed can expose the private key from process memory, and a patched server that keeps a leaked key can still be impersonated. Do this only after steps 1 through 5 are complete, otherwise the new key can leak the same way. Because session cookies and passwords can leak as well, also consider invalidating active sessions and asking users to change passwords once the server is patched and re-keyed. If you use our SSLs, you can find those instructions in Rekey my certificate.
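The checks in steps 3 through 5 can be scripted so they are not done by eye. The following POSIX sh helpers are an added example and are not part of the original article or of any CentOS tooling: one verifies the installed package release, one finds the changelog entry for CVE-2014-0160, and one lists the processes that still have the pre-update libssl or libcrypto mapped and therefore need a restart. The package names and the fixed release 1.0.1e-16.el6_5.7 come from the article; the changelog and lsof samples at the bottom are constructed for the example, not real captures.

```shell
#!/bin/sh
# Added example, not from the original article: POSIX sh helpers that verify
# the Heartbleed fix is really in effect on a CentOS/RHEL 6 host.  Each check
# reads one command's output from stdin, so the same function runs against
# the live system or against the constructed samples below.

FIXED_RELEASE="1.0.1e-16.el6_5.7"   # fixed build named in the article

# 1. Package check.  Input: `rpm -q openssl --qf '%{VERSION}-%{RELEASE}\n'`.
#    "1.0.1e" is the version before and after the fix, so only the release
#    field (16.el6_5.7 or later) proves the backported patch is present.
openssl_release_is_fixed() {
    pkg=$(cat)
    case "$pkg" in
        1.0.1e-*) ;;                    # only the el6 1.0.1e line is handled
        *) return 1 ;;
    esac
    rel=${pkg#1.0.1e-}                  # e.g. 16.el6_5.7
    major=${rel%%.*}                    # 16
    minor=${rel##*.}                    # 7
    case "$major" in *[!0-9]*) return 1 ;; esac
    case "$minor" in *[!0-9]*) minor=0 ;; esac   # "16.el6" has no sub-release
    [ "$major" -gt 16 ] && return 0
    [ "$major" -eq 16 ] && [ "$minor" -ge 7 ] && return 0
    return 1
}

# 2. Changelog check.  Input: `rpm -q --changelog openssl`.  Prints the build
#    whose entry names CVE-2014-0160 and succeeds; fails if no entry does.
#    The whole log is searched, not just `head`, so the check stays valid on
#    later builds where the fix is no longer the newest entry.
changelog_heartbleed_fix_build() {
    awk '/^\*/            { build = $NF }
         /CVE-2014-0160/  { print build; found = 1; exit }
         END              { exit !found }'
}

# 3. Restart check.  Input: `lsof -n` (run as root).  yum replaces the
#    library files on disk, but a daemon that was already running keeps the
#    old copy mapped until restarted; lsof flags such mappings with FD "DEL"
#    or a "(deleted)" suffix.  Prints one "COMMAND PID" per affected process.
stale_libssl_processes() {
    awk '($4 == "DEL" || /\(deleted\)/) && /lib(ssl|crypto)\.so/ { print $1, $2 }' |
        sort -u
}

# --- constructed sample inputs (made up for this example) -------------------
SAMPLE_CHANGELOG='* Tue Apr 08 2014 Example Packager <pkg@example.invalid> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

* Tue Jan 07 2014 Example Packager <pkg@example.invalid> 1.0.1e-16.4
- earlier, unrelated fix'

SAMPLE_LSOF='COMMAND   PID   USER  FD   TYPE DEVICE SIZE/OFF   NODE NAME
httpd    1234 apache  DEL   REG    8,1            393489 /usr/lib64/libssl.so.1.0.1e
httpd    1234 apache  mem   REG    8,1   1944864 393490 /usr/lib64/libcrypto.so.1.0.1e (deleted)
nginx    2222  nginx  DEL   REG    8,1            393489 /usr/lib64/libssl.so.1.0.1e
master   3333   root  DEL   REG    8,1            393490 /usr/lib64/libcrypto.so.1.0.1e
sshd     4444   root  mem   REG    8,1   1944864 401122 /usr/lib64/libcrypto.so.1.0.1e
bash     5555   root  mem   REG    8,1    148416 393211 /lib64/libtinfo.so.5'

# --- run the checks against the samples -------------------------------------
if printf '%s\n' "$FIXED_RELEASE" | openssl_release_is_fixed; then
    echo "package $FIXED_RELEASE: fixed build"
fi
build=$(printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_heartbleed_fix_build) &&
    echo "changelog: CVE-2014-0160 fixed in build $build"
echo "processes still mapping the old library (restart these):"
printf '%s\n' "$SAMPLE_LSOF" | stale_libssl_processes
```

On a live server, source the file and pipe the real commands in: `rpm -q openssl --qf '%{VERSION}-%{RELEASE}\n' | openssl_release_is_fixed`, `rpm -q --changelog openssl | changelog_heartbleed_fix_build`, and, as root, `lsof -n | stale_libssl_processes`. In the sample, sshd has already been restarted and maps the new file, so it is correctly left out, while httpd, nginx and the Postfix master still hold the deleted library and must be restarted before step 7.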