Full Disclosure: Heartbleed

I find it impossible to believe that you could find your way to my blog without knowing what the Heartbleed vulnerability is, but just in case, more information can be found here. It has been all over every sort of news. If you read news on the Internet, you HAD to have heard about it.

The CodeWatch site was vulnerable. In an effort to support TLS 1.2 and cryptographic ciphers that utilize PFS, I was on one of the latest versions of OpenSSL, 1.0.1e to be exact. Within a day after the announcement I had OpenSSL patched, and within two days or so I had re-generated my private key and had my CA reissue my certificate based on the new key, but I am just now getting around to posting about it. If you use the site for the CodeWatch web app, then you should change your password(s) just in case.

Here is a list of actions I took to remediate the vulnerability:

  1. Downloaded and compiled the patched version of OpenSSL (1.0.1g).
  2. Compiled the latest stable version of Nginx against OpenSSL 1.0.1g. This was performed externally on the web server. I also compiled several internal systems to remediate this vulnerability inside the network.
  3. Re-generated the web server’s private key.
  4. Issued a new certificate signing request using the new private key.
  5. Issued a new certificate using the certificate signing request with my Certificate Authority.
  6. Revoked the old certificate.
  7. Installed the new key and certificate on the web server

What a pain! The good news (I guess, kind of?) is that even if my private key had been compromised and traffic from the site intercepted, an attacker should still not be able to decrypt the data because the CodeWatch site only supports PFS ciphers and has been configured this way from the beginning.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: