OpenSSL HeartBleed Bug – Explanation and fix

Heartbleed is a recently discovered small bug in OpenSSL’s implementation of the TLS ‘heartbeat’ mechanism. The bug is present only in OpenSSL versions 1.0.1 through 1.0.1f! By exploiting this bug, an attacker can request that a running TLS server hand over a relatively large slice (up to 64KB) of its private memory space. Since this is the same memory space where OpenSSL also stores the server’s private key material, an attacker can potentially obtain data such as:

1) private keys
2) TLS session keys
3) confidential data
4) session ticket keys

The remedy

You can test whether a given server is vulnerable using this tool: http://filippo.io/Heartbleed/ (enter your domain as, for example, yourdomain.name:443).

To check the OpenSSL version running on your server, use the following command via SSH:

CentOS

    # openssl version
    OpenSSL 1.0.1e-fips 11 Feb 2013

Ubuntu

    # dpkg -s openssl | grep Version
    Version: 1.0.1-4ubuntu5.6

Having identified a problem, the first step is to patch OpenSSL. Fortunately this is relatively easy. The 1.0.1g version is not vulnerable, and Debian has a patch. You can also recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS option.

Installing OpenSSL 1.0.1g on CentOS:

    # cd /usr/local/src
    # wget -N http://www.openssl.org/source/openssl-1.0.1g.tar.gz
    # tar -xzvf openssl-1.0.1g.tar.gz
    # cd openssl-1.0.1g
    # ./config
    # make
    # make install
    # alias cp=cp
    # cp /usr/local/ssl/bin/openssl /usr/bin/openssl
    # cd /usr/local/ssl/include
    # ln -s /usr/local/ssl/include/openssl openssl

Once done, check the version again and restart the web server:

    # openssl version
    OpenSSL 1.0.1g 7 Apr 2014

Restart any services using SSL.

Installing OpenSSL 1.0.1g on Ubuntu:

    # apt-get update
    # apt-get install -y openssl libssl1.0.0

Restart any services using SSL.

What’s the TLS Heartbeat mechanism?

The TLS Heartbeat mechanism is designed to keep connections alive even when no data is being transmitted. Heartbeat messages sent by one peer contain random data and a payload length. The other peer is supposed to respond with a mirror of exactly the same data.

If you want to read more about this, the best written article I’ve found on this topic can be found here: http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html
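As an added illustration (not code from the original post), the following Python simulates how a heartbeat record is processed with and without the length check that OpenSSL 1.0.1g added. The record layout follows RFC 6520; the sample payloads, the fake "heap" contents and the secret string are constructed for the demo and stand in for real process memory.

```python
import struct
from typing import Optional

# RFC 6520 heartbeat message: type(1) | payload_length(2) | payload | padding(>=16)
HB_REQUEST = 1
MIN_PADDING = 16

def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. claimed_length lets a caller declare a
    payload size that differs from the real one; that mismatch is the
    malformed input the OpenSSL 1.0.1g fix rejects."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * MIN_PADDING

def heartbeat_response(record: bytes, memory: bytes, bounds_check: bool) -> Optional[bytes]:
    """Return the payload a peer would echo for the heartbeat `record`, which is
    assumed to sit at offset 0 of `memory`. `memory` is a constructed stand-in
    for the process heap: the record, followed by whatever else lives there.
    Returns None when the record is discarded."""
    hb_type, payload_length = struct.unpack("!BH", record[:3])
    if hb_type != HB_REQUEST:
        return None
    if bounds_check:
        # The fix: header + declared payload + minimum padding must fit inside
        # the record that was actually received, otherwise drop it silently.
        if 1 + 2 + payload_length + MIN_PADDING > len(record):
            return None
    # Unfixed behaviour: copy payload_length bytes starting at the payload,
    # trusting the peer's length field. Reads past the record on the fake heap.
    return bytes(memory[3:3 + payload_length])

# Constructed demo data: a small record followed by a fake secret on the "heap".
SECRET = b"-----BEGIN RSA PRIVATE KEY----- (constructed, not a real key)"
HONEST = build_heartbeat(b"ping")                        # 4 real bytes, claims 4
LYING = build_heartbeat(b"ping", claimed_length=4000)    # 4 real bytes, claims 4000

def fake_heap(record: bytes) -> bytes:
    return record + b"\x00" * 64 + SECRET + b"\x00" * 8192

def demo() -> dict:
    """Exercise both code paths: the fixed server echoes only well-formed
    records, the unfixed one returns 4000 bytes including the fake secret."""
    return {
        "honest_fixed": heartbeat_response(HONEST, fake_heap(HONEST), True),
        "lying_fixed": heartbeat_response(LYING, fake_heap(LYING), True),
        "lying_unfixed": heartbeat_response(LYING, fake_heap(LYING), False),
    }
```

Calling demo() shows the fixed path answering the honest record with b"ping" and dropping the lying one, while the unfixed path hands back 4000 bytes that contain the constructed secret.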
