
I've updated my Ubuntu server to use OpenSSL 1.0.1g and when I run sudo openssl version -a I get OpenSSL 1.0.1g 7 Apr 2014 built on: Sat Apr 19 14:15:45 UTC 2014 platform: linux-elf

However, sites like https://filippo.io/Heartbleed/ are still returning my site as vulnerable to Heartbleed. I have restarted the server, not sure what else I have to do.

Is there a way to find any services that are currently running and are vulnerable to the Heartbleed security issue?

Anyone else having this problem?

2 Answers


I can think of a few problems that would cause this:

  1. Possibly some form of a caching issue, not sure if you have any caching enabled on your sites, but I would look there.
  2. Apache being built on an older OpenSSL version. In this case you need to recompile it, or depending on OS use yum/apt-get to remove it and reinstall it.
  3. Did you remember to restart Apache after making the change to OpenSSL?

If you provide more details I may be able to assist further.

David Eisen
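One way to answer the "which running services still use the old library" part of the question (an added example, not code from either answer): a daemon started before the upgrade keeps the old libssl/libcrypto mapped in memory, and Linux marks such mappings "(deleted)" in /proc/PID/maps once the package upgrade replaces the file. The sample maps text below is constructed; the paths in it are illustrative.

```shell
#!/bin/sh
# Added example. Lists processes that still map an OpenSSL shared object whose
# on-disk file was replaced, i.e. services that need a restart after the
# upgrade (an Apache statically linked against old OpenSSL will not show up
# here and needs a rebuild/reinstall, as the answer above notes).

# Read a /proc/PID/maps-style text on stdin and print, one per line, each
# libssl/libcrypto path whose mapping is flagged "(deleted)".
# Field 6 is the mapped path; "(deleted)" appears as the last field.
stale_ssl_maps() {
    awk '$6 ~ /lib(ssl|crypto)\.so/ && $NF == "(deleted)" { print $6 }' | sort -u
}

# Walk every process on the host and report those holding stale OpenSSL code.
# Run as root to read other users' maps; returns 1 if anything was found.
scan_running() {
    found=0
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        stale=$(stale_ssl_maps < "$maps" 2>/dev/null) || continue
        [ -n "$stale" ] || continue
        found=1
        printf 'PID %s (%s) still maps:\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        # $stale is intentionally unquoted: one path per whitespace-separated word
        printf '  %s\n' $stale
    done
    return $found
}

# Constructed sample: a daemon started before libssl was upgraded.
SAMPLE_MAPS='7f2a8c000000-7f2a8c200000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f2a8c200000-7f2a8c210000 rw-p 00200000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f2a8c300000-7f2a8c500000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f2a8c600000-7f2a8c610000 r-xp 00000000 08:01 9012 /lib/x86_64-linux-gnu/libc-2.19.so'

# "--demo" parses the sample; "--scan" checks the live host.
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_maps ;;
    --scan) scan_running ;;
esac
```

An empty result from the live scan only means no process maps a replaced libssl/libcrypto file; it does not cover statically linked binaries or a chroot with its own copy of the library.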

Heartbleed can be exploited if you have a service running, that is actively using a vulnerable openssl version.

This could be a service providing https. After fixing the openssl-stack (like you tried to do) and after verifying the service (like you did) the last step, after you are not vulnerable any longer, is to treat all involved keys as compromised.

That is: Mark them as compromised and get new ones.

Nils