Questions tagged [heartbleed]

The Heartbleed bug is a vulnerability in OpenSSL's TLS implementation. The CVE ID for this issue is CVE-2014-0160.

The Heartbleed vulnerability allows an attacker to steal information that is protected by SSL/TLS encryption, and can potentially disclose private keys.

Any application using OpenSSL for its TLS implementation is potentially vulnerable, which means there is a large variety of vulnerable applications, such as web browsers, email clients and instant messaging software.

See http://heartbleed.com or CVE-2014-0160 for more information.

63 questions
0 votes, 1 answer

Was my server vulnerable to heartbleed if TLS has been disabled?

Was my server vulnerable to heartbleed if TLS has been disabled in the past? In Apache's vhost configuration the parameter sslCipherSuite contains only SSLv2; afaik this doesn't contain TLS.
Hannes
0 votes, 1 answer

OpenSSH and heartbleed?

I just updated a Debian Wheezy server for the first time today, after the heartbleed bug. OpenSSL is not installed on this server, so I thought the server was not affected, and therefore it was put on the low priority list. In the process of…
0 votes, 2 answers

Openssl heartbleed update not working with compiled Apache 2.4.7

We are still having heartbleed issues with one of our servers. We did the update with yum and restarted apache and any service that was using the vulnerable version of openssl. When we test our site to see if it is still vulnerable it says that it…
0 votes, 2 answers

Which versions of win32 tcnative-1.dll are susceptible to heartbleed

We are trying to determine our window of vulnerability for Heartbleed. Does anyone have an idea of how to determine which version of OpenSSL was used to build a given Tomcat Native DLL? Our server has had Tomcat 6 on it (not sure which version of…
Kevin Day
0 votes, 2 answers

Is the danger of the heartbleed bug worse than using non-ssl connections?

Trying to understand everything while reading http://heartbleed.com/ This sentence: "Leaked secret keys allows the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will" this sounds pretty…
Moak
0 votes, 1 answer

Will tcnative-1.dll version 1.1.30 work with tomcat 7.0.29 without any issues?

In order to fix the Heartbleed vulnerability a new release of the tomcat java native libraries is being created. Will this release work with older versions of Tomcat 7 such as 7.0.29, or will this possibly cause problems with code running on the…
rs232
0 votes, 1 answer

Could Certificate Authorities have been compromised by the Heartbleed bug?

OpenSSL is widely used and was affected by the Heartbleed bug for years. A lot of services were impacted and everybody is trying to recover from this bug by updating their system, generating new certificates, revoking the old ones, and potentially…
kunnix
0 votes, 0 answers

How to better block phishing spam due to heartbleed?

I imagine it won't take long for spammers to recognize that Heartbleed is an ideal way to do phishing. I am thinking of ways to mitigate the phishing risk, I mean just this time for the heartbleed bug, not generally. End-users will likely receive…
0 votes, 2 answers

Possible Heartbleed Compromise recovery

I have a web-server, (complete with user account and payment system), that was vulnerable to the Heartbleed attack. What I'm wondering is: How can I detect if my server has been compromised? How do I recover from a heartbleed attack? How do I…
Azzie Rogers
0 votes, 1 answer

Heartbleed testing tools do not recognize reissued certificates (PositiveSSL Wildcard + Amazon ELB)

In response to the Heartbleed news, I have upgraded OpenSSL on my production server and am now trying to reissue the SSL certificate. I am using a PositiveSSL Wildcard certificate on an Amazon ELB. I have followed the below instructions to reissue…
Hakan B.
0 votes, 0 answers

Heartbleed: Is openssh affected?

I've read the site about HeartBleed, but still wonder if it affects openssh servers? Most people talk about HTTPs and VPN.
neutrinus
-1 votes, 2 answers

Openssl upgrade from source

I have upgraded the openssl version on my server to the latest version of openssl but the libraries that the reverse proxy server is using is pointing to . strings /usr/lib64/libssl.so.10 | grep "^OpenSSL " OpenSSL 1.0.1e-fips 11 Feb…
zeemz
-1 votes, 1 answer

Heartbleed not fixed by Openssl and server upgrade

I have inherited a server in one of our Dev environments and found out straight away that it was not patched when the heartbleed was discovered. Now, I've upgraded it - including all SSL libraries and I've regenerated self signed certificates, yet…
milosgajdos
-1 votes, 1 answer

Heartbleed - Centos 6.5, Apache - should I recreate pair of default certificate and key

I am using Centos 6.5, Apache 2.2.15 with SSL. Due to heartbleed I have updated openssl to release 16.el6_5.7 and I have restarted the httpd service. I am using default Apache certificate and…
teo
-1 votes, 2 answers

Upgrade to secure openssl fails

Upgrade to secure openssl fails Method: have in /etc/apt/sources.list: deb http://security.debian.org/ wheezy/updates main contrib non-free Then do: apt-get update apt-cache policy openssl apt-get install openssl apt-cache policy openssl will show…