How do I fix the CVE-2014-0224 OpenSSL vulnerability?

I just scanned my site with this tool and it said my site was vulnerable to CVE-2014-0224. How do I fix it?

Do I need to get a new cert issued? The one I have I purchased from enom. Is it their fault? Or is it my web server's (webfaction's) fault?

It also says:

RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger ciphers are available.

and

The server does not support Forward Secrecy with the reference browsers.

I don't know if these are all faults of the SSL cert or my server needs to support serving it correctly?

mpen

Posted 2014-06-29T20:39:57.910

Reputation: 9 109

What kind of server is this? VPS? Shared hosting? Ubuntu? CentOS? – Paul – 2014-06-29T20:43:56.730

@Paul Shared hosting, Centos 6 - 64bit. – mpen – 2014-06-29T20:49:06.033

1Assuming you don't have root access, contact your ISP and have them fix it, or switch ISPs. – Paul – 2014-06-29T20:50:39.750

@Paul ISP? You mean hosting provider? "ISP" is who I buy my home internet connection from. – mpen – 2014-06-29T20:51:20.393

https://en.wikipedia.org/wiki/Internet_Service_Provider – Paul – 2014-06-29T20:54:12.357

2@Paul Didn't know ISP included "Hosting ISPs", thought it specifically meant "Access providers". Fair enough. – mpen – 2014-06-29T23:46:51.757

Answers

You need to upgrade the version of OpenSSL on your server. The vulnerability is in the software code itself.

edit: important text is:

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

Rex Sheffield

Posted 2014-06-29T20:39:57.910

Reputation: 126

This is the only redemption that should be done. You should also revoke the previous certificate AFTER you patch and restart. – Ramhound – 2014-06-29T23:21:00.837

CVE-2014-0224 requires an update of openssl.

RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger ciphers are available.

and

The server does not support Forward Secrecy with the reference browsers.

are mere webserver configuration issues.

Something like this (assuming an apache):

SSLCertificateFile server.crt
SSLCertificateKeyFile server.key
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off
# Add six earth month HSTS header for all users...
Header add Strict-Transport-Security "max-age=15768000"
# If you want to protect all subdomains, use the following header
# ALL subdomains HAVE TO support HTTPS if you use this!
# Strict-Transport-Security: max-age=15768000 ; includeSubDomains
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRS
A+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LO
W:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA
128-SHA:AES128-SHA'

is recommended by https://bettercrypto.org / Applied Crypto Hardening. Usage of HTTP Strict Transport Security (hsts) should be carefully judged, as it may break things, and drastically increase server load. From the security point of view, it is recommended.

Your certificate probably is fine, but if it has been used with a heartbleed exploitable version of openssl, you do have to replace it (it might be compromised).

However, upgrading openssl and configuring the webserver will require superuser privileges. If you are using shared hosting, theres nothing you can do beside asking the hosting company to fix it. And they, probably won't give a damn.

blackhat.blade

Posted 2014-06-29T20:39:57.910

Reputation: 156

I've submitted a ticket with them. If they say "no" I'll switch to a VPS. I've already got one, but I don't want to go through the hassle of transferring and then figuring out how to configure this myself. Thanks for the info! – mpen – 2014-06-29T23:49:37.293