OpenSSL upgrade prevent Heartbleed vulnerability problem

Source: Internet
Author: User
Tags install openssl openssl openssl binaries openssl library openssl version centos ssl certificate cve

Post an informed answer:

There is also a service that tests whether the Web site is affected: Test your server for Heartbleed (cve-2014-0160) (now long 503)

According to the description on the page, this OpenSSL implementation vulnerability can obtain the sensitive memory data on the host in the handshake phase, even including the SSL certificate private key! The loophole appeared in 2012 and was only recently repaired yesterday (April 7, 2014). To ask the information security professionals who are aware of this vulnerability, what is the scope of its availability and impact? If so, has this 0day been widely used?

Very serious vulnerabilities, involving the opening of the heartbeat extension of the OpenSSL version 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1
Just looked at our server (Gentoo), using the 1.0.1c threat version, but we did not open the heartbeat, so it will not be a real threat, but still patched to prepare for a rainy time.
If you just want to check that your server is not under threat, now there is a ready-made tool that can be used
Titanous/heartbleeder Lu GitHub
You can also use the following OpenSSL command directly to determine
Expand source

This command only tells you if you have enabled heartbeat, but it does not indicate whether you are under threat, and you need to combine the OpenSSL version to determine.

Hacker News Someone has given this script, can detect the Alexa top million web site to open Heartbeat server
Expand source

Download Alexa top 1,000,000 Websites for free
I wrote a bash script to check the top 1000 websites and huge percentage of them ...
I ran for a little while, but I didn't seem to find any valuable information. In fact, Heartbeat as a CRM in the OpenSSL to use the opportunity is not much, plus a large site response is very rapid, not easy to appear big flaws. It is unclear whether the 0Day was used before it was released.

Now all major distributions have been patched, please update as soon as possible.

I am using the CentOS, currently officially said to be threatened by the version 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1. The "Heartbleed" vulnerability was fixed in the OpenSSL 1.0.1g version. All centos6.5 systems running OpenSSL 1.0.1e (openssl-1.0.1e-16.el6_5.4) are at risk, and seemingly only 6.5 are at risk.

Check your OpenSSL version first, the following command:



#openssl version-a//Plus-a parameter will show more detail

Also or

#yum Info OpenSSL//redhat series can be used

Ubuntu and Debian can use the following command:

#dpkg-query-l ' OpenSSL '

All right, brother is using the OpenSSL 1.0.1f, the threatened version. Oh, real pit. But did not open Heartbleed, and did not set HTTPS access, no impact, but still upgraded.

Enter the command to upgrade the OpenSSL version:

#yum Clean all && yum update "openssl*"//redhat series available with this

Ubuntu and Debian can use the following command:

#apt-get Update
#apt-get Upgrade

openSUSE Use the following command:

#zypper Update

Make sure you are installing a openssl-1.0.1e-16.el6_5.7 version or an updated version. Yum source does not have this package, you can only download the RPM package installed. I reckon there is.

Install openssl-1.0.1e-16.el6_5.7 version for Mao? Since this version has been repaired, see Another reason is that there is no openssl-1.0.1g version of my yum source.

Then execute the following command to check which processes are still using the deleted old version of the OpenSSL library:

#lsof-N | grep SSL | grep DEL

No, it's normal. If so, you'll have to restart the process of using the old version of the OpenSSL library. So, I do not bother to restart, but also small blog, directly restart the server.

If possible, it is recommended that you regenerate the SSL private key, change the password, and so on.

Note: You can also use the following command to check your installed version of the OpenSSL when the patch, because each fix the vulnerability, after patching, the package itself will be recorded in the log (Change-log) the information. The order is as follows:

# rpm-q--changelog openssl-1.0.1e | Grep-b 1 cve-2014-0160//cve-2014-0160 is the code for this loophole, can go to OpenSSL's website to check


* Mon APR 2014 Tom 谩 screw Mr 谩 Z <> 1.0.1e-16.7
-Fix cve-2014-0160-information disclosure in TLS Heartbeat extension

This version has fixed this vulnerability.


2014.4.9 Update the direct source installation openssl1.0.1g version.

Download the OpenSSL 1.0.1g version first, the following command:


And then download this version of the MD5 check pack:


Then verify that the OpenSSL package has been maliciously modified:

#md5sum openssl-1.0.1g.tar.gz | awk ' {print $} ' | Cmp-openssl-1.0.1g.tar.gz.md5

If the check is fine, then unpack the package and order:

#tar-ZVXF openssl-1.0.1g.tar.gz//Decompression openssl-1.0.1g.tar.gz

Enter this uncompressed directory:

#cd openssl-1.0.1g

Enter the following command to compile, install, I set some important parameters directly, because the other parameters for me is useless. If you need a parameter, add it yourself. Input:


#make && make Install

#./config shared--prefix=/usr/local--openssldir=/usr/local/ssl//Generating dynamic libraries

#make Clean

#make && make Install

Or you do not add any parameters, completely with the default:

#./config && make && make install

In about five or six minutes, compile and install. If there is no problem, continue to enter the following command, manual soft chain new OpenSSL binaries:

#ln-sf/usr/local/ssl/bin/openssl ' which OpenSSL '

Finally reboot the server (reboot process troublesome), enter:


After the reboot, enter the following command to detect the OpenSSL version:

#openssl version


OpenSSL version

Tutorial over!

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.