"Heartbleed" OpenSSL Questions

  • Friday, 11th April, 2014
  • 22:19

It recently came to light that there is a serious programming error in OpenSSL, endangering the encryption keys and data of SSL connections across the Internet. It allows anyone to read memory from vulnerable servers, which means an attacker can read keys, passwords and other private information. There is more information about the bug at http://heartbleed.com. You can also check whether you are vulnerable using GlobalSign's SSL checker at https://sslcheck.globalsign.com/en_GB.

Many services other than HTTPS use SSL, including e-mail, VPN and others. It is extremely important that these services are also secured as soon as possible. This announcement covers our response and the action we recommend VPS and dedicated server customers take.

Our response

All Insight Hosting infrastructure and shared web hosting servers (Small Business Hosting, Business Hosting Plus, Business Plus E-Commerce) were patched on Tuesday morning as soon as the vulnerability was announced. We have also reissued our own SSL certificates to secure our customers' data.

We are currently setting up a bulk reissue process; once it is in place we will automatically reissue and install all shared web hosting certificates. Shared hosting customers do not need to do anything.

All VPS, Hybrid Server and dedicated server customers should check if they are affected

Windows servers – Review any applications that have been installed as they may be bundled with OpenSSL libraries. (Our standard build has no vulnerable applications installed).

Linux servers – Inspect the installed OpenSSL library. The OpenSSL version can be viewed from the command line with: openssl version -a

CentOS users can confirm they are running a patched version by checking that the “built on:” date is on or after April 8 2014.

The version number alone is not conclusive, however: distributions do not necessarily change the OpenSSL version number when they ship the update, so if a vulnerable version is displayed you will have to check the installed package by other means.

Vulnerable systems if unpatched: CentOS-6, Debian-7, Fedora, Ubuntu, FreeBSD
Not vulnerable systems: CentOS-5, Debian-6, Suse-11, Windows Server

For clarity here is a list of OpenSSL branches:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
    • CentOS 6 – openssl-1.0.1e-15 is vulnerable
    • CentOS 6 – openssl-1.0.1e-16.el6_5.4 is vulnerable
    • CentOS 6 – openssl-1.0.1e-16.el6_5.7 is NOT vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable
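The check described above, as an added example that is not part of this announcement: a POSIX shell script that classifies the output of `openssl version -a` using the rules listed (1.0.1 through 1.0.1f vulnerable; 1.0.1g, 1.0.0 and 0.9.8 not), and applies the CentOS “built on:” date rule to builds whose version string was not changed by the distribution. It extends the 1.0.1g rule to later 1.0.1 letters; the sample banners are constructed, and the `check-package` result must be confirmed against the package version (for example the el6_5.7 release above).

```shell
#!/bin/sh
# Added example, not part of the announcement: classify `openssl version -a`
# output. A 1.0.1 through 1.0.1f banner built on or after 8 April 2014 is
# reported as check-package, since only the package version settles it.

# Three-letter month as printed in the "built on:" line -> number (0 if unknown).
month_num() {
  case "$1" in
    Jan) echo 1;; Feb) echo 2;;  Mar) echo 3;;  Apr) echo 4;;
    May) echo 5;; Jun) echo 6;;  Jul) echo 7;;  Aug) echo 8;;
    Sep) echo 9;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
    *) echo 0;;
  esac
}

# Print 1 if a line like "built on: Tue Apr  8 02:39:29 UTC 2014" is dated
# 8 April 2014 or later, else 0 (also 0 for an empty or unparseable line).
built_after_fix() {
  mon=$(printf '%s\n' "$1" | awk '{print $4}')
  day=$(printf '%s\n' "$1" | awk '{print $5}')
  year=$(printf '%s\n' "$1" | awk '{print $NF}')
  m=$(month_num "$mon")
  case "$m$day$year" in ''|0*|*[!0-9]*) echo 0; return;; esac
  [ $((year * 10000 + m * 100 + day)) -ge 20140408 ] && echo 1 || echo 0
}

# heartbleed_status "<output of openssl version -a>"
# -> not-vulnerable | vulnerable | check-package | unknown
heartbleed_status() {
  ver=$(printf '%s\n' "$1" | awk 'NR == 1 {print $2}')
  built=$(printf '%s\n' "$1" | grep '^built on:' || true)
  case "$ver" in
    1.0.1[g-z]*|1.0.0*|0.9.8*) echo not-vulnerable;;
    1.0.1|1.0.1[a-f]*)
      if [ "$(built_after_fix "$built")" = 1 ]; then
        echo check-package   # rebuilt after the fix: confirm with rpm -q / dpkg -l
      else
        echo vulnerable
      fi;;
    *) echo unknown;;
  esac
}

# Constructed sample banners (first line plus "built on:" line of `openssl version -a`).
SAMPLE_CENTOS_OLD=$(printf 'OpenSSL 1.0.1e-fips 11 Feb 2013\nbuilt on: Wed Jan 15 18:30:08 UTC 2014')
SAMPLE_CENTOS_FIXED=$(printf 'OpenSSL 1.0.1e-fips 11 Feb 2013\nbuilt on: Tue Apr  8 02:39:29 UTC 2014')
SAMPLE_UPSTREAM_G=$(printf 'OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Mon Apr  7 20:33:29 UTC 2014')
SAMPLE_CENTOS5=$(printf 'OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008\nbuilt on: Tue Feb 14 12:01:11 EST 2012')
command -v openssl >/dev/null && heartbleed_status "$(openssl version -a)"   # classify this host
```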

If you are running a vulnerable OpenSSL version then we recommend that you patch your servers and restart any services utilising OpenSSL libraries.

For most distributions of Linux security updates are already available:

  • Debian / Ubuntu: apt-get update; apt-get -y install openssl libssl1.0.0
  • Fedora / CentOS: yum -y update openssl

All affected VPS & Dedicated server customers with SSL certificates

Customers with Insight Hosting issued SSL certificates will be contacted by either ourselves or our Certificate Authority in due course; at that point you will be able to request a certificate revocation and reissue from us.

Customers with independently sourced SSL certificates should consider requesting a revocation and reissue from their certificate vendor, and may be contacted directly by their Certificate Authority in due course.

Edit 11/04/13

Problems with sending emails after SSL update:

Due to the Heartbleed bug we have had to update all of our own SSL certificates, including those on our shared mail servers. Mac users are reporting errors such as “Invalid Certificate Error” or “Invalid SSL” when trying to send mail. If you are seeing this error, please do the following and you should then be able to send mail as expected:

  • Go to Applications
  • In the Utilities folder, open Keychain Access
  • In this application, find the entry for the mail server you are using, right-click it and choose “Delete”

This should then allow you to connect to the mail server correctly.
