On 7th April, Heartbleed (CVE-2014-0160) shook both the tech-savvy world and end-users alike. Most of us use OpenSSL for one reason or another. If it is any version of OpenSSL from 1.0.1 through 1.0.1f, released between December 2011 and April 2014, then assume that your secret keys, private keys, passwords and other credentials have already been compromised. Let’s apply the fix and stop the bleeding. OpenSSL officially released version 1.0.1g, which fixes the bug, on 7th April 2014.
The OpenSSL versions released before December 2011 (the 0.9.8 and 1.0.0 branches) are not vulnerable, so a fix is needed only if you are using OpenSSL 1.0.1 through 1.0.1f.
I was using 1.0.1f and needed to upgrade quickly.
Now, I’m not discussing the OpenSSL installation method here; I’m concentrating on making things harmless.
Step 1. Installed OpenSSL 1.0.1g. Then it was time for damage control, so I took care of all the passwords and, above all, the private key.
Step 2. Revoked the current keys and generated new keys on this machine and the corresponding (few) remote SSH machines. Created a Key Revocation List file, ‘krl’, and then proceeded to revoke the current keys. Note: please bear in mind that you see ‘.exe’ because this is Cygwin at work on a non-Linux machine (making it work like Linux).
Checked that the key was not already revoked against my only Key Revocation List file, krl. It reports ok.
Revoked the keys here.
Tested again to ensure that the keys are revoked.
Finally applied the new keys on this host machine and on the remote machines too, changed passwords etc., and everything is set. Thanks.
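The revoke-and-verify procedure from Step 2 onwards, as an added example that is not part of the original post: it generates a throwaway "old" pair standing in for the compromised key plus a fresh replacement, builds a KRL with ssh-keygen, revokes the old public key, and checks both keys against the list. It assumes OpenSSH's ssh-keygen is on PATH; the file names are placeholders constructed for the demo.

```shell
#!/bin/sh
# Added example (not the post's own commands): rotate an SSH key pair and
# revoke the old public key in a Key Revocation List (KRL).
set -eu

# The demo needs ssh-keygen; report and stop cleanly if it is absent.
command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the constructed keys
KRL="$WORK/krl"                # the revocation list file ("krl" in the post)

# Create the stand-in "old" (compromised) pair and its replacement.
# No passphrase so the demo is non-interactive; real keys should have one.
make_keys() {
    rm -f "$WORK/old_key" "$WORK/old_key.pub" "$WORK/new_key" "$WORK/new_key.pub"
    ssh-keygen -q -t ed25519 -N '' -C "old-key" -f "$WORK/old_key"
    ssh-keygen -q -t ed25519 -N '' -C "new-key" -f "$WORK/new_key"
}

# Create a new, empty KRL (overwrites any previous file of that name).
init_krl() {
    ssh-keygen -k -f "$KRL"
}

# Add the public key in $1 to the existing KRL (-u updates it in place).
revoke_key() {
    ssh-keygen -k -u -f "$KRL" "$1"
}

# Return 0 if the key in $1 is revoked, 1 if the KRL still accepts it.
# ssh-keygen -Q prints "<file>: ok" or "<file>: REVOKED" and exits
# non-zero when any listed key is revoked, so the exit status is used.
is_revoked() {
    if ssh-keygen -Q -f "$KRL" "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

demo() {
    make_keys
    init_krl
    is_revoked "$WORK/old_key.pub" && return 1   # fresh list: not yet revoked
    revoke_key "$WORK/old_key.pub"
    is_revoked "$WORK/old_key.pub" || return 1   # old key must now be revoked
    is_revoked "$WORK/new_key.pub" && return 1   # replacement must still be ok
    echo "old key revoked in $KRL; new key unaffected"
}

demo
```

Deploy the resulting KRL to each server with `RevokedKeys` in sshd_config so the old key is refused everywhere, not only where the new key was installed.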