< Previous by Date Date Index Next by Date >
  Thread Index  

[reSIProcate-announce] reSIProcate and the OpenSSL "heartbleed" attack



Most people have probably already heard about the OpenSSL "heartbleed"
bug.  It is a critical security vulnerability for TLS users.  It is
CVE-2014-0160

In future, alerts of this type will only be sent to the new
resiprocate-announce mailing list.  Please make sure you are subscribed,
it is fully moderated to ensure that only important/essential emails appear:
http://list.resiprocate.org/mailman/listinfo/resiprocate-announce

For people using official packages on a stable Linux distribution, it
should be possible to secure your SIP and TURN services using the
procedure below.  The distribution maintainers have already updated the
SSL libraries and the package management tool (apt, yum, ...) should
install it automatically.

* make sure your package manager is configured to get security updates
(e.g. check /etc/apt/sources.list on Debian, does it contain
security.debian.org?)
* update the libssl package (e.g. Debian users can do "apt-get update &&
apt-get upgrade")
* stop the service (e.g. "service repro stop")
* create new key pair (PEM private key file)
* request a new certificate from the CA
* install the new private key and certificate PEM files over the top of
the told PEM files
* start the service again (e.g. "service repro start")

Do not create the new private key or CSR on a system where any service
is still running with the vulnerability.  Otherwise, your new key could
potentially be leaked before you have secured the server.