From a47e4db3545657a677a8a6f58ebdf295014c1662 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Wed, 9 Apr 2014 19:06:29 +0100 Subject: [PATCH] Heartbleed vulnerability mitigation --- README.md | 2 ++ beaglebone.txt | 50 ++++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 50 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f2753caf..0bd333a6 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,7 @@ +**Note: for information on fixing the "heartbleed" vulnerability see the section called "Regenerating SSL certificates"** + FreedomBone is a personal home communications server based upon the BeagleBone Black hardware. It's small and cheap and will allow you to use email, have your own web site and do social networking in a federated way without needing to rely upon any intermediary companies other than your ISP. beaglebone.txt is in Emacs org-mode format. diff --git a/beaglebone.txt b/beaglebone.txt index df11c808..a81e6144 100644 --- a/beaglebone.txt +++ b/beaglebone.txt @@ -478,7 +478,7 @@ wget http://freedombone.uk.to/hashlet-1.0.0.patch Install some dependencies. #+BEGIN_SRC: bash -apt-get install gnupg build-essential libgcrypt11-dev +apt-get install gnupg build-essential libgcrypt11-dev texinfo #+END_SRC Verify it. @@ -508,6 +508,7 @@ tar -xzvf hashlet-1.0.0.tar.gz cd hashlet-1.0.0 patch -p1 < ../hashlet-1.0.0.patch chmod o+rw /dev/i2c* +./autogen.sh ./configure make make check @@ -544,7 +545,7 @@ Add the following: while : do -hashlet --bus=/dev/i2c-2 random > /dev/hashletrng # 32 bytes at a time... +hashlet --bus=/dev/i2c-2 --Bytes 32 random-bytes > /dev/hashletrng done #+END_SRC 
@@ -6268,6 +6269,51 @@ apt-get remove --purge mysql\* apt-get clean updatedb #+END_SRC +** Regenerating SSL certificates +If a security vulnerability arrises which requires you to regenerate your SSL certificates, such as [[http://filippo.io/Heartbleed]["heartbleed"]], then this can be done as follows: + +Obtain the latest updates: + +#+BEGIN_SRC: bash +apt-get update +apt-get upgrade +#+END_SRC + +Run *makecert * for each of your sites. + +Recreate the XMPP certificate: + +#+BEGIN_SRC: bash +openssl genrsa -out /etc/ssl/private/xmpp.key 4096 +openssl req -new -x509 -key /etc/ssl/private/xmpp.key -out /etc/ssl/certs/xmpp.crt -days 3650 +chmod 600 /etc/ssl/private/xmpp.key +chmod 600 /etc/ssl/certs/xmpp.crt +chown prosody:prosody /etc/ssl/private/xmpp.key +chown prosody:prosody /etc/ssl/certs/xmpp.crt +#+END_SRC + +And regenerate the IRC server keys: + +#+BEGIN_SRC: bash +openssl genrsa -out /etc/ircd-hybrid/key/ircd.key 4096 +openssl req -new -x509 -key /etc/ircd-hybrid/key/ircd.key -out /etc/ircd-hybrid/key/ircd.pem -days 3650 +chmod 600 /etc/ircd-hybrid/key/ircd.key +chmod 600 /etc/ircd-hybrid/key/ircd.pem +#+END_SRC + +As an added precaution you may wish to regenerate your ssh host keys: + +#+BEGIN_SRC: bash +rm /etc/ssh/ssh_host_* +dpkg-reconfigure openssh-server +#+END_SRC + +Then reboot the server with: + +#+BEGIN_SRC: bash +reboot +#+END_SRC + * Deprecated The following items have been deprecated until such time as a successful installation is achieved.
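Review bot: the first beaglebone.txt hunk adds `texinfo` to the `apt-get install` line, but the following hunk introduces a `./autogen.sh` step, and an autogen script of that kind typically needs autoconf, automake and libtool as well; if those are not already on the image, adding them to the same dependency line would keep the build instructions complete, e.g. `apt-get install gnupg build-essential libgcrypt11-dev texinfo autoconf automake libtool`.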
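Review bot: in the `while : do ... done` loop of the third beaglebone.txt hunk, the replacement line `hashlet --bus=/dev/i2c-2 --Bytes 32 random-bytes > /dev/hashletrng` has no exit-status check, so if the I2C device is missing or the command fails the loop spins at full speed writing nothing; consider something like `hashlet --bus=/dev/i2c-2 --Bytes 32 random-bytes > /dev/hashletrng || sleep 1` so a failing device does not peg the CPU. The hunk also drops the `# 32 bytes at a time...` comment from the old line; a short comment explaining why 32 bytes is requested per call would keep the script self-explanatory.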
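Review bot: the new "Regenerating SSL certificates" section in the last beaglebone.txt hunk has the right order (update and upgrade first, then regenerate keys) but stops at key material; after a bug like the linked "heartbleed", the old keys and certificates should be treated as compromised, and users should change their passwords once the server is patched, since anything handled by the vulnerable process may have been exposed, so a sentence to that effect after the `apt-get upgrade` block would complete the mitigation. Smaller points in the same hunk: "arrises" should be "arises"; `*makecert *` has a space before the closing asterisk, which breaks org-mode bold; the `chmod 600` on `xmpp.crt` and `ircd.pem` is harmless but unnecessary, as certificates are public; and the `rm /etc/ssh/ssh_host_*` / `dpkg-reconfigure openssh-server` step should warn that every client will now see a changed host key warning, so the new fingerprints (e.g. from `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub`) should be published for users to verify rather than blindly accept.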