Nine Steps to Defeating the Heartbleed Bug
Upgrade to OpenSSL 1.0.1g. Users unable to upgrade immediately can instead recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS, which compiles the heartbeat extension out entirely. The 1.0.2 branch will be fixed in 1.0.2-beta2.
Codenomicon warns that "even though the actual code fix may appear trivial," users should apply the official OpenSSL patch rather than a hand-rolled one.
Operating system distributions that shipped a potentially vulnerable OpenSSL, according to Codenomicon:
- Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
- Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
- CentOS 6.5, OpenSSL 1.0.1e-15
- Fedora 18, OpenSSL 1.0.1e-4
- OpenBSD 5.3 and 5.4 (OpenSSL 1.0.1c 10 May 2012)
- FreeBSD 10.0, OpenSSL 1.0.1e 11 Feb 2013
- NetBSD 5.0.2 (OpenSSL 1.0.1e)
- OpenSUSE 12.2 (OpenSSL 1.0.1c)
Accuvant Labs says the following tools can help determine exposure: the OpenSSL command line, where "openssl version -a" reports the installed version and build details (1.0.1 through 1.0.1f are vulnerable; note that some distributions backport the fix without changing the upstream version string, so confirm against the package version and changelog as well); Qualys SSL Labs, a free web-based test of any SSL server reachable on the public Internet; and a standalone Python tool that tests whether a host is vulnerable.
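The version check above, and the compile-time workaround from the first step, can both be read off the output of "openssl version -a". The script below is an added example (not from the article or from Accuvant) that classifies a build as vulnerable, fixed, unaffected (the 0.9.8 and 1.0.0 branches never had the heartbeat extension), or heartbeats-disabled when the library was configured with -DOPENSSL_NO_HEARTBEATS, which shows up in the "compiler:" line. The sample outputs are constructed for the demonstration, not captured from real hosts, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: classify a build of OpenSSL for Heartbleed exposure from
# the text of `openssl version -a`.
#
# Vulnerable releases: 1.0.1 through 1.0.1f and 1.0.2-beta1.
# Fixed: 1.0.1g and later, 1.0.2-beta2 and later, every later branch.
# Unaffected: 0.9.8 and 1.0.0 (they never had the heartbeat extension).
# A build configured with -DOPENSSL_NO_HEARTBEATS has the extension compiled
# out; the define appears in the "compiler:" line of `openssl version -a`.

# Print just the version token (e.g. "1.0.1e") from `openssl version -a` text.
openssl_version_token() {
    printf '%s\n' "$1" | sed -n '1s/^OpenSSL[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Print one of: vulnerable | heartbeats-disabled | fixed | unaffected | unknown
# "unknown" covers non-OpenSSL banners such as LibreSSL.
heartbleed_status() {
    _out=$1
    _ver=$(openssl_version_token "$_out")
    case "$_ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]*|1.0.2-beta1*)
            # Vulnerable version string, unless the workaround was compiled in.
            # Caveat: distro backports keep the upstream string, so confirm
            # a "vulnerable" verdict against the package changelog.
            case "$_out" in
                *OPENSSL_NO_HEARTBEATS*) echo heartbeats-disabled ;;
                *)                       echo vulnerable ;;
            esac ;;
        0.9.*|1.0.0*) echo unaffected ;;
        1.*|3.*)      echo fixed ;;
        *)            echo unknown ;;
    esac
}

# Constructed sample outputs (not from real hosts), one per outcome.
SAMPLE_VULN='OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Feb 11 15:48:04 UTC 2013
platform: debian-amd64
options:  bn(64,64) rc4(8x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3
OPENSSLDIR: "/usr/lib/ssl"'

SAMPLE_WORKAROUND='OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Apr  8 09:12:31 UTC 2014
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_HEARTBEATS -O3
OPENSSLDIR: "/usr/local/ssl"'

SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
built on: Mon Apr  7 22:05:10 UTC 2014
platform: linux-x86_64'

SAMPLE_OLD='OpenSSL 1.0.0k 5 Feb 2013
built on: Tue Feb  5 17:20:41 UTC 2013'

for s in "$SAMPLE_VULN" "$SAMPLE_WORKAROUND" "$SAMPLE_FIXED" "$SAMPLE_OLD"; do
    printf '%-8s -> %s\n' "$(openssl_version_token "$s")" "$(heartbleed_status "$s")"
done

# Finally, the build actually installed on this host, if there is one.
if command -v openssl >/dev/null 2>&1; then
    printf 'local    -> %s\n' "$(heartbleed_status "$(openssl version -a 2>/dev/null)")"
fi
```

A "vulnerable" verdict from the version string alone is a prompt to look further, not a final answer: on Debian, Red Hat and similar distributions the fixed package still reports 1.0.1e, so the package version (dpkg -s openssl, rpm -q openssl) and an active probe such as the Python tool mentioned above are what settle it.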
The server option Perfect Forward Secrecy, which is rare but powerful, should protect past communications from retrospective decryption, according to Codenomicon. The limit of that protection is worth spelling out: forward secrecy means a stolen private key cannot decrypt recorded sessions, but it does nothing for data that was sitting in the server's memory when the heartbeat was exploited.
Many third-party products and appliances embed OpenSSL and will need updates of their own. As a result, many workarounds may not be possible without vendor support, says Accuvant, so follow up with your third-party vendors.
Once the patch is in place (a key generated on an unpatched server is just as exposed as the old one), Accuvant recommends:
- Regenerating the SSL private key, starting with externally facing systems
- Rotating and revoking SSL certificates on externally facing systems: issue the new certificate for the new key, install it, then revoke the old one
- Restarting all web servers to terminate any live session IDs that may have been disclosed during an attack
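The three remediation items above, carried through as an added example that is not Accuvant's own procedure: generate a fresh key, produce the CSR that goes to the CA, and verify before deployment that the key really changed and that the new certificate belongs to it. The file names, the hostname and the service name are placeholders, and the CA's issuance is simulated with a self-signed certificate so the script runs stand-alone; the "old" key pair is constructed here to stand in for the pre-patch one.

```shell
#!/bin/sh
# Added example: re-key a TLS server after the OpenSSL patch is installed,
# and prove the rotation happened before anything is deployed.
# Assumptions: a working `openssl` binary; placeholder paths and hostname;
# the CA step is simulated with a self-signature.

WORK=${WORK:-$(mktemp -d)}
HOST=www.example.com          # placeholder hostname

# Stand-in for the pre-Heartbleed key and certificate, which must be treated
# as compromised. Constructed here so the script runs stand-alone.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
    -keyout "$WORK/old.key" -out "$WORK/old.crt" 2>/dev/null

# SHA-256 of the RSA modulus in a key, CSR or certificate. Equal fingerprints
# mean the same key pair. $1 is the openssl subcommand for the object type
# (rsa | req | x509), $2 the file.
modulus_fp() {
    openssl "$1" -noout -modulus -in "$2" | openssl dgst -sha256 | awk '{print $NF}'
}

# Step 1: a fresh private key, generated only on the patched host.
# Step 2: a CSR for the CA. Here the "CA" is a self-signature; in production
#         submit new.csr to your CA and install the certificate it returns.
rotate_key() {
    openssl genrsa -out "$1/new.key" 2048 2>/dev/null
    chmod 600 "$1/new.key"
    openssl req -new -key "$1/new.key" -subj "/CN=$2" -out "$1/new.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/new.csr" -signkey "$1/new.key" \
        -out "$1/new.crt" 2>/dev/null
}

# Succeeds when the certificate's public key belongs to the private key.
cert_matches_key() {
    [ "$(modulus_fp x509 "$1")" = "$(modulus_fp rsa "$2")" ]
}

# Succeeds when the two private keys are distinct, i.e. rotation really happened.
key_is_fresh() {
    [ "$(modulus_fp rsa "$1")" != "$(modulus_fp rsa "$2")" ]
}

rotate_key "$WORK" "$HOST"

if key_is_fresh "$WORK/old.key" "$WORK/new.key" \
   && cert_matches_key "$WORK/new.crt" "$WORK/new.key"; then
    echo "rotation OK: install $WORK/new.key and $WORK/new.crt, restart the server, then revoke old.crt at the CA"
else
    echo "rotation FAILED: do not deploy" >&2
    exit 1
fi
# Step 3, after the new pair is installed: restart the web server so the
# session cache and any session-ticket keys held by the old process are gone,
# e.g.  systemctl restart nginx   (service name is an assumption).
# Step 4: revoke the old certificate through the CA that issued it.
```

The modulus comparison is the check that catches the two classic mistakes in a hurried rotation: reusing the old key file under a new name, and pairing the freshly issued certificate with the wrong key. The old certificate stays valid until the CA revokes it, so revocation is a separate, required step, not a side effect of installing the new one.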
Change passwords for all accounts, again only after patching so the new credentials are not leaked the same way, including:
- Single sign-on platforms that may have interacted with the host
- Appliance web interface logins that may use OpenSSL and Apache
- Active Directory accounts that may have been used for back-end authentication
Update browser configurations so that revoked certificates are rejected. Not all browsers check for revoked certificates automatically, including some versions of Chrome and Internet Explorer, according to Accuvant, so a revoked pre-Heartbleed certificate may still be accepted until that check is turned on.