How to Update OpenVPN for Heartbleed OpenSSL Vulnerability

After the Heartbleed OpenSSL vulnerability was exposed, Donald Burr of otakunopodcast wrote up instructions on how to verify the version of OpenSSL we’re running, and how to update it. Here are his instructions:

If you run the command:

port deps openvpn

it will show you which other MacPorts ports openvpn depends on. If openssl is *not* in that list, then that means MacPorts used the Apple-included version of openssl when building openvpn, and so you’re fine.

If, however, openssl *is* in that list, we now need to check what version of openssl was used. Run the command:

port installed openssl

This command will list out what version of openssl is installed.

If it is version 0.9.8, or version 1.0.0, then you are fine. If, on the other hand, it is version 1.0.1a through 1.0.1f, then you are using the vulnerable version of openssl and you must upgrade. This vulnerability was fixed in openssl version 1.0.1g, so if that version (or a later version) is installed, then you are also fine.

If you need to upgrade openssl, then follow these steps. First thing you need to do is update the MacPorts ports tree by running the command:

sudo port selfupdate

You may see an error about MacPorts base; you can ignore that. After this is done, we need to check what port upgrades are available. Run this command:

port outdated

and look for a line similar to this:

openssl 1.0.1f < 1.0.1g

This indicates that an upgrade to openssl is available. (In fact I understand that the MacPorts team have released an upgrade to the non-vulnerable version of openssl.)

Finally, to upgrade the openssl port itself, run:

sudo port upgrade openssl

Now you can rerun the command:

port installed openssl

And you should see the new version of openssl with the word (active) next to it, and the old version as well. You should uninstall the old version via the command below (assuming your old version is @1.0.1e_1).

sudo port uninstall openssl @1.0.1e_1

At this point you will probably want to re-generate all of your VPN certificates and keys. Just follow Allison’s clearly written ScreenSteps tutorial 🙂

Start at the step “SECTION 6 – Donald’s Nifty Scripts of Doom”
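As an added example (editor's code, not part of Donald's instructions), here is a POSIX shell script that applies the version test above to the output of `port installed openssl`, so the check can be scripted rather than eyeballed. The `port` output below is constructed to match the two-line "(active)" listing described in the steps, and the function names are assumptions. It goes one step beyond the text by also treating 1.0.2-beta1 as affected, which the OpenSSL advisory for Heartbleed (CVE-2014-0160) lists alongside 1.0.1 through 1.0.1f; 0.9.8, 1.0.0 and 1.0.1g or later are not affected.

```shell
#!/bin/sh
# Added example: classify a MacPorts openssl install by Heartbleed exposure.
# Affected: 1.0.1 (no letter), 1.0.1a..1.0.1f, 1.0.2-beta1.
# Not affected: 0.9.8x, 1.0.0x, 1.0.1g and later.

# heartbleed_vulnerable VERSION -> exit 0 if affected, 1 otherwise.
# Accepts the raw port form too, e.g. "@1.0.1f_0".
heartbleed_vulnerable() {
    v=${1#@}          # drop a leading "@" as printed by port
    v=${v%%_*}        # drop the MacPorts revision suffix, e.g. "_1"
    case "$v" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# active_openssl_version: reads "port installed openssl" output on stdin and
# prints the version of the line marked "(active)", without "@" or revision.
active_openssl_version() {
    awk '$1 == "openssl" && $3 == "(active)" {
            v = $2; sub(/^@/, "", v); sub(/_.*$/, "", v); print v
         }'
}

# classify_port_output TEXT -> prints a verdict for the given port output.
# Exit 0 = vulnerable (upgrade needed), 1 = fine, 2 = nothing active found.
classify_port_output() {
    ver=$(printf '%s\n' "$1" | active_openssl_version)
    if [ -z "$ver" ]; then
        echo "no active openssl port"
        return 2
    fi
    if heartbleed_vulnerable "$ver"; then
        echo "VULNERABLE $ver"
        return 0
    fi
    echo "OK $ver"
    return 1
}

# Constructed sample output (hypothetical): what "port installed openssl"
# looks like before and after the upgrade described in the steps.
SAMPLE_VULNERABLE='The following ports are currently installed:
  openssl @1.0.1e_1
  openssl @1.0.1f_0 (active)'
SAMPLE_FIXED='The following ports are currently installed:
  openssl @1.0.1f_0
  openssl @1.0.1g_0 (active)'

# Stand-alone demo; on a real machine replace the sample with
#   classify_port_output "$(port installed openssl)"
for sample in "$SAMPLE_VULNERABLE" "$SAMPLE_FIXED"; do
    if classify_port_output "$sample"; then
        echo "  -> run: sudo port selfupdate && sudo port upgrade openssl"
    fi
done
```

Two caveats worth keeping in mind when using a version-string check like this: it is valid for MacPorts because the port bumps its version number to 1.0.1g when it ships the fix, but on systems that backport patches without changing the version (many Linux distributions did for Heartbleed) the string alone does not tell you whether the fix is present. And after `port upgrade openssl` finishes, a running openvpn process still has the old library mapped until it is restarted, so restart the VPN daemon before trusting the result.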