After the Heartbleed OpenSSL vulnerability was exposed, Donald Burr of otakunopodcast wrote up instructions on how to verify the version of OpenSSL we’re running, and how to update it. Here are his instructions:
If you run the command:
port deps openvpn
it will show you which other MacPorts ports openvpn depends on. If openssl is *not* in that list, then that means MacPorts used the Apple-included version of openssl when building openvpn, and so you’re fine.
If, however, openssl *is* in that list, we now need to check what version of openssl was used. Run the command:
port installed openssl
This command will list out what version of openssl is installed.
If it is version 0.9.8, or version 1.0.0, then you are fine. If, on the other hand, it is version 1.0.1a through 1.0.1f, then you are using the vulnerable version of openssl and you must upgrade. This vulnerability was fixed in openssl version 1.0.1g, so if that version (or a later version) is installed then you are also fine.
If you need to upgrade openssl, then follow these steps. The first thing you need to do is update the MacPorts ports tree by running the command:
sudo port selfupdate
You may see an error about MacPorts base; you can ignore that. After this is done, we need to check what port upgrades are available. Run this command:
and look for a line similar to this:
openssl 1.0.1f < 1.0.1g
This indicates that an upgrade to openssl is available. (In fact I understand that the MacPorts team have released an upgrade to the non-vulnerable version of openssl.)
Finally, to upgrade the openssl port itself, run:
sudo port upgrade openssl
Now you can rerun the command:
port installed openssl
And you should see the new version of openssl with the word (active) next to it, and the old version as well. You should uninstall the old version via the command below (assuming your old version is @1.0.1e_1).
sudo port uninstall openssl @1.0.1e_1
At this point you will probably want to re-generate all of your VPN certificates and keys. Just follow Allison’s clearly written ScreenSteps tutorial 🙂
Start at the step “SECTION 6 Donalds Nifty Scripts of Doom”
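The version check from the steps above can be scripted. This is an added example, not part of Donald's instructions: the function names are hypothetical and the sample listing is constructed to look like `port installed openssl` output. It also flags the initial 1.0.1 release, which OpenSSL's advisory lists as affected alongside 1.0.1a through 1.0.1f.

```shell
#!/bin/sh
# Added example (not from the original post): flag Heartbleed-affected
# OpenSSL copies in the output of `port installed openssl`.

# classify_openssl VERSION -> prints "vulnerable" or "ok".
classify_openssl() {
    v=${1#@}      # drop the leading @ that MacPorts prints
    v=${v%%_*}    # drop the MacPorts revision (and any variants), e.g. _1
    case "$v" in
        # 1.0.1a-1.0.1f per the post; bare 1.0.1 per the OpenSSL advisory.
        1.0.1|1.0.1[abcdef]) echo vulnerable ;;
        # 0.9.8, 1.0.0, 1.0.1g and later fall through to here.
        *) echo ok ;;
    esac
}

# scan_port_listing: read the listing on stdin and print one line per
# installed copy: "<version> <active|inactive> <vulnerable|ok>".
scan_port_listing() {
    while read -r name ver state; do
        [ "$name" = "openssl" ] || continue   # skips the header line
        case "$state" in
            "(active)") state=active ;;
            *)          state=inactive ;;
        esac
        echo "${ver#@} $state $(classify_openssl "$ver")"
    done
}

# has_vulnerable: exit 0 if any copy, active or not, is still vulnerable.
has_vulnerable() {
    scan_port_listing | grep -q ' vulnerable$'
}

# Constructed sample: state after upgrading but before uninstalling the old copy.
sample_listing() {
    cat <<'EOF'
The following ports are currently installed:
  openssl @1.0.1e_1
  openssl @1.0.1g_0 (active)
EOF
}

# On a real system: port installed openssl | scan_port_listing
sample_listing | scan_port_listing
```

An inactive copy reported as vulnerable is the one to remove with the `sudo port uninstall` step.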