How to fix the vulnerability of openssl issue on AWS.
EC2
1, Check openssl version
[root@web ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@web ~]# yum info openssl
Loaded plugins: priorities, security, update-motd, upgrade-helper
amzn-main | 2.1 kB 00:00
amzn-updates | 2.3 kB 00:00
852 packages excluded due to repository priority protections
Installed Packages
Name : openssl
Arch : x86_64
Epoch : 1
Version : 1.0.1e
Release : 4.53.amzn1
Size : 3.8 M
Repo : installed
From repo : amzn-updates
Summary : Utilities from the general purpose cryptography library with TLS implementation
URL : http://www.openssl.org/
License : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
: machines. OpenSSL includes a certificate management tool and shared
: libraries which provide various cryptographic algorithms and
: protocols.
If your openssl release is not 37.66.amzn1, You should update openssl by yum update.
[root@web ~]# yum update openssl
============================================================================================================
Package Arch Version Repository Size
============================================================================================================
Updating:
audit x86_64 2.3.2-3.19.amzn1 amzn-main 258 k
openssl x86_64 1:1.0.1e-37.66.amzn1 amzn-updates 1.7 M
Updating for dependencies:
audit-libs i686 2.3.2-3.19.amzn1 amzn-main 84 k
audit-libs x86_64 2.3.2-3.19.amzn1 amzn-main 87 k
glibc i686 2.17-36.81.amzn1 amzn-updates 6.0 M
glibc x86_64 2.17-36.81.amzn1 amzn-updates 5.6 M
glibc-common x86_64 2.17-36.81.amzn1 amzn-updates 28 M
glibc-devel x86_64 2.17-36.81.amzn1 amzn-updates 1.1 M
glibc-headers x86_64 2.17-36.81.amzn1 amzn-updates 718 k
openssl-devel x86_64 1:1.0.1e-37.66.amzn1 amzn-updates 1.3 M
Transaction Summary
============================================================================================================
Upgrade 10 Package(s)
Total download size: 45 M
Is this ok [y/N]: y
Check the version of openssl again.
[root@web8 ~]# yum info openssl
Loaded plugins: priorities, security, update-motd, upgrade-helper
852 packages excluded due to repository priority protections
Installed Packages
Name : openssl
Arch : x86_64
Epoch : 1
Version : 1.0.1e
Release : 37.66.amzn1
Size : 4.0 M
Repo : installed
From repo : amzn-updates
Summary : Utilities from the general purpose cryptography library with TLS implementation
URL : http://www.openssl.org/
License : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
: machines. OpenSSL includes a certificate management tool and shared
: libraries which provide various cryptographic algorithms and
: protocols.
Then restart the service using openssl such as apache.
[root@web ~]# /usr/sbin/apachectl stop
[root@web ~]# /usr/sbin/apachectl start
[root@web ~]# netstat -an|grep 80
tcp 0 0 10.0.1.175:57131 103.246.150.193:80 TIME_WAIT
tcp 0 0 :::80 :::* LISTEN
[root@web ~]# netstat -an|grep 443
tcp 0 0 :::443 :::* LISTEN
Reference:
https://aws.amazon.com/amazon-linux-ami/security-bulletins/ALAS-2014-320/
ELB
Generate SSL certificate with the latest openssl command.
1. Generate SSL key
# openssl genrsa -des3 -out server2048.key 2048
