Wednesday, April 09, 2014

Updating Phusion Passenger to Mitigate the Heartbleed Bug

Install Passenger/Nginx with Heartbleed Mitigation

The following steps may be taken to mitigate the OpenSSL vulnerability.

Compile the heartbleeder vulnerability tester

Locally:
$ brew install go # Mac only
$ mkdir -p ~/Code/go
$ export GOPATH=$HOME/Code/go
$ cd $GOPATH
$ go get github.com/titanous/heartbleeder
$ go install github.com/titanous/heartbleeder # installs the binary to $GOPATH/bin
$ bin/heartbleeder example.com

Update Passenger/Nginx

On your servers:
$ gem update passenger
$ export EXTRA_CXXFLAGS="-DOPENSSL_NO_HEARTBEATS"
$ export EXTRA_CFLAGS="-DOPENSSL_NO_HEARTBEATS"
$ passenger-install-nginx-module
# Update your nginx.conf with the new Passenger path
# Restart your nginx processes

Check your HTTPS web servers

$ bin/heartbleeder example.com
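
What the rebuild changes on the wire, as an added example (not code from the original post or from heartbleeder): an OpenSSL build compiled with -DOPENSSL_NO_HEARTBEATS no longer returns the heartbeat extension (type 15, RFC 6520) in its ServerHello, even when the client offers it. The Go program below parses a ServerHello and reports whether that extension is present; HasHeartbeat, sampleHello and the sample bytes are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const heartbeatExt = 15 // TLS extension type for heartbeat (RFC 6520)
var errBad = fmt.Errorf("malformed ServerHello")

// HasHeartbeat: true if a ServerHello handshake message (record header stripped) advertises heartbeat.
func HasHeartbeat(msg []byte) (bool, error) {
	if len(msg) < 39 || msg[0] != 0x02 || int(msg[1])<<16|int(msg[2])<<8|int(msg[3]) != len(msg)-4 {
		return false, errBad
	}
	b := msg[4:]
	off := 35 + int(b[34]) + 3 // skip version, random, session_id, cipher suite, compression
	if len(b) == off {
		return false, nil // no extensions block at all
	}
	if len(b) < off+2 || int(binary.BigEndian.Uint16(b[off:])) != len(b)-off-2 {
		return false, errBad
	}
	for ext := b[off+2:]; len(ext) > 0; {
		if len(ext) < 4 || len(ext) < 4+int(binary.BigEndian.Uint16(ext[2:])) {
			return false, errBad
		}
		if binary.BigEndian.Uint16(ext) == heartbeatExt {
			return true, nil
		}
		ext = ext[4+int(binary.BigEndian.Uint16(ext[2:])):]
	}
	return false, nil
}

// sampleHello builds a constructed ServerHello; heartbeat is included only when hb is true.
func sampleHello(hb bool) []byte {
	ext := []byte{0xff, 0x01, 0x00, 0x01, 0x00} // renegotiation_info
	if hb {
		ext = append(ext, 0x00, 0x0f, 0x00, 0x01, 0x01) // heartbeat, peer_allowed_to_send
	}
	body := append([]byte{0x03, 0x03}, make([]byte, 33)...) // TLS 1.2, zero random, empty session_id
	body = append(body, 0xc0, 0x2f, 0x00, 0x00, byte(len(ext)))
	return append(append([]byte{0x02, 0, 0, byte(len(body) + len(ext))}, body...), ext...)
}

func main() {
	fmt.Println(HasHeartbeat(sampleHello(true)))  // build that still has heartbeats
	fmt.Println(HasHeartbeat(sampleHello(false))) // build without heartbeats
}
```

A server only echoes the extension when the client offered it, so the ServerHello must come from a handshake whose ClientHello included heartbeat.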

Author: Patrick Morgan (patrick -at- patrick-morgan.net)
License: Creative Commons. Distribute Freely!