Wednesday, April 09, 2014

Updating Phusion Passenger to Mitigate the Heartbleed Bug

Install Passenger/Nginx with Heartbleed Mitigation

The following steps may be taken to mitigate the OpenSSL Heartbleed vulnerability (CVE-2014-0160, a missing bounds check in the TLS heartbeat extension of OpenSSL 1.0.1 through 1.0.1f) on a Passenger/Nginx deployment: test your hosts, patch, then test again.
Compile the heartbleeder vulnerability tester
Locally:
$ brew install go # Mac only
$ mkdir -p ~/Code/go
$ export GOPATH=$HOME/Code/go
$ cd $GOPATH
$ go get github.com/titanous/heartbleeder
# go get fetches, builds and installs the binary to $GOPATH/bin, so no separate go build is needed
$ bin/heartbleeder example.com

Update Passenger/Nginx

On your servers:
# Upgrade the system OpenSSL first: 1.0.1 through 1.0.1f are affected, 1.0.1g (or a distro
# build that backports the fix without changing the version number) is not.
# The -DOPENSSL_NO_HEARTBEATS defines below only take effect if OpenSSL itself is compiled
# during the build; they do not change a libssl that nginx merely links against.
# If your existing nginx binary links libssl dynamically (check with ldd, or otool -L on a
# Mac), upgrading OpenSSL and restarting nginx is sufficient; rerunning
# passenger-install-nginx-module is only required when it linked OpenSSL statically.
$ gem update passenger
$ export EXTRA_CXXFLAGS="-DOPENSSL_NO_HEARTBEATS"
$ export EXTRA_CFLAGS="-DOPENSSL_NO_HEARTBEATS"
$ passenger-install-nginx-module
# Update your nginx.conf with the new Passenger path
# Restart your nginx processes so they load the fixed libssl

Check your https web servers

$ bin/heartbleeder example.com
# Test every TLS endpoint, not only the main site, and re-test after each restart:
# a process started before the OpenSSL upgrade still has the old libssl mapped in.
# A vulnerable server may already have leaked private keys and session data, so
# reissue certificates and rotate session secrets once the fix is confirmed.
Author: Patrick Morgan (patrick -at- patrick-morgan.net)
License: Creative Commons. Distribute Freely!

2 comments:

Hongli said...

The Nginx installed by passenger-install-nginx-module should be dynamically linked to OpenSSL. If you upgrade the system's OpenSSL your Nginx installation should be fine; no need to rerun passenger-install-nginx-module.

Unless you only have the OpenSSL static library installed, which will cause passenger-install-nginx-module to statically link to OpenSSL. In that case, you have to rerun passenger-install-nginx-module every time you upgrade OpenSSL.

Patrick said...

Thanks for the clarification. Updated my post!
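The "Check your https web servers" step and Hongli's point about static versus dynamic linking both come down to two facts you can read off the box: which OpenSSL version is installed, and whether the nginx binary pulls libssl in as a shared library. The script below is an added example, not code from the original post, Phusion or nginx; it inspects those two inputs and prints a one-word verdict. The nginx path /opt/nginx/sbin/nginx is an assumption (use the prefix you gave passenger-install-nginx-module), and the sample version strings and ldd listings embedded in it are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post, Phusion or nginx): decide, from
# data already on the host, what a Passenger/Nginx box still needs after
# Heartbleed. Two inputs are inspected:
#   1. the OpenSSL version string (`openssl version`, or the "built with
#      OpenSSL ..." line that some nginx builds print for `nginx -V`);
#   2. the shared-library listing of the nginx binary (`ldd`, or `otool -L`
#      on OS X), to tell a dynamically linked libssl from a static one.
# The nginx path /opt/nginx/sbin/nginx used in live mode is an assumption.

# Returns 0 when the upstream version is in the affected range 1.0.1 .. 1.0.1f.
# Distro builds that backport the fix without changing the version (for
# example Debian's 1.0.1e-2+deb7u5) are still reported as affected here, so
# confirm with a live heartbleeder run before and after patching.
heartbleed_affected_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *)                return 1 ;;
    esac
}

# Returns 0 when the listing shows a shared libssl: upgrading the system
# OpenSSL and restarting nginx is then enough. No libssl in the listing means
# the build linked the static library, and passenger-install-nginx-module has
# to be rerun against the fixed OpenSSL.
nginx_links_libssl_dynamically() {
    printf '%s\n' "$1" | grep -q 'libssl'
}

# One-word verdict combining both checks.
heartbleed_verdict() {
    if heartbleed_affected_version "$1"; then
        echo "upgrade-openssl"
    elif nginx_links_libssl_dynamically "$2"; then
        echo "fixed-restart-nginx"
    else
        echo "fixed-rebuild-nginx"
    fi
}

# Constructed sample inputs (not captured from a real host) so the script
# runs offline; the shapes match what the real commands print.
SAMPLE_VULN_VERSION='OpenSSL 1.0.1e 11 Feb 2013'
SAMPLE_FIXED_VERSION='OpenSSL 1.0.1g 7 Apr 2014'
SAMPLE_LDD_DYNAMIC='    linux-vdso.so.1 =>  (0x00007fff5d3ff000)
    libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f2a8c6d0000)
    libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f2a8c2f0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a8bf30000)'
SAMPLE_LDD_STATIC='    linux-vdso.so.1 =>  (0x00007fff5d3ff000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a8bf30000)'

# Live mode: `sh heartbleed_check.sh --live [/path/to/nginx]`
if [ "${1:-}" = "--live" ]; then
    nginx_bin=${2:-/opt/nginx/sbin/nginx}
    libs=$(ldd "$nginx_bin" 2>/dev/null || otool -L "$nginx_bin" 2>/dev/null)
    heartbleed_verdict "$(openssl version)" "$libs"
else
    heartbleed_verdict "$SAMPLE_VULN_VERSION"  "$SAMPLE_LDD_DYNAMIC"   # upgrade-openssl
    heartbleed_verdict "$SAMPLE_FIXED_VERSION" "$SAMPLE_LDD_DYNAMIC"   # fixed-restart-nginx
    heartbleed_verdict "$SAMPLE_FIXED_VERSION" "$SAMPLE_LDD_STATIC"    # fixed-rebuild-nginx
fi
```

Run it with `--live` on each server after `gem update passenger` and before deciding whether to rerun passenger-install-nginx-module. The version check is deliberately conservative: a backported distro fix will still show up as "upgrade-openssl", which is the right default until heartbleeder reports the host clean.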