Was my server vulnerable to heartbleed if TLS has been disabled in the past?

In Apache's vhost configuration, the parameter SSLCipherSuite contains only SSLv2; AFAIK this doesn't contain TLS.

Hannes
  • What makes you think TLS was disabled? – MadHatter Apr 17 '14 at 16:00
  • @MadHatter In Apache's vhost configuration, the parameter SSLCipherSuite contains only SSLv2; AFAIK this doesn't contain TLS. – Hannes Apr 17 '14 at 16:09
  • If you only had SSLv2 enabled, then you were vulnerable to the hundreds of OTHER security issues you left yourself open to. Heartbleed is the least of your concerns; your data got out by many other ways which were patched years ago. – Michael Hampton Apr 17 '14 at 18:16
  • Could you indicate whether you have changed the Apache2 configuration recently? If the configuration is unaltered you could [test your server for Heartbleed](http://filippo.io/Heartbleed). – 030 Apr 17 '14 at 16:39
  • I've updated openssl recently so checking for heartbleed doesn't make sense. – Hannes Apr 17 '14 at 16:42
  • Some of our websites were vulnerable according to this website. We have revoked the certificates. Requested a new p12, configured the new key and cer in Apache2, executed the `Heartbleed test` again, and subsequently our websites passed the test. AFAIK it is not possible to guarantee that there was no Heartbleed before your update of OpenSSL. So in your case I would revoke the p12 for your website and request a new one to be sure. – 030 Apr 17 '14 at 16:45
  • You may try some [alternative testers](http://possible.lv/tools/hb/) that will tell you whether you *would be* vulnerable if you still had a bad version of OpenSSL. – Hagen von Eitzen Apr 17 '14 at 16:46
  • AFAIK it is impossible to guarantee that there was no Heartbleed before you updated OpenSSL on your server, so I would revoke the keys. You could read this article about [Heartbleed OpenSSL Vulnerability and rekeying](https://www.digitalocean.com/community/articles/how-to-protect-your-server-against-the-heartbleed-openssl-vulnerability). If your key was compromised this could lead to several [consequences](http://business.financialpost.com/2014/04/08/heartbleed-bug-found-in-key-encryption-technology-risks-exposing-private-data/?__lsa=c6f4-7f9d). – 030 Apr 17 '14 at 16:56
  • @HagenvonEitzen Thanks for the link, that's somehow what I was looking for. – Hannes Apr 17 '14 at 17:01

1 Answer

Nope, you are not vulnerable to Heartbleed, BUT as Michael Hampton so clearly and lucidly has pointed out, in this case Heartbleed is the least of your concerns. I am assuming that your site does not really concern itself with security, else SSLv2 would have been ditched years ago. A suggestion to make the site more secure is to test with SSLLabs (Qualys) and fix the issues so discovered: https://www.ssllabs.com/ssltest/

Also, if the Apache configuration has "SSLv2" then it might also be possible that your system admin has not patched the server with security updates. This is a jump, but to me it does not seem far-fetched since there is "SSLv2" in the Apache configuration; it might be two different sets of engineers responsible, but it is better to recheck and confirm.

Also, TLS builds upon SSL; there are lots of texts that provide details on that. The wiki page on "TLS" is a good start.

Also, with SSLv2 being enabled, it would be a safe bet to rekey the certificate as well. Not sure if the vulnerabilities associated with weaker cipher suites, a hallmark of SSLv2, might have compromised the key material. Revoking and replacing the certificate would be a good idea.

Khanna111
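The question and the answer both turn on what the Apache directives actually control: SSLCipherSuite is an OpenSSL cipher string (where "SSLv2" is a cipher-suite alias), while the protocol versions a vhost will negotiate are set by SSLProtocol, and Heartbleed depended on the OpenSSL build, not on the cipher list. The script below is an added example, not code from the question, the answer or Apache; it audits two constructed vhost fragments (a weak one modelled on the question and a hardened one) for what they negotiate, then combines that with an OpenSSL version string. The expansion of `all`, the default for a missing SSLProtocol, and the `heartbleed_exposed` helper are my assumptions, stated in the comments.

```python
"""Audit Apache mod_ssl vhost fragments: what gets negotiated, what is weak."""
import re

# Constructed sample vhost fragments (not taken from any real server).
WEAK_VHOST = """
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite SSLv2
</VirtualHost>
"""

HARDENED_VHOST = """
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on
</VirtualHost>
"""

KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
# Assumption: "all" expands as documented for Apache 2.4 mod_ssl (everything but SSLv2).
ALL_ALIAS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
# Assumption: a vhost with no SSLProtocol line behaves like "SSLProtocol all".
DEFAULT_SSLPROTOCOL = "all"


def parse_directives(config):
    """Collect SSL* directives from a vhost fragment; the last occurrence wins."""
    found = {}
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(SSL\w+)\s+(.+)$", line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found


def enabled_protocols(sslprotocol):
    """Expand an SSLProtocol value (+/- tokens, 'all') into negotiable versions."""
    enabled = set()
    for tok in sslprotocol.split():
        sign, name = "+", tok
        if tok[0] in "+-":
            sign, name = tok[0], tok[1:]
        if name.lower() == "all":
            names = ALL_ALIAS
        else:
            names = [k for k in KNOWN if k.lower() == name.lower()]
        if sign == "+":
            enabled.update(names)
        else:
            enabled.difference_update(names)
    return enabled


def audit(config):
    """Report what a vhost actually negotiates and which settings are weak."""
    d = parse_directives(config)
    protocols = enabled_protocols(d.get("SSLProtocol", DEFAULT_SSLPROTOCOL))
    cipher_tokens = d.get("SSLCipherSuite", "").split(":")
    findings = []
    if "SSLv2" in cipher_tokens:
        # A cipher-string alias narrows the cipher list; it does not limit protocol versions.
        findings.append("SSLCipherSuite uses the SSLv2 cipher alias; "
                        "protocol versions are controlled by SSLProtocol, not here")
    for legacy in ("SSLv2", "SSLv3"):
        if legacy in protocols:
            findings.append(legacy + " is negotiable; disable it with SSLProtocol")
    return {
        "protocols": protocols,
        "tls_negotiable": any(p.startswith("TLS") for p in protocols),
        "findings": findings,
    }


def heartbleed_exposed(openssl_version, tls_negotiable):
    """True if the release string is in the affected range (1.0.1 through 1.0.1f)
    and TLS could be negotiated.  Caveat: distribution packages often backport
    the fix without changing this string, so confirm against the package
    changelog rather than trusting the version alone."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", openssl_version)
    if not m:
        raise ValueError("unrecognised OpenSSL version: " + openssl_version)
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    affected = (major, minor, patch) == (1, 0, 1) and m.group(4) <= "f"
    return affected and tls_negotiable


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_VHOST), ("hardened", HARDENED_VHOST)):
        report = audit(cfg)
        print(label, "negotiates", sorted(report["protocols"]))
        for finding in report["findings"]:
            print("  -", finding)
        print("  exposed on OpenSSL 1.0.1e:",
              heartbleed_exposed("1.0.1e", report["tls_negotiable"]))
```

Run it as-is to see the two reports side by side; to audit a real vhost, pass the file contents to `audit()` and the output of `openssl version` to `heartbleed_exposed()`. Whatever the audit says about the past, the advice in the thread stands: the only safe response to a period of possible exposure is to revoke and re-issue the certificate, since a leaked key cannot be detected after the fact.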