@janko
Last active August 29, 2015 13:58
OpenSSL upgrade instructions

These are upgrade instructions for the new OpenSSL vulnerability, Heartbleed. They are for Mac only and assume you have Homebrew installed.

OpenSSL

You need to upgrade OpenSSL to at least version 1.0.1g.

$ brew update
$ brew upgrade openssl
$ brew link --force openssl
$ hash -r # refresh the executable lookup

Now $ openssl version -a should show the correct version (1.0.1g or higher).

OpenSSH

Since SSH is also running an older version of OpenSSL, you'll need to update it as well.

$ brew tap homebrew/dupes
$ brew install openssh
$ hash -r # refresh the executable lookup

Now $ ssh -V should show that it's installed with the correct version of OpenSSL (1.0.1g or higher).
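
As an added example (not part of the original gist), the two version checks above can be scripted: the functions below pull the OpenSSL version out of `openssl version` or `ssh -V` style output and compare it against the 1.0.1g minimum, letter suffix included. The function names and the sample strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Sample strings are constructed, not captured from a real host.

# Pull "1.0.1g" out of text such as `openssl version` or `ssh -V 2>&1` output.
# Prints nothing if no "OpenSSL x.y.z" token is present (e.g. a LibreSSL build).
extract_openssl_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*/\1/p' |
        head -n 1
}

# Turn "1.0.1g" into a fixed-width key ("001000001g") that sorts as a string.
version_key() {
    nums=${1%%[a-z]*}        # numeric part, e.g. "1.0.1"
    suffix=${1#"$nums"}      # patch letters, e.g. "g" (may be empty or "zh")
    old_ifs=$IFS; IFS=.
    set -- $nums
    IFS=$old_ifs
    printf '%03d%03d%03d%s' "${1:-0}" "${2:-0}" "${3:-0}" "$suffix"
}

# Succeeds when version $1 is at least $2 (default: the page's 1.0.1g).
openssl_meets_minimum() {
    have=$(version_key "$1")
    need=$(version_key "${2:-1.0.1g}")
    LC_ALL=C awk -v a="$have" -v b="$need" 'BEGIN { exit !((a "") >= (b "")) }'
}

# Prints "OK <ver>" / "OLD <ver>" / "UNKNOWN"; return status 0 / 1 / 2.
check_openssl_output() {
    ver=$(extract_openssl_version "$1")
    if [ -z "$ver" ]; then echo "UNKNOWN"; return 2; fi
    if openssl_meets_minimum "$ver"; then echo "OK $ver"; else echo "OLD $ver"; return 1; fi
}

# Constructed samples in the shape of `openssl version` and `ssh -V` output.
for sample in \
    'OpenSSL 1.0.1e 11 Feb 2013' \
    'OpenSSL 1.0.1g 7 Apr 2014' \
    'OpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014' \
    'OpenSSH_9.0p1, LibreSSL 3.3.6'
do
    check_openssl_output "$sample" || true
done
```

On a real machine, pass live output instead of the samples: `check_openssl_output "$(openssl version)"` and `check_openssl_output "$(ssh -V 2>&1)"` (`ssh -V` writes to stderr).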

Port 22 of your OS is still served by the old version of SSH, so you need to change the Program and ProgramArguments keys in /System/Library/LaunchDaemons/ssh.plist to point to the new OpenSSH (you'll need sudo access to change the file):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Disabled</key>
	<true/>
	<key>Label</key>
	<string>com.openssh.sshd</string>
	<key>Program</key>
-	<string>/usr/libexec/sshd-keygen-wrapper</string>
+	<string>/usr/local/sbin/sshd</string>
	<key>ProgramArguments</key>
	<array>
-		<string>/usr/sbin/sshd</string>
+ 		<string>/usr/local/sbin/sshd</string>
		<string>-i</string>
	</array>
	<key>Sockets</key>
	<dict>
		<key>Listeners</key>
		<dict>
			<key>SockServiceName</key>
			<string>ssh</string>
			<key>Bonjour</key>
			<array>
				<string>ssh</string>
				<string>sftp-ssh</string>
			</array>
		</dict>
	</dict>
	<key>inetdCompatibility</key>
	<dict>
		<key>Wait</key>
		<false/>
	</dict>
	<key>StandardErrorPath</key>
	<string>/dev/null</string>
	<key>SHAuthorizationRight</key>
	<string>system.preferences</string>
	<key>POSIXSpawnType</key>
	<string>Interactive</string>
</dict>
</plist>
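
Review bot: the Program change replaces /usr/libexec/sshd-keygen-wrapper with a direct call to /usr/local/sbin/sshd, so whatever the wrapper did before starting sshd (by its name, host key generation) no longer runs. Confirm that the Homebrew sshd has host keys and a configuration file in place before reloading, because it is started with -i per connection and StandardErrorPath is /dev/null, so a startup failure would be silent. The file is also a system-owned plist under /System/Library/LaunchDaemons, so keep a copy of the original and re-check both changed paths after OS updates. Minor: the added ProgramArguments line has a stray space between the + and the tab.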

And reload the plist:

$ sudo launchctl unload -w /System/Library/LaunchDaemons/ssh.plist
$ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist

Now $ telnet localhost 22 should show the correct SSH version – SSH-2.0-OpenSSH_6.6 (or higher). (Press "Enter" to exit telnet.) This is taken from a StackOverflow question.

Ruby

Since Rubies so far were installed with an older version of OpenSSL, you may need to update them as well. I think it's not necessary if you're not actually using OpenSSL in your Ruby code.

If you're using ruby-build to install your rubies, Sferik released an update which includes the new OpenSSL, so use it to update your rubies.

nbrownus commented Jan 8, 2015

Doesn't work for me on Yosemite

Need to remove these lines from the plist:

    <key>SHAuthorizationRight</key>
    <string>system.preferences</string>
