GoDaddy SSL Certificate

That’s because it only affected the Debian and Ubuntu versions of OpenSSL.

RHEL was not impacted, because RHEL didn’t break it in their packages. This was a very specific problem, caused by a very specific change made by a Debian developer to the Debian package. So, only Debian, and Ubuntu, which is 90% the work of Debian developers, had the problem.

But, I do agree that the problem is possibly overblown. However, GitHub reported seeing several identical keys from different people, which is a pretty serious problem. If that’s the case in their relatively tiny userbase, then it would definitely be possible for a cracker to generate a few hundred keys using the buggy library, and then make a brute force attempt on millions of sites. They’d get a few hits, I reckon, though it would probably also take months. I don’t know that any black hat will be determined enough to exploit this specific hole rather than going after lower-hanging fruit (like Windows boxes running unpatched IE, Outlook, etc.), which can be found at a rate of hundreds or thousands per day of searching. But, if I had any keys impacted by this I would revoke them and make new ones. All of my keys, including the Virtualmin package signing keys, were made on Fedora systems.

There is only 1 (ONE)!!! SSL provider that is offering a replacement cert for free because of this.

Try to sell that to the other 10 billion Debian users that use GoDaddy or other cert providers that won’t.

An update to this…

http://isc.sans.org/diary.html?storyid=4543

To quote:
So Where Are Those OpenSSH Key-based Attacks?

One of our readers contacted the handler on duty to see if we had seen any reports since then of active attacks concerning this attack vector. The standard SSH port (22/tcp) has been at normal levels for the past several weeks with one exception (on May 27-28) per the data at Dshield.

End quote

I told you it was all hype – not one SSL site has been hacked, nor have there been any significant reports of any type of SSH/SSL hacking.

SteveACup wrote:

If I may add a few tidbits that may save someone like me a few hours: ... 2) if you already have a passworded private key file, use this command to remove the password: openssl rsa -in key.pem -out keyout.pem

Hope this helps someone

This helped me out. Thanks!

Another tidbit: If you do have your pem file passworded, you can do "/etc/rc5.d/S99webmin start" as root in the console and enter the PEM password to start webmin.

Hi Guys

I would really appreciate a 1-2-3 guide on how to set up TLS or SSL on Postfix and Dovecot to secure email on one virtual host. I have a GoDaddy SSL cert and have set up the domain to work on SSL. I have had a look around in the forums and in the Virtualmin docs, and this topic seems a little light on documentation.

Cheers in advance for any pointers or input on this.


Well, Transmobius’s message at the beginning of this thread should take you from start to finish on a GoDaddy SSL cert:

http://www.virtualmin.com/forums/general-discussion/godaddy-ssl-certificate.html#8412

I’m not sure if that information ever made it into the docs, but if not, it probably should :)
-Eric

Thanks for the great info Transmobius. I have yet to get ProFTPD to work properly though. I kept getting the following in my TLS log:

Nov 26 11:19:45 mod_tls/2.1.2[24181]: error loading TLSRSACertificateKeyFile '/xxx/xxx/xxx/xxx.key':
(1) error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Which seemed odd because everything was working fine with apache, so I can only conclude that I made a mistake when creating the chained crt file.

Also, I am not sure if this will help anyone, but the chained file I created seemed to have DOS-style (^M) line endings, so I passed it through the dos2unix command, but it did not seem to help (in my case, anyway).

It is not a big deal for me at the moment, I have bigger fish to fry, but I will report back if I find a solution.

Thanks again,

Adam

Hi Dude,

Why did you go with a chained root SSL certificate? Want to go for a direct root-level SSL certificate? There are so many root-level SSL providers available… www.thawte.com

Damian,

Do you want to go with the SSL provider’s website? They do offer live chat SSL installation support. I have experience with Rapidsslonline.com. I got RapidSSL for only $15 and they do live chat support. I hope these guys can help you… Want to try?

X Kevin…

Hey guys, cut out the spamming of SSL providers. Not the place for it. ;)

Chained certificates work fine, and it’s what we use here at Virtualmin.com (from GoDaddy, even). I’ve never used one in ProFTPd, though, as I don’t use FTP, so I don’t have a lot of useful advice on the topic. But it looks like you’re trying to use the wrong private key (or perhaps one that has a passphrase that isn’t being provided) for your certificate. Double check your configuration to be sure you’re providing a certificate, a key, and the CA (chained certificate authority) files.

Hi adamcharnock, sorry about the delay in replying.

First, my /home/$DOMAIN/ssl.chained.cert does NOT have trailing ^M characters
so I would probably start by (backing up and) rebuilding that file.

Also, the error, and your ‘/xxx/xxx/xxx/xxx.key’, look like you may be
pointing to the wrong file. Or maybe it’s just one too many /xxx in your
obfuscated path. My ssl files are in /home/$DOMAIN/, perhaps yours are
in /home/$DOMAIN/ssl/ ? Hmmm, that’d be a bit cleaner, may do that . . .

Next, this is the appropriate section from my /etc/proftpd/proftpd.conf
it is somewhat changed from my earlier post:

<IfModule mod_tls.c>
    TLSEngine on
    # Refuse plain FTP: both the control and the data connections must use TLS.
    TLSRequired on
    # Demand a client certificate from every connecting FTP client (most have none).
    TLSVerifyClient on
    # SSLv23 = negotiate any version the OpenSSL build supports, SSLv2/SSLv3 included;
    # current ProFTPD releases accept explicit versions such as "TLSv1.2 TLSv1.3" here.
    TLSProtocol SSLv23
    TLSRSACertificateFile /home/$DOMAIN/ssl.chained.cert
    TLSRSACertificateKeyFile /home/$DOMAIN/ssl.key
    # OpenSSL cipher string: everything except anonymous DH and single DES.
    TLSCipherSuite ALL:!ADH:!DES
    TLSLog /var/log/proftpd/tls.log
    # Uncomment to stop the server asking clients for a certificate at all.
    ##TLSOptions NoCertRequest
</IfModule>

(Obviously, you must replace $DOMAIN with your actual domain)

Note that the above ONLY allows encrypted connections, to also allow
non-encrypted sessions use ‘TLSRequired off’.

A good reference page for the ProFTPd TLS stuff is at
http://www.castaglia.org/proftpd/modules/mod_tls.html

Cheers
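Pulling the diagnostics from this thread together: SteveACup’s tip about stripping the passphrase, the pointer above that a "key values mismatch" means the key and certificate do not belong together (or the key is passphrase-protected), the ^M note, and the CA/chain file that browsers need. The script below is an added example; it is not code from the thread, from Virtualmin or from ProFTPD. It needs the openssl command-line tool, and every key and certificate it touches when run without arguments is throwaway material it generates itself (a CA called "Example Test CA" signing a certificate for ssl.example.com, plus an unrelated key), standing in for a real GoDaddy-issued set. The function names, the file names under the temp dir and the passphrase "secret" are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or from Virtualmin/ProFTPD: offline checks
# on a certificate, its key and the CA bundle before a daemon is pointed at them.
# Needs the openssl CLI. With no arguments it runs against throwaway material it
# generates itself; with KEY CERT [CABUNDLE] it checks real files.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 1; }

# key_is_encrypted KEY: true if the PEM key needs a passphrase (legacy
# "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 ENCRYPTED PRIVATE KEY block).
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# strip_passphrase IN OUT PASS: the thread's "openssl rsa -in key.pem -out
# keyout.pem", with the passphrase supplied non-interactively. The result is a
# plaintext private key, so it is created mode 0600 (umask in a subshell).
strip_passphrase() {
    ( umask 077 && openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null )
}

# key_matches_cert KEY CERT: true if both carry the same RSA modulus. A failure
# here is what mod_tls logs as "X509_check_private_key:key values mismatch".
# An encrypted key is reported separately: a daemon started at boot cannot
# type the passphrase either.
key_matches_cert() {
    if key_is_encrypted "$1"; then
        echo "$1: passphrase-protected; strip it or the daemon cannot load it" >&2
        return 1
    fi
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# pem_has_crlf FILE: true if the file has DOS line endings (the ^M seen above).
pem_has_crlf() {
    LC_ALL=C grep -q "$(printf '\r')" "$1"
}

# leaf_verifies_with CABUNDLE LEAF: true if the server certificate chains to the
# CA bundle, i.e. the "CA (chained certificate authority)" file the thread
# mentions; browsers that do not fetch missing intermediates reject a site
# without it.
leaf_verifies_with() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# report KEY CERT [CABUNDLE]: one line per check for a set of files.
report() {
    if key_matches_cert "$1" "$2"; then echo "match:     $1 <-> $2"
    else echo "MISMATCH:  $1 <-> $2"; fi
    pem_has_crlf "$2" && echo "warning:   $2 has CRLF line endings; run dos2unix"
    if [ -n "${3:-}" ]; then
        if leaf_verifies_with "$3" "$2"; then echo "chain ok:  $2 verifies against $3"
        else echo "chain BAD: $2 does not verify against $3"; fi
    fi
}

# make_test_material DIR: constructed fixtures only. A throwaway CA ("Example
# Test CA"), a server key/cert it signs for ssl.example.com, an unrelated key,
# a passphrase-protected copy of the server key, and a CRLF copy of the cert.
make_test_material() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ssl.example.com" \
        -keyout "$d/ssl.key" -out "$d/ssl.csr" 2>/dev/null
    openssl x509 -req -in "$d/ssl.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/ssl.cert" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    openssl rsa -in "$d/ssl.key" -aes256 -passout pass:secret \
        -out "$d/ssl.enc.key" 2>/dev/null
    awk '{ printf "%s\r\n", $0 }' "$d/ssl.cert" > "$d/ssl.crlf.cert"
}

# demo: right key, wrong key, encrypted key, then the stripped key, and finally
# a CRLF cert checked against the wrong CA file.
demo() {
    dir=$(mktemp -d)
    make_test_material "$dir"
    for key in ssl.key other.key ssl.enc.key; do
        report "$dir/$key" "$dir/ssl.cert" "$dir/ca.pem"
    done
    strip_passphrase "$dir/ssl.enc.key" "$dir/ssl.plain.key" secret
    report "$dir/ssl.plain.key" "$dir/ssl.cert" "$dir/ca.pem"
    report "$dir/ssl.key" "$dir/ssl.crlf.cert" "$dir/ssl.cert"
    rm -rf "$dir"
}

if [ $# -ge 2 ]; then report "$@"; else demo; fi
```

Run it as `sh ssl-check.sh` to see the walkthrough on the generated fixtures, or as `sh ssl-check.sh /home/$DOMAIN/ssl.key /home/$DOMAIN/ssl.chained.cert /path/to/gd_bundle.crt` against a real installation. One caveat for chained files: `openssl x509` reads only the first certificate in the file, so the server (leaf) certificate has to come first and the intermediates after it. If the bundle is in the other order, this check reports a spurious mismatch, and a daemon loading that file will most likely take the first certificate as the server certificate and fail the same way.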

Did this ever make it in the wiki? I’m having trouble, though I’ve followed all the steps here and hoping a doc may help.

What sorts of trouble are you having?

Adding a GoDaddy cert in general, or getting it to work with ProFTP?
-Eric

Hi all

I also had trouble installing a GoDaddy SSL certificate. My problem was that I did not add the CA certificate from GoDaddy in Virtualmin. This led to problems in FF but not in IE. I did not find the CA certificate on the pages of godaddy.com; a friend had to mail me the certificate.

Also, the process of adding a separate virtual IP for each SSL domain is not well documented. I am not sure where in Virtualmin a second IP should be entered to run correctly. It would be nice if there was more inline help from Virtualmin or a wizard for setting up such things.

regards!
Chris

It would be nice if there was more inline help from virtualmin or a wizard for setting up such things.

But there is a wizard for SSL, I thought. And it includes a spot for the chain certificate.

How long ago was it that you had problems?

Anyway, this one is specific to ProFTPd, which does need better support for SSL in Virtualmin.

Thanks to all who contributed to this, I’ve had the GoDaddy wildcard cert for a while (*.domain) and had just not got around to putting it all together. Thanks to this I got it all done and setup with a minimum of fuss.

One thing to either add to the wiki or for others to note: you’ll also need to add the same details to the Usermin section. It’s fairly self-explanatory and very similar to the Webmin section.

Cheers,
Nick

The most common certs are only good for one host, so if you generate your CSR with “ssl.domain.com” you’d want to use that host in the setup for your mail client.

The instructions listed here work flawlessly for adding a cert to a domain - plus the kluges for using a single cert for webmin and virtualmin work as well- however, in addition to setting up the domain itself, webmin, and virtualmin, I recommend adding the same SSL setting for the Usermin setup, too!

I also added a couple of entries to httpd.conf:

ServerAlias webmail.nonsecuredomain.com

# Needed for the RewriteCond/RewriteRule below to take effect.
RewriteEngine On
# Send anyone arriving at the webmail alias to Usermin (port 20000) on the
# host the certificate was actually issued for.
RewriteCond %{HTTP_HOST} =webmail.nonsecuredomain.com
RewriteRule ^(.*) https://secureddomain.com:20000/ [R]

This way I can get my webmail at any domain on the box and it routes to the real SSL certified domain without those irritating security warnings.

I really like the way Virtualmin makes it easy to install SSL certificates.

Maybe I glanced over it, but I think it’s worth mentioning again…

The option…
Virtualmin->Server Configuration->Manage SSL Certificate
(as Transmobius pointed out in his 2007-11-18 post)

Is only available if you have Virtualmin->Edit Virtual Server->Enable Feature
and select ‘[X] Select SSL website enabled?’

I’ve created the following google doc for now, until this gets into the Wiki; if there is a format I can export it as that will help (odt?), let me know.

Comments are enabled to the public, so you can add your own notes and I will revise it for now. I will also be revising over the next day or two while I go through this process myself.

https://docs.google.com/document/d/1kvj4VLq3NnkpiGMFY-E97N84m2310vPtrzRs4e_y2g4/edit