How to Ensure That Ruby Uses an OpenSSL Not Vulnerable to Heartbleed

How does Heartbleed affect Ruby on Rails?

As far as I understand it, no. Rails itself doesn't depend on openssl. Instead it is based on the machine that the rails app is on. Windows and Mac OSX are probably unaffected as they don't by default have openssl. Many forms of linux do however use the libssl and openssl software. What does this mean exactly?

If you're worried about your own personal computer, you're unlikely to be vulnerable if you use Windows or Mac and Chrome. (I'm not sure about Firefox or IE.)

If you're worried about your app that is on a server somewhere, then you need to check the system libraries yourself to make sure that the server doesn't use openssl (or check that the version is new, or recompile openssl using the -DOPENSSL_NO_HEARTBEATS flag).

If you can't check the system (e.g. you use remote hosting), you can check the SSL certificate of the website and make sure it was issued past 7 April 2014.

If you really don't know about someone else's website and want to check, you can use this vulnerability checking tool.

Also as good measure, if you re-use passwords on any sites or think you've been using a password for a while that you may have once put into an insecure site, you should change out your passwords to a new set of them. Updating passwords regularly is good practice anyway.
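The certificate-date heuristic from the answer above, as an added Ruby example that is not part of the original post: it checks whether a certificate's validity period starts on or after 7 April 2014, the day the fixed OpenSSL shipped. `build_test_cert` constructs a self-signed certificate with a chosen `not_before` so the check can run offline; `site_cert_issued_after_fix?` is the same check applied to a live server's certificate and needs network access. The host and the `example.test` name are placeholders, and `not_before` is used here as the stand-in for the issue date.

```ruby
require 'openssl'
require 'socket'

# The day OpenSSL 1.0.1g was released (per the answer above).
HEARTBLEED_FIX_DATE = Time.utc(2014, 4, 7)

# Returns true when the certificate's validity starts on or after the fix date.
# This is a heuristic for hosts you cannot inspect directly: a certificate
# dated before the fix was exposed to a vulnerable server if that server ran
# 1.0.1-1.0.1f, and a certificate dated after it says nothing by itself about
# whether the server was patched before the new certificate was installed.
def issued_after_heartbleed_fix?(cert)
  cert.not_before >= HEARTBLEED_FIX_DATE
end

# Fetch the leaf certificate a TLS server presents and apply the check.
# Requires network access; `host` is whatever site you want to inspect.
def site_cert_issued_after_fix?(host, port = 443)
  tcp = TCPSocket.new(host, port)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params # VERIFY_PEER with the system CA store
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = host # SNI, so the right certificate is served
  ssl.sync_close = true
  ssl.connect
  issued_after_heartbleed_fix?(ssl.peer_cert)
ensure
  ssl&.close
  tcp&.close
end

# Constructed test certificate (not from any real site): self-signed RSA cert
# whose validity starts at `not_before`, so the check can be exercised offline.
def build_test_cert(not_before)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=example.test')
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_before + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end
```

`set_params` turns on peer verification against the default CA store; a server whose chain does not verify raises before the date is ever read, which is the right failure mode for a check you are relying on.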

OpenSSL version for Heartbleed

To check the version you should just be able to run the following command from the command line:

openssl version -v

This should output something like:

OpenSSL 1.0.1e-fips 11 Feb 2013

Information on what versions of OpenSSL are affected:

Status of different versions:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

The bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g, released on 7th of April 2014, fixes the bug.

More information on the heartbleed vulnerability can be found at http://heartbleed.com/

You only need to update if your CentOS host is a server running openssl. If you are worried about being a client connecting, the version of openssl is irrelevant as the vulnerability exploit depends on the server side version, not client side. A good blog post on how the heartbleed vulnerability works can be found here.

To manually update openssl you can run the command:

yum update openssl

You will need to be root/have root privileges to run the update. See more information on managing packages for CentOS here.
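The version table above turned into a check you can run from the Ruby that actually serves your app, as an added example that is not part of the original answer. It parses an `openssl version` style string, applies the table (1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, 1.0.0 and 0.9.8 never affected), and reports both the OpenSSL Ruby's extension was compiled against and the library it has loaded at run time. Two assumptions are mine: branches newer than 1.0.1 are treated as not vulnerable, and `OpenSSL::OPENSSL_LIBRARY_VERSION` is used only when the running Ruby defines it.

```ruby
require 'openssl'

# Parse the string printed by `openssl version` (or exposed by Ruby's OpenSSL
# constants), e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013", into
# [major, minor, fix, letter]. Returns nil if the string is not recognised.
def parse_openssl_version(str)
  m = str.to_s.match(/\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)/)
  return nil unless m
  [m[1].to_i, m[2].to_i, m[3].to_i, m[4]]
end

# Apply the status table above. 1.0.1 (no letter) through 1.0.1f are
# vulnerable; 1.0.1g and later letters carry the fix; the 1.0.0 and 0.9.8
# branches never had the Heartbeat code. Branches newer than 1.0.1 are treated
# as not vulnerable here (assumption: they were cut after the fix).
# Returns :vulnerable, :not_vulnerable or :unknown (unparseable string).
#
# Caveat: distributions backport fixes without bumping the upstream version,
# so a string such as "OpenSSL 1.0.1f" can belong to a patched package.
# Treat :vulnerable from this function as "check the package changelog",
# not as proof of exposure.
def heartbleed_status(version_str)
  parsed = parse_openssl_version(version_str)
  return :unknown unless parsed
  major, minor, fix, letter = parsed
  case [major, minor, fix] <=> [1, 0, 1]
  when 0 then letter <= 'f' ? :vulnerable : :not_vulnerable
  else :not_vulnerable # older (1.0.0, 0.9.8) or newer branch
  end
end

# What the Ruby running this script actually links against.
# OPENSSL_VERSION is the version of the headers the openssl extension was
# compiled against; OPENSSL_LIBRARY_VERSION (defined on newer Rubies) is the
# shared library loaded at run time, which is the one that counts after a
# `yum update openssl` that does not rebuild Ruby.
def ruby_openssl_report
  compiled = OpenSSL::OPENSSL_VERSION
  runtime = if OpenSSL.const_defined?(:OPENSSL_LIBRARY_VERSION)
              OpenSSL::OPENSSL_LIBRARY_VERSION
            else
              compiled
            end
  { compiled: compiled, runtime: runtime, status: heartbleed_status(runtime) }
end

if __FILE__ == $PROGRAM_NAME
  r = ruby_openssl_report
  puts "compiled against:  #{r[:compiled]}"
  puts "linked at runtime: #{r[:runtime]}"
  puts "heartbleed status: #{r[:status]}"
end
```

Run it with the same Ruby binary your application server uses (`bundle exec ruby check.rb` under the app's environment), not the system Ruby; a Ruby built against a private OpenSSL keeps using it no matter what `yum update openssl` installed.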

Does the heartbleed bug necessitate new SSH private keys?

No, as far as I know you don't need to regenerate new key pairs (it would be sensible anyway, though). Heartbleed was a bug in the Heartbeat extension of OpenSSL for the keep-alive of an SSL/TLS connection.

Please see this article too: http://www.ssh.com/blog/12-ssh-communications-security-comments-on-heartbleed-vulnerability

Is the Ubuntu trusty public repo hosting a heartbleed vulnerable openssl version?

No, the Ubuntu package has a fix backported to 1.0.1f. http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.0.1f-1ubuntu2.21/changelog mentions a fix for the Heartbeat vulnerability under version 1.0.1f-1ubuntu2, dated 7 Apr 2014.

SSL/TLS HeartBleed vulnerability

Java does not use OpenSSL, although some Java applications like Tomcat can. As you're using keystores and truststores, you must be using JSSE rather than OpenSSL.
