With the recent exposure from the Heartbleed bug, many people have either been panicking or been so lazy that they’ve ignored it completely. I suggest you land somewhere in between. Change your passwords and consider using a password manager so you can have a random password for each site – personally I’ve gone with LastPass. But what about your FreeBSD servers?
When you check your OpenSSL version on FreeBSD you get a non-affected version, pheeew – lucky right?
$ openssl version
OpenSSL 0.9.8y 5 Feb 2013
Well, not exactly – the OS version of OpenSSL is too old to be affected by the Heartbleed heartbeat bug (explained here by xkcd). You need to tell ports to use the updated OpenSSL version from the ports tree, so let’s do that and install it. Afterwards you need to rebuild any port and/or dependency that uses OpenSSL.
First we make sure your ports tree and OS are up to date
sudo freebsd-update fetch install
sudo portsnap fetch update
Then we edit make.conf
sudo sh -c 'echo "WITH_OPENSSL_PORT=yes" >> /etc/make.conf'
Now we install OpenSSL
sudo portmaster security/openssl
sudo ln -s /etc/ssl/openssl.cnf /usr/local/openssl/openssl.cnf
OpenSSL will now be installed into /usr/local/bin/openssl, but the default OS version is still first in your path. This is okay, as the option we set in make.conf will make sure that ports use the updated version. Here is how to check that you have both, and their versions
$ sudo /etc/periodic/weekly/310.locate
$ locate openssl|grep /bin/openssl$
/usr/bin/openssl
/usr/local/bin/openssl
$ /usr/local/bin/openssl version
OpenSSL 1.0.1g 7 Apr 2014
$ /usr/bin/openssl version
OpenSSL 0.9.8y 5 Feb 2013
Personally I chose to just rebuild all my ports – you don’t have to, but I also updated my FreeBSD version while I was doing this, so it was easier.
sudo portmaster -af
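To verify the result of the steps above, here is an added example (not part of the original post) that classifies the `openssl version` output of both binaries against the upstream Heartbleed range and shows whether a rebuilt binary loads libssl from base or from ports. The function names are made up for this example, and the nginx path in the comment is only an illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the original post.

# Classify one `openssl version` line against the upstream Heartbleed range
# (OpenSSL 1.0.1 through 1.0.1f, plus 1.0.2-beta1; fixed in 1.0.1g).
heartbleed_status() {
    name=${1%% *}            # first word, e.g. "OpenSSL"
    rest=${1#* }
    ver=${rest%% *}          # second word, e.g. "1.0.1g"
    [ "$name" = "OpenSSL" ] || { echo "not-openssl"; return 0; }
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) echo "in-affected-range" ;;
        *)                            echo "outside-affected-range" ;;
    esac
}

# Classify one line of `ldd` output: is libssl loaded from the base system
# (/usr/lib, /lib) or from ports (/usr/local/lib)?
libssl_origin() {
    case "$1" in
        *libssl.so*"=> /usr/local/lib/"*) echo "ports" ;;
        *libssl.so*"=> /usr/lib/"*|*libssl.so*"=> /lib/"*) echo "base" ;;
        *) echo "none" ;;
    esac
}

# Report both binaries named in the post, if present on this host.
report_openssl() {
    for bin in /usr/bin/openssl /usr/local/bin/openssl; do
        [ -x "$bin" ] || continue
        line=$("$bin" version 2>/dev/null) || continue
        printf '%s: %s (%s)\n' "$bin" "$line" "$(heartbleed_status "$line")"
    done
}

# Report which libssl each given binary is linked against, e.g.
#   report_linkage /usr/local/sbin/nginx   (example path only)
report_linkage() {
    for bin in "$@"; do
        ldd "$bin" 2>/dev/null | while IFS= read -r l; do
            o=$(libssl_origin "$l")
            [ "$o" = "none" ] || printf '%s: libssl from %s\n' "$bin" "$o"
        done
    done
}

report_openssl
```

A version string cannot show a fix that was backported without a version bump, so treat "in-affected-range" as a prompt to check the patch level rather than as a final verdict.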