With the recent exposure due to the heartbleed bug many have been panicking or so lazy they’ve ignored it completely. I suggest you land somewhere in between. Change your passwords and consider using a password manager so you can have random passwords for each site – personally I’ve gone with LastPass. But what about your FreeBSD servers?

When you check your OpenSSL version on FreeBSD you get a non-affected version, pheeew – lucky right?

$ openssl version
OpenSSL 0.9.8y 5 Feb 2013

Well not exactly – the OS version of OpenSSL is too old to be affected by the heartbleed heartbeat bug (explained here by xkcd). You need to tell ports to use the updated OpenSSL version in the ports so let’s do that and install it – afterwards you need to rebuild any port and/or dependencies that uses OpenSSL.

First we make sure your ports tree and OS is up to date

sudo freebsd-update fetch install
sudo portsnap fetch update

Then we edit make.conf

sudo sh -c 'echo "WITH_OPENSSL_PORT=yes" >> /etc/make.conf'

Now we install OpenSSL

sudo portmaster security/openssl
sudo ln -s /etc/ssl/openssl.cnf /usr/local/openssl/openssl.cnf

OpenSSL will now be installed into /usr/local/bin/openssl but the default OS version is still first in your path, this is okay as the option we set in make.conf will make sure that ports use the updated version. Here is the way to check you have both and their versions

$ sudo /etc/periodic/weekly/310.locate
$ locate openssl|grep /bin/openssl$
/usr/bin/openssl
/usr/local/bin/openssl

$ /usr/local/bin/openssl version
OpenSSL 1.0.1g 7 Apr 2014

$ /usr/bin/openssl version
OpenSSL 0.9.8y 5 Feb 2013

Personally I chose to just rebuild all my ports – you don’t have to but I also updated FreeBSD version while I was doing this so it was easier.

sudo portmaster -af