Protecting My Site Against the SSL Vulnerability in Debian GNU/Linux
A recently disclosed security flaw in the OpenSSL packages that Debian GNU/Linux distributed between September 17, 2006 and May 12, 2008 may require you to take immediate action to protect your site and your customers against this vulnerability. Affected Debian-based operating systems include Ubuntu, Kubuntu, Knoppix, Grml, and Xandros.
If you are running one of these Debian versions or derivatives and have SSL Certificates issued through us, you need to patch your server and then use the free re-key credit available for your SSL Certificates.
To Protect your Site from the SSL Vulnerability in Debian GNU/Linux
- Upgrade your Debian operating system to a patched version.
  NOTE: Your server must be patched before you use the re-key credit. Otherwise, the new key pair and certificate may still be vulnerable and will be rejected.
- Use the free re-key credit available from within your Secure Management account.
- Follow the instructions in Re-key an SSL Certificate.
Re-keying your SSL Certificate creates a new key pair, which we use to reissue the certificate so that it is no longer affected by the vulnerability.
The issue, caused by a flaw in Debian's modified random number generator, leaves only a small, predictable set of possible key pairs, which makes them highly exploitable and easy to recover by brute force. Because a certificate request is generated from a key pair, a certificate issued for an affected key pair is compromised as well.
For more information on this Debian-specific vulnerability, and for a list of the specific operating system versions affected, refer to the security announcements published by Debian and Ubuntu.
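Because the flaw produces a small set of predictable keys, a defender can check an existing key or certificate, and the freshly generated one after patching, against a blacklist of known-weak moduli before re-keying. The following is an added example, not code from this page or from Debian; it assumes the blacklist convention of Debian's openssl-blacklist package as this example understands it (the last 20 hex characters of the SHA-1 of the `Modulus=<HEX>` line printed by `openssl rsa -noout -modulus`), and the blacklist entries and moduli below are constructed sample data, not real weak keys.

```python
import hashlib
from typing import Set


def blacklist_id(modulus_hex: str) -> str:
    """Derive the blacklist entry for an RSA modulus.

    Assumption (openssl-blacklist convention as understood here): SHA-1 the
    exact line "Modulus=<UPPERCASE HEX>\n" and keep the last 20 hex digits.
    """
    line = "Modulus=" + modulus_hex.strip().upper() + "\n"
    return hashlib.sha1(line.encode("ascii")).hexdigest()[20:]


def modulus_from_openssl_output(line: str) -> str:
    """Extract the hex modulus from an `openssl ... -noout -modulus` line."""
    key, _, value = line.strip().partition("=")
    if key != "Modulus" or not value:
        raise ValueError(f"not a modulus line: {line!r}")
    return value.upper()


def parse_blacklist(text: str) -> Set[str]:
    """Load a blacklist file: one 20-char id per line, '#' lines are comments."""
    ids = set()
    for raw in text.splitlines():
        entry = raw.strip()
        if entry and not entry.startswith("#"):
            ids.add(entry.lower())
    return ids


def is_weak(modulus_hex: str, blacklist: Set[str]) -> bool:
    """True if the modulus is listed; absence is NOT proof the key is safe."""
    return blacklist_id(modulus_hex) in blacklist


# Constructed sample data: made-up moduli standing in for known-weak keys.
WEAK_MODULI = ("C0FFEE0001", "DEADBEEF0002")
SAMPLE_BLACKLIST_TEXT = "# constructed blacklist\n" + "\n".join(
    blacklist_id(m) for m in WEAK_MODULI) + "\n"

if __name__ == "__main__":
    bl = parse_blacklist(SAMPLE_BLACKLIST_TEXT)
    for out in ("Modulus=C0FFEE0001", "Modulus=ABCDEF0003"):
        m = modulus_from_openssl_output(out)
        print(out, "-> WEAK, re-key" if is_weak(m, bl) else "-> not listed")
```

In practice, feed `modulus_from_openssl_output` the line from `openssl x509 -noout -modulus -in cert.pem` and `parse_blacklist` the real blacklist file for the key size in use; the blacklist only covers the key sizes it was generated for, so a miss does not prove the key was generated on a patched system.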