If you have Elastic Load Balancers currently using an SSL certificate that was generated via OpenSSL version 1.1.0a-f, you need to follow these steps to revoke the current certificate on your load balancer and upload a new one.
First, update OpenSSL on the machine you are going to use to generate your private key and sign your certificate. I have written another post on how to do that here: http://blog.matthewdfuller.com/2014/04/how-to-fix-openssl-heart-bleed-bug-on.html
Once you have regenerated your keys and resigned your certificate, you can upload them to your load balancers.
Within the AWS console, click "EC2" in the Services menu.
Now, click on "Load Balancers" on the left-hand side and select your load balancer instance.
Click on the "Listeners" tab, where the existing certificate is listed.
Give your cert a name, paste in the private key and cert you created earlier, and provide any chain information if needed.
Hit save and your load balancer will push the changes.
If you want to do this via the command line or API, check out the official AWS documentation: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/US_UpdatingLoadBalancerSSL.html
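As an added example (not part of the original post), the script below carries the re-keying step through on the command line: it generates a fresh private key and CSR, checks that the certificate you are about to upload really belongs to the new key (so an old, possibly compromised key cannot be uploaded by mistake), and prints the AWS CLI commands for the upload. The CA step is replaced by a self-signed certificate so the script runs offline; the load balancer name, certificate name and hostname are placeholders.

```shell
#!/bin/sh
# Added example: regenerate a key, verify key/cert pairing, and show the upload commands.
# Requires the openssl command-line tool. The CA signing step is simulated with a
# self-signed certificate so that this runs offline; a real deployment sends the CSR
# to the CA and uses the certificate it returns.
set -e

# Generate a brand-new RSA key and a CSR for the given hostname.
# Usage: generate_key_and_csr <dir> <hostname>
generate_key_and_csr() {
  dir="$1"; cn="$2"
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -subj "/CN=$cn" -out "$dir/server.csr"
}

# Offline stand-in for the CA: self-sign the CSR with the new key.
# Usage: self_sign <dir>
self_sign() {
  dir="$1"
  openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
    -days 30 -out "$dir/server.crt" 2>/dev/null
}

# Return 0 only if the certificate's public key matches the private key.
# Both public keys are normalised to DER and hashed, so the comparison does
# not depend on PEM formatting. Usage: key_matches_cert <key.pem> <cert.pem>
key_matches_cert() {
  key_hash=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
  cert_hash=$(openssl x509 -in "$2" -pubkey -noout \
    | openssl pkey -pubin -outform DER | openssl sha256)
  [ "$key_hash" = "$cert_hash" ]
}

# Print (do not run) the AWS CLI commands that perform the upload and the
# listener switch. Names and ARN are placeholders to be replaced.
# Usage: print_upload_commands <dir> <cert-name> <elb-name>
print_upload_commands() {
  dir="$1"; cert_name="$2"; elb_name="$3"
  echo "aws iam upload-server-certificate --server-certificate-name $cert_name \\"
  echo "  --certificate-body file://$dir/server.crt --private-key file://$dir/server.key"
  echo "aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name $elb_name \\"
  echo "  --load-balancer-port 443 --ssl-certificate-id <ARN-returned-by-upload>"
}

# Demonstration run (placeholder hostname and names).
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  generate_key_and_csr "$work" "elb-example.invalid"
  self_sign "$work"
  if key_matches_cert "$work/server.key" "$work/server.crt"; then
    echo "key and certificate match; safe to upload"
    print_upload_commands "$work" "elb-cert-new" "my-elb"
  else
    echo "key and certificate do NOT match; refusing to upload" >&2
    exit 1
  fi
fi
```

Run it as `sh rekey.sh demo`. Keep the old key out of the working directory entirely: the mismatch check is the last line of defence, not a substitute for generating the new key on a patched machine.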
How will this help if Amazon has not yet patched the ELB?
It doesn't. Check here for current progress: http://aws.amazon.com/security/security-bulletins/aws-services-updated-to-address-openssl-vulnerability/
Amazon has patched their ELBs according to their press release prior to this page being posted. They have finished all zones except US-EAST1.
As of this morning (no time stamp) ALL ELBs have been patched.
Don't forget to update your EC2 instances if you have any.