In the wake of recent concerns and debates raised around the Heartbleed bug, we wanted to update Severalnines ClusterControl users on any impact this bug might have on ClusterControl & associated databases and/or applications.
If your ClusterControl's web application has been accessible on the internet, then most likely you have also been exposed to the Heartbleed OpenSSL security bug, see: http://heartbleed.com for more details.
By default, our database deployment script enables SSL encryption for the Apache web server on the Controller host with a generated private SSL key and a self-signed certificate. SSL encryption is used between the UI and the Controller REST API if you have clusters added with HTTPS, which we do by default. The content that is encrypted (and which an attacker could potentially get access to via this bug) is primarily monitoring and ClusterControl application data.
Test your server for Heartbleed: https://www.ssllabs.com/ssltest
Upgrade the OpenSSL package for your distribution immediately and restart Apache so that it loads the patched library. If you are concerned that your Controller server has been compromised, also generate a new private key and certificate once the upgrade is in place, since a key served by the unpatched library may already have been exposed.
First create a self-signed certificate by following the instructions in this post:
Then install the new private key and certificate by updating your Apache web server configuration and restarting the web server.
CentOS/RHEL distributions: edit the /etc/httpd/conf.d/ssl.conf file
…
SSLCertificateFile /etc/pki/tls/certs/<your new cert>.crt
SSLCertificateKeyFile /etc/pki/tls/private/<your new key>.key
…
Debian/Ubuntu distributions: edit the /etc/apache2/sites-enabled/000-default-ssl file
…
SSLCertificateFile /etc/ssl/certs/<your new cert>.crt
SSLCertificateKeyFile /etc/ssl/private/<your new key>.key
…
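The steps above (confirm OpenSSL is patched, generate a new key and self-signed certificate, point Apache at them, restart the web server) gathered into one script. This is an added example, not Severalnines' deployment script or any part of ClusterControl: the config file and directory paths are the ones listed above, while the OpenSSL version check, the /etc/os-release based distribution detection, the certificate name "clustercontrol-new" and all function names are this example's own assumptions. It goes slightly beyond the post by refusing to generate a key while "openssl version" still reports an affected release.

```shell
#!/bin/sh
# Added example, not Severalnines' own tooling: rotate the ClusterControl
# Controller's Apache SSL key and certificate after patching OpenSSL.
# Config paths are those named in the post; the version check, os-release
# detection, certificate name and function names are assumptions.

# Return 0 when an "openssl version" string names a release in the affected
# range 1.0.1 to 1.0.1f (or 1.0.2-beta1). Caveat: most distributions shipped
# the fix as a backport without changing this string, so the package
# changelog is authoritative; treat a "not affected" result as a hint only.
cc_openssl_version_affected() {
  case "$1" in
    "OpenSSL 1.0.1 "*|"OpenSSL 1.0.1"[a-f]" "*|"OpenSSL 1.0.2-beta1 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Map an /etc/os-release ID (plus ID_LIKE) to the two families the post covers.
cc_distro_family() {
  case "$1" in
    *rhel*|*centos*|*fedora*) echo rhel ;;
    *debian*|*ubuntu*)        echo debian ;;
    *)                        return 1 ;;
  esac
}

# Print the Apache SSL config file, certificate directory and private key
# directory for a family, exactly as the post lists them.
cc_ssl_paths() {
  case "$1" in
    rhel)   echo "/etc/httpd/conf.d/ssl.conf /etc/pki/tls/certs /etc/pki/tls/private" ;;
    debian) echo "/etc/apache2/sites-enabled/000-default-ssl /etc/ssl/certs /etc/ssl/private" ;;
    *)      return 1 ;;
  esac
}

# Generate a fresh 2048-bit RSA key and a one-year self-signed certificate.
# This must run with the patched OpenSSL, otherwise the new key is exposed too.
cc_generate_cert() {
  name=$1 certdir=$2 keydir=$3 cn=$4
  openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj "/CN=$cn" \
    -keyout "$keydir/$name.key" -out "$certdir/$name.crt" \
  && chmod 600 "$keydir/$name.key"
}

# Point the SSLCertificateFile / SSLCertificateKeyFile directives at the new
# files in place, keeping a .bak copy of the original configuration.
cc_update_apache_conf() {
  conf=$1 cert=$2 key=$3
  sed -i.bak \
    -e "s|^\([[:space:]]*\)SSLCertificateFile .*|\1SSLCertificateFile $cert|" \
    -e "s|^\([[:space:]]*\)SSLCertificateKeyFile .*|\1SSLCertificateKeyFile $key|" \
    "$conf"
}

# Usage (as root on the Controller): sh rotate_cc_ssl.sh rotate [hostname]
if [ "${1:-}" = "rotate" ]; then
  cn=${2:-$(hostname -f)}
  if cc_openssl_version_affected "$(openssl version)"; then
    echo "openssl still reports an affected release; upgrade the package first" >&2
    exit 1
  fi
  family=$(cc_distro_family "$(. /etc/os-release; echo "$ID ${ID_LIKE:-}")") \
    || { echo "unsupported distribution" >&2; exit 1; }
  set -- $(cc_ssl_paths "$family")
  conf=$1 certdir=$2 keydir=$3
  cc_generate_cert clustercontrol-new "$certdir" "$keydir" "$cn"
  cc_update_apache_conf "$conf" "$certdir/clustercontrol-new.crt" "$keydir/clustercontrol-new.key"
  if [ "$family" = rhel ]; then service httpd restart; else service apache2 restart; fi
fi
```

Sourcing the file without the "rotate" argument only defines the functions, so each step can be run by hand; the sed rewrite only touches directives that are active (not commented out), so check the .bak copy against the new file before restarting Apache.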
If you’re not clear on some of these details or need additional help, please contact us here with a description of the type of help you need: http://www.severalnines.com