HeartBleed security exploit: Am I affected?

riahc3

I'm looking at my servers and I have an OpenVPN server and several clients. From what I see, the server is running

OpenSSL 1.0.1 14 Mar 2012,
built on: Fri May 2 20:23:06 2014.

I generated certificates off this server. One of my Windows clients was outdated and I updated the .sys to the new version.

I want to make sure that my server isn't outdated and I shouldn't update the server and, worst, generate new certificates for the server and the clients.

How do I check what version of OpenSSL was used to generate the certificates? My server autoupdates so the version it is currently using is very up to date.
 

seepy83

There is an OpenVPN wiki article that should tell you everything you need to know:
https://community.openvpn.net/openvpn/wiki/heartbleed

Based on the build and date that you provided in your post, I would say that yes, your current installation is vulnerable to Heartbleed. You need to get to OpenSSL 1.0.1g, released in Apr 2014.
 

smakme7757

The build number might be vulnerable, but if the build date is after April 2014 then it's not affected.
 

riahc3

The problem is that I don't know what version of OpenSSL I used to generate certificates.
 

KillerBee

The certificates themselves aren't vulnerable no matter what version of SSL was used to create them. It's a matter of whether or not your server was ever running a vulnerable version of OpenSSL.

If you have been regularly updating the OpenSSL software running on a server, you have to assume at one time it was running OpenSSL versions 1.0.1 through 1.0.1f or beta 1.02.

So you also assume someone compromised it to obtain passwords or some other encrypted data - maybe the keys themselves - at some point. This is why you need to change passwords and also revoke the old keys and create new ones.
 
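The version string and build date discussed in this thread can be checked together from `openssl version -a` output. The script below is an added example, not part of any post: the function name, verdict labels and the sample's `platform:` line are assumptions, and the cutoff is the upstream 1.0.1g release date of 7 April 2014. A late build date only suggests a distribution-patched build, so that case is reported as `check-backport` rather than as safe.

```shell
#!/bin/sh
# Added example (not from the thread): classify `openssl version -a` text.
# Verdicts: not-affected | vulnerable | check-backport

FIX_DATE=20140407   # upstream 1.0.1g release, as YYYYMMDD

heartbleed_verdict() (
    text=$(cat)
    # Header line looks like: "OpenSSL 1.0.1 14 Mar 2012"
    ver=$(printf '%s\n' "$text" | awk '/^OpenSSL /{print $2; exit}')
    ver=${ver%-fips}    # some builds report e.g. 1.0.1e-fips
    built=$(printf '%s\n' "$text" | sed -n 's/^built on: *//p')
    # Turn e.g. "Fri May 2 20:23:06 2014" into 20140502
    stamp=$(printf '%s\n' "$built" | awk '{
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
        for (i = 1; i <= NF; i++) {
            if ($i in mon) { mo = mon[$i]; d = $(i + 1) }
            if ($i ~ /^(19|20)[0-9][0-9]$/) y = $i
        }
        if (y && mo && d) printf "%04d%02d%02d", y, mo, d
    }')

    # Affected upstream versions: 1.0.1 through 1.0.1f, plus 1.0.2-beta1
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) in_range=yes ;;
        *) in_range=no ;;
    esac

    if [ "$in_range" = no ]; then
        echo not-affected
    elif printf '%s\n' "$text" | grep -q -e '-DOPENSSL_NO_HEARTBEATS'; then
        echo not-affected      # heartbeat extension compiled out
    elif [ -n "$stamp" ] && [ "$stamp" -ge "$FIX_DATE" ]; then
        echo check-backport    # built after the fix: confirm in package changelog
    else
        echo vulnerable        # affected version, old or unknown build date
    fi
)

# Constructed sample using the version and build lines quoted in the thread.
SAMPLE_THREAD='OpenSSL 1.0.1 14 Mar 2012
built on: Fri May 2 20:23:06 2014
platform: debian-amd64'

printf '%s\n' "$SAMPLE_THREAD" | heartbleed_verdict
```

On a live host, pipe the real output in with `openssl version -a | heartbleed_verdict`. The verdict describes only the currently installed library, not whether a vulnerable build ran earlier.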