The heartbleed vulnerability

What is heartbleed ?

Heartbleed is the name given to a critical vulnerability in the OpenSSL library. The official designation of this bug is CVE-2014-0160. Theoretically this vulnerability could be use by an attacker to gain access to data transmitted between clients and server, by random chunk of 64ko. Retrieved content could be pretty much anything: session content, password, even the server private key.

How did this happen ?

The vulnerability is due to a missing validation on a variable size. The bug was introduced into OpenSSL 1.0.1 and fixed into version 1.0.1g.

How does it work ?

The following XKCD comic does a pretty good job at explaining the issue in simple terms.

To test if your server is vulnerable

Use this:

What to do ?

First don’t panic and make security updates. Check you have an OpenSSL version 1.0.1g or higher. Because of the buzz around the vulnerability most SSL providers offer free certificate regeneration. Jump on the offer, regenerate your server private key and CSR.

Further Reading and sources

TCP/IP tuning for scalability

Increase max files limits

Sockets *are* files, so in order to improve TCP scalability the first step is to verify you have enough file descriptors available. You can check the current values with the ulimit -a command. If needed increase them.

Increase port range

By default ports between 32768 and 61000 are kept for ‘ephemeral’ usage. That plenty for clients, but could be too tight for busy web servers.

You can increase the port range like this:

# sysctl -w net.ipv4.ip_local_port_range="12800 65535"

Don’t forget to add your setting inside the /etc/sysctl.conf file.

Enable TCP reuse

The TCP_TW_REUSE flag allow the kernel to reuse TCP connection in TIME_WAIT state for a new outgoing connection if the new timestamp is strictly bigger than the most recent timestamp recorded for the previous connection.

This optimization is pretty great for web server that deal with many short TCP connections. You can enable it like this:

# sysctl -w net.ipv4.tcp_tw_reuse=1

Don’t forget to add your setting inside the /etc/sysctl.conf file.

There is also another parameter, called net.ipv4.tcp_tw_recycle. Do NOT enable it !

Fast-recycling of every TIME-WAIT sockets sound like a good idea but this option will cause problems with NAT clients. For more information on the subject, check this excellent article.