Upgrading OpenSSL on Ubuntu 10.04LTS

In my post “Best nginx configuration for security” I told you that you need to upgrade to OpenSSL 1.0.1g at least. But a lot of Linux distros don’t support OpenSSL newer than 0.9.8 (including Ubuntu 10.04 LTS, which I was using) out of the box. So, what’s the solution? One way is to compile from source, which can be tricky. Another is doing a dist-upgrade. The latter was my choice.

  1. First, you need to install update-manager-core if it is not already installed:
    apt-get install update-manager-core
  2. If and only if upgrading from an LTS release, then edit /etc/update-manager/release-upgrades and set Prompt=lts
  3. Launch the upgrade tool and follow on-screen instructions. The command is:

After quite some time and a lot of confirmations, you will need to reboot and when it reboots it will be Ubuntu 12 LTS, which is awesome.

CVE-2014-0160 Heartbleed

Today, CVE-2014-0160 was (not responsibly, in my opinion) disclosed. It’s better known as Heartbleed. It’s basically a huge bug in OpenSSL that allows the following:

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

To update, you can use:

sudo apt-get update && sudo apt-get install --only-upgrade openssl

After applying the update, restart your server (easier than restarting every service that uses OpenSSL). You can check using:

openssl version -a

It should display “built on: Mon Apr 7” (Ubuntu has a bug that removes some version information from the openssl CLI, so the build date is what tells you the fix is in). You can also use this site to check if you’re vulnerable to Heartbleed:

After applying the fix, you should reissue your SSL certificates, since they could already be compromised. For more information on how to configure nginx for proper security, check out our post “Best nginx configuration for security”.

Best nginx configuration for security

TL;DR: use this config and be sure that you’re using OpenSSL >= v1.0.1g and nginx >= 1.3.7 (but I recommend >= 1.4.2).

I’ve spent a lot of time making this config work, because there are a few gotchas; knowing them can save some of your time (and grey hair). It’s the configuration that we’re using in our project, Forgott.

Today the state of SSL isn’t exactly awesome: we have BEAST, BREACH, CRIME, Lucky 13 and, the worst of all, Heartbleed. We also want to address things like Forward Secrecy and Secure Renegotiation.

Before I show you our config, I need to explain a few things (basically, the gotchas): nginx alone doesn’t provide SSL support. It uses OpenSSL behind the scenes to make SSL work. But, since we want to enable TLS v1.1 and TLS v1.2, we need to have OpenSSL v1.0.1g (at least, since this is the version that fixes Heartbleed). If you’re running an older version of Ubuntu, you probably want to upgrade, since older versions don’t support newer versions of OpenSSL (you can check how to upgrade older versions of Ubuntu here).

If you just need to upgrade OpenSSL, you can do it by running:

sudo apt-get update && sudo apt-get install --only-upgrade openssl

You can check your OpenSSL version by running:

root@localhost:~# openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr  7 20:31:55 UTC 2014

Ubuntu’s openssl doesn’t display full version info, so you need to check the date of the build (really).
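Because the version string alone is not enough on Ubuntu, here is a small check that applies the rule from this post and from the Heartbleed post above: it reads the output of `openssl version -a`, treats upstream 1.0.1 through 1.0.1f (and 1.0.2-beta1) as affected, and for a bare “1.0.1” falls back to the “built on:” date, requiring the 7 Apr 2014 rebuild. This is an added example, not code from the original post; the function name `heartbleed_status` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): classify `openssl version -a`
# output for CVE-2014-0160 and print one of: vulnerable, patched, unaffected,
# unknown. Upstream 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; Ubuntu
# strips the patch letter, so for a bare "1.0.1" only the "built on:" date
# tells whether the 7 Apr 2014 rebuild carrying the fix is installed.
heartbleed_status() {
  out=$1
  version=$(printf '%s\n' "$out" | awk 'NR == 1 && $1 == "OpenSSL" { print $2 }')
  case "$version" in
    1.0.1[a-f]|1.0.2-beta1) echo vulnerable; return 0 ;;   # affected upstream releases
    1.0.1[g-z]*|1.0.2*)     echo patched;    return 0 ;;   # 1.0.1g / 1.0.2-beta2 carry the fix
    1.0.1)                  ;;                             # distro build: decide by build date
    '')                     echo unknown;    return 0 ;;   # not an `openssl version -a` transcript
    *)                      echo unaffected; return 0 ;;   # 0.9.8, 1.0.0, ... never had the bug
  esac
  # Turn "built on: Mon Apr  7 20:31:55 UTC 2014" into the sortable number 20140407.
  stamp=$(printf '%s\n' "$out" | awk '
    /^built on:/ {
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
      for (i = 1; i <= 12; i++) if (m[i] == $4) mon = i
      if (mon && $8 ~ /^[0-9][0-9][0-9][0-9]$/) printf "%04d%02d%02d\n", $8, mon, $5
    }')
  if [ -z "$stamp" ]; then
    echo unknown              # no parsable build date: do not guess
  elif [ "$stamp" -lt 20140407 ]; then
    echo vulnerable           # built before the fix landed
  else
    echo patched
  fi
}

# Stand-alone usage: check the OpenSSL installed on this machine, if any.
if command -v openssl >/dev/null 2>&1; then
  heartbleed_status "$(openssl version -a)"
fi
```

The date check only works for the Ubuntu packaging described here; for other distributions compare the package changelog instead, since a vendor may backport the fix without bumping the upstream version letter. Remember the earlier point as well: a patched library only takes effect in processes started after the update, which is why the post recommends a reboot.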

Here comes the second gotcha (the one that took me the most time): after updating OpenSSL to v1.0.1g, enabling TLS v1.1 and v1.2 still wasn’t working, and worse, even when I enabled a lot of cipher suites, only a very small set of them appeared in SSL Labs’s SSL Server Test.

So you will (probably) need to re-install nginx, even if you were using the latest version. I recommend using the official repository, which you can do by adding these two lines to the end of the file /etc/apt/sources.list and saving (I’m using precise because I’m on Ubuntu 12 LTS):

deb precise nginx
deb-src precise nginx

Then run:

apt-get install nginx

After that, we’re finally able to configure nginx. Here’s the config I’m using (don’t forget to reload/restart nginx after a config change):

Here’s our current score at the SSL Labs test:

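Before reaching for SSL Labs you can verify the two gotchas above locally, protocol version by protocol version: whether TLS 1.1 and 1.2 are actually negotiated, which cipher suite was picked, whether it gives forward secrecy (DHE/ECDHE), and whether secure renegotiation is on. This is an added example, not the post’s config or score; `summarise_s_client`, `tls_probe` and `tls_probe_all` are hypothetical names, and the `-tls1`, `-tls1_1`, `-tls1_2` and `-servername` flags are the real OpenSSL 1.0.1 s_client options.

```shell
#!/bin/sh
# Added example (not from the original post): probe a server with
# `openssl s_client` one protocol version at a time and summarise what was
# negotiated. -tls1/-tls1_1/-tls1_2 exist in OpenSSL 1.0.1's s_client and
# -servername sends SNI so name-based virtual hosts answer for the right site.

# Pure parser: reads an s_client transcript on stdin and prints either
# "handshake-failed" or "<protocol> <cipher> <forward-secrecy> <renegotiation>".
summarise_s_client() {
  awk '
    /^ *Protocol *:/ { proto = $NF }      # from the SSL-Session block
    /^ *Cipher *:/   { cipher = $NF }     # "0000" means no cipher was agreed
    /Secure Renegotiation IS supported/     { reneg = "secure-reneg" }
    /Secure Renegotiation IS NOT supported/ { reneg = "insecure-reneg" }
    END {
      if (cipher == "" || cipher == "0000") { print "handshake-failed"; exit }
      # Only ephemeral (EC)DH key exchange gives forward secrecy.
      fs = (cipher ~ /^(ECDHE|DHE)-/) ? "forward-secret" : "no-forward-secrecy"
      if (reneg == "") reneg = "reneg-unknown"
      print proto, cipher, fs, reneg
    }'
}

# Network wrapper: tls_probe host [port] [tls1|tls1_1|tls1_2]
tls_probe() {
  host=$1; port=${2:-443}; proto=${3:-tls1_2}
  openssl s_client -connect "$host:$port" -servername "$host" "-$proto" </dev/null 2>/dev/null \
    | summarise_s_client
}

# Walk all three protocol versions for one host, one summary line each.
tls_probe_all() {
  for p in tls1 tls1_1 tls1_2; do
    printf '%s: %s\n' "$p" "$(tls_probe "$1" "${2:-443}" "$p")"
  done
}
```

Run `tls_probe_all your.host` against a freshly configured server: if `tls1_1` and `tls1_2` report `handshake-failed` while `tls1` succeeds, nginx is still linked against an OpenSSL without TLS 1.1/1.2 support, which is exactly the symptom that the nginx re-install fixes. A `no-forward-secrecy` cipher on the `tls1_2` line means the cipher list or DH/ECDH parameters need attention before the SSL Labs score will improve.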

Upgrading PostgreSQL 9.2 to 9.3

I have been using PostgreSQL for a few years, but every now and then, when I need to upgrade my local installation, I run into trouble. This is the step by step that I’ve used to upgrade my (homebrew) installation.

launchctl unload ~/Library/LaunchAgents/homebrew.mxcl.postgresql.plist
brew update
brew upgrade postgresql
initdb /usr/local/var/postgres93 -E utf8
pg_upgrade -d /usr/local/var/postgres -D /usr/local/var/postgres93 -b /usr/local/Cellar/postgresql/9.2.4/bin/ -B /usr/local/Cellar/postgresql/9.3.0/bin/
cd /usr/local/var
mv postgres postgres_old
mv postgres93 postgres
launchctl load -w ~/Library/LaunchAgents/homebrew.mxcl.postgresql.plist

Now we’re almost done. You can test if everything went well by running:

psql postgres -c "select version()"

Here you should see something like:

PostgreSQL 9.3.0 on x86_64-apple-darwin12.5.0, compiled by Apple LLVM version 4.2 (clang-425.0.28) (based on LLVM 3.2svn), 64-bit
(1 row)

To remove PostgreSQL 9.2 and the old data, you can run:

brew cleanup postgresql
rm -rf /usr/local/var/postgres_old

If you use the Ruby pg gem, you should re-compile it by running:

gem uninstall pg -a
ARCHFLAGS="-arch x86_64" gem install pg

That’s it.

In other news, they also released pgAdmin v1.18.0.