NetID Login Service - Identifying whether your Shibboleth SP was vulnerable to OpenSSL bug

This document helps application developers and web server administrators identify whether or not the OpenSSL Heartbleed bug applies to their Shibboleth Service Provider.

If the Shibboleth SP was vulnerable, this document provides the initial steps for generating a new Shibboleth keypair to use in place of the potentially compromised one. Once the instructions below are completed and help@login.wisc.edu is contacted, subsequent instructions are provided over email.

This document does not cover the web server's own TLS certificate and key, which may also need replacing; it covers only the Shibboleth SP keypair (sp-key.pem / sp-cert.pem) that shibd loads into memory.

For the full Shibboleth security advisory on the Heartbleed bug, see http://shibboleth.net/community/advisories/secadv_20140409.txt

Linux/Unix Servers

Are you affected?

On Linux/Unix, shibd links against the OpenSSL library installed on your server unless a separate OpenSSL was specified at Shibboleth build time (which is very rare).  Therefore, if your server's OpenSSL is vulnerable, your Shibboleth installation is vulnerable also, and the SP private key that shibd holds in memory should be treated as potentially compromised.

Steps to take

The steps below enable a key rollover method of replacing the current keypair, in which both the old and the new key will be valid for a time on the login server, allowing you to test on your own schedule and with minimal risk of an outage.

  1. Patch your server to remove the vulnerability (refer to the procedures for your server), then restart shibd and the web server.  A running process keeps the old library mapped until it is restarted, so updating the package alone does not close the hole.
  2. Save copies of your current keypair in case they are overwritten.  The files are /etc/shibboleth/sp-key.pem and /etc/shibboleth/sp-cert.pem.
  3. Generate a new Shibboleth keypair...
    • non-Ubuntu/Debian servers: Generate a new Shibboleth keypair using the shibboleth key generation script and redirect the output to your home directory:
      /etc/shibboleth/keygen.sh -o ~

      This will output a new keypair named sp-key.pem and sp-cert.pem to your home directory.  You can then rename the files new-key.pem and new-cert.pem or whatever you prefer, and copy them to /etc/shibboleth.
    • Ubuntu/Debian Linux servers: Generate a new Shibboleth keypair using the shib-keygen native command.
      This will overwrite your current keypair named sp-key.pem and sp-cert.pem.  You'll then have to rename the files to new-cert.pem and new-key.pem, and copy the old keypair back into /etc/shibboleth so that the old pair is restored.
  4. Make sure that the new key and certificate files in /etc/shibboleth are owned by the Shibboleth user (the same user that owns all other files in /etc/shibboleth).
  5. Follow step one of these instructions for editing your shibboleth2.xml to add the new keypair information to your Shibboleth SP: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMultipleCredentials#NativeSPMultipleCredentials-KeyRollover
    After this step the CredentialResolver section of your shibboleth2.xml should have the use="encryption" property in the element for the new keypair.  Limiting the new credential to encryption (that is, decryption at the SP) lets the SP accept assertions encrypted to either certificate while it continues to sign with the old key, so nothing breaks before the login service has registered the new certificate.  For example:
    <CredentialResolver type="Chaining">
         <CredentialResolver type="File" key="new-key.pem" certificate="new-cert.pem" use="encryption"/>
         <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
    </CredentialResolver>
  6. Send both your new certificate (new-cert.pem) and the entityIDs of all Shibboleth SPs related to that certificate to help@login.wisc.edu.  The NetID Login Service will add your new certificate and respond with further instructions.
    Do NOT send your private key file (new-key.pem).  It should remain on your application server and not be exposed on the internet.
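The following script is an added example, not part of the NetID Login Service page or of the Shibboleth project, covering the "Are you affected?" check and steps 2 through 4 above for Linux/Unix.  It assumes the OpenSSL command-line tool is on the PATH, that the SP configuration lives in /etc/shibboleth (override with SHIB_DIR), and that keys are RSA as keygen.sh produces.  The keypair generation is a simplified equivalent of keygen.sh written directly against openssl; it writes to a staging directory under names new-key.pem / new-cert.pem so the live sp-*.pem files are never overwritten, then verifies that the key and certificate actually belong together before anything is installed.

```shell
#!/bin/sh
# Added example for the Linux key-rollover procedure (not the page's or the
# Shibboleth project's own code). Assumptions: openssl on PATH, SP config in
# /etc/shibboleth unless SHIB_DIR is set, RSA keys as keygen.sh produces.
set -eu

SHIB_DIR="${SHIB_DIR:-/etc/shibboleth}"

# "Are you affected?": given the output of `openssl version`, return 0 when the
# upstream version string is one Heartbleed affected (1.0.1 through 1.0.1f and
# 1.0.2-beta1). Distributions backported the fix without changing the string
# (RHEL and Ubuntu both kept 1.0.1e), so 0 means "check your package changelog",
# not "confirmed vulnerable"; 1 means the string is outside the affected range.
heartbleed_version_suspect() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 3: generate the replacement pair into staging directory $1 for SP host $2.
# 2048-bit RSA, self-signed, 10 years, as keygen.sh does. umask 077 keeps the
# private key from ever being world-readable, even briefly.
gen_new_keypair() {
    dir="$1"
    host="$2"
    mkdir -p "$dir"
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$host" -keyout "$dir/new-key.pem" -out "$dir/new-cert.pem" \
        >/dev/null 2>&1 )
    chmod 644 "$dir/new-cert.pem"
}

# Sanity check before touching shibboleth2.xml: the certificate must carry the
# public half of the private key. Both files are reduced to the same
# SubjectPublicKeyInfo PEM and compared; any unreadable file fails the check.
keypair_matches() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Step 4: copy the staged pair into place owned by the same user as the existing
# sp-key.pem (the Shibboleth user), key readable only by that user.
install_new_keypair() {
    staging="$1"
    owner=$(ls -ld "$SHIB_DIR/sp-key.pem" | awk '{print $3}')
    cp "$staging/new-key.pem" "$staging/new-cert.pem" "$SHIB_DIR/"
    chown "$owner" "$SHIB_DIR/new-key.pem" "$SHIB_DIR/new-cert.pem"
    chmod 600 "$SHIB_DIR/new-key.pem"
    chmod 644 "$SHIB_DIR/new-cert.pem"
}

# Usage: sh shib-rollover.sh sp.example.edu   (run as root on the SP host).
# With no argument the functions are only defined, so the file can be sourced.
if [ $# -eq 1 ]; then
    if heartbleed_version_suspect "$(openssl version)"; then
        echo "openssl version string is in the Heartbleed range; confirm the" \
             "backported fix in your package changelog before trusting it."
    fi
    STAGE=$(mktemp -d)
    gen_new_keypair "$STAGE" "$1"
    if ! keypair_matches "$STAGE/new-key.pem" "$STAGE/new-cert.pem"; then
        echo "generated key and certificate do not match; aborting" >&2
        exit 1
    fi
    install_new_keypair "$STAGE"
    rm -rf "$STAGE"
    echo "new-key.pem and new-cert.pem installed in $SHIB_DIR."
    echo "Next: add them to CredentialResolver with use=\"encryption\", then send" \
         "new-cert.pem (never new-key.pem) to help@login.wisc.edu."
fi
```

The script stops short of editing shibboleth2.xml and of the final e-mail step on purpose: those are the two places where a mistake is costly, and the page's instructions for them are already precise.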

Windows Servers

Are you affected?

The Windows installers bundle their own copy of OpenSSL, so exposure is determined by the Shibboleth SP version rather than by the server.  If you have ever run Shibboleth SP version 2.5 or higher on your server, you may have been vulnerable to this OpenSSL bug and need to take action.

If you are running Shibboleth SP 2.4.3, you are not vulnerable and do not need to take action.  If you are running a Shibboleth SP with a pre-2.4.3 version, you are open to other security vulnerabilities and should contact help@login.wisc.edu for assistance with upgrading.

Steps to take

The steps below enable a key rollover method of replacing the current keypair, in which both the old and the new key will be valid for a time on the login server, allowing you to test on your own schedule and with minimal risk of an outage.

  1. Upgrade your Shibboleth SP to 2.5.3, which corrects the vulnerability.  Shibboleth upgrades since version 2.5 can be done by simply downloading and running the installer for the current version.  No other steps are needed (though backing up configuration files in C:\opt\shibboleth-sp\etc\shibboleth is always recommended as a precaution).  Here are the installers:
    -For a 64-bit server:  http://shibboleth.net/downloads/service-provider/2.5.3/win64/
    -For a 32-bit server:  http://shibboleth.net/downloads/service-provider/2.5.3/win32/
  2. Save copies of your current keypair since they will be temporarily overwritten.  The files are C:\opt\shibboleth-sp\etc\shibboleth\sp-key.pem and C:\opt\shibboleth-sp\etc\shibboleth\sp-cert.pem.
  3. Generate a new Shibboleth keypair by double-clicking the following batch file:
    C:\opt\shibboleth-sp\etc\shibboleth\keygen.bat
    This will overwrite your current keypair named sp-key.pem and sp-cert.pem.  You'll then have to rename the files to new-cert.pem and new-key.pem, and copy the old keypair back into C:\opt\shibboleth-sp\etc\shibboleth so that the old pair is restored.
  4. Follow step one of these instructions for editing your shibboleth2.xml to add the new keypair information to your Shibboleth SP: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMultipleCredentials#NativeSPMultipleCredentials-KeyRollover
    After this step the CredentialResolver section of your shibboleth2.xml should have the use="encryption" property in the element for the new keypair.  Limiting the new credential to encryption (that is, decryption at the SP) lets the SP accept assertions encrypted to either certificate while it continues to sign with the old key, so nothing breaks before the login service has registered the new certificate.  For example:
    <CredentialResolver type="Chaining">
         <CredentialResolver type="File" key="new-key.pem" certificate="new-cert.pem" use="encryption"/>
         <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
    </CredentialResolver>
  5. Send both your new certificate (new-cert.pem) and the entityIDs of all Shibboleth SPs related to that certificate to help@login.wisc.edu.  The NetID Login Service will add your new certificate and respond with further instructions.
    Do NOT send your private key file (new-key.pem).  It should remain on your application server and not be exposed on the internet.