
Addressing Heartbleed security issue with MIVA


  • Rick Wilson
    replied
    Re: Addressing Heartbleed security issue with MIVA

    BTW, here's a tutorial on how to get customers to force a PW change:

    https://support.mivamerchant.com/sup...count-password



  • wsmith
    replied
    Re: Addressing Heartbleed security issue with MIVA

    skepticwebguy,

    I'm not on one of the compromised versions, and not hosted with Miva. Will the upgrade affect anything in my mivavm.conf file? I assume that the certs for Empresa 5.19 will need to be updated?
    If upgrading from OpenSSL v0.9, you will need to modify the mivavm.conf to point to the OpenSSL v1 cert files.


    Example entry for the mivavm.conf:
    If currently set to:
    cadir=/path/to/mivavm-v5.19/certs/openssl-0.9


    change to:
    cadir=/path/to/mivavm-v5.19/certs/openssl-1.0




    You will also want to confirm that the paths to the new OpenSSL files (also configured within the mivavm.conf) are correct as well.


    Example:
    openssl=/path/to/libssl.so
    openssl_crypto=/path/to/libcrypto.so


    Contact Miva Support if you run into any other questions or issues.


    Thank you,

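The mivavm.conf checks from the reply above, written out as a script. This is an added example, not part of the thread or Miva's tooling: the function names and the sample tree built by `make_sample` are constructed for illustration, and the range it flags (OpenSSL 1.0.1 through 1.0.1f) is the publicly documented Heartbleed range, which the thread itself does not list.

```sh
#!/bin/sh
# Added example: audit the cadir/openssl/openssl_crypto entries in mivavm.conf.
# conf_get FILE KEY: print the value of the last "KEY=value" line.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# lib_version FILE: print the first OpenSSL version string embedded in FILE.
lib_version() {
    grep -a -o 'OpenSSL [0-9][0-9.]*[a-z]*' "$1" | head -n 1 | cut -d' ' -f2
}

# heartbleed_status VERSION: upstream releases 1.0.1 through 1.0.1f carry the bug.
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]) echo vulnerable ;;
        *) echo ok ;;
    esac
}

# check_conf FILE: print one finding per line; return 0 only if there are none.
check_conf() {
    rc=0
    cadir=$(conf_get "$1" cadir)
    case "$cadir" in
        *openssl-0.9*) echo "cadir still uses the OpenSSL 0.9 certs: $cadir"; rc=1 ;;
    esac
    [ -d "$cadir" ] || { echo "cadir is not a directory: $cadir"; rc=1; }
    for key in openssl openssl_crypto; do
        lib=$(conf_get "$1" "$key")
        if [ ! -r "$lib" ]; then
            echo "$key is missing or unreadable: $lib"; rc=1
        elif [ "$(heartbleed_status "$(lib_version "$lib")")" = vulnerable ]; then
            echo "$key reports a Heartbleed-affected release: $(lib_version "$lib")"; rc=1
        fi
    done
    return $rc
}

# make_sample DIR: constructed test tree (fake library files, not real OpenSSL).
make_sample() {
    mkdir -p "$1/certs/openssl-0.9" "$1/certs/openssl-1.0"
    printf 'OpenSSL 1.0.1f 6 Jan 2014\n' > "$1/libssl.so"
    printf 'OpenSSL 1.0.1g 7 Apr 2014\n' > "$1/libcrypto.so"
    printf 'cadir=%s\nopenssl=%s\nopenssl_crypto=%s\n' \
        "$1/certs/openssl-0.9" "$1/libssl.so" "$1/libcrypto.so" > "$1/mivavm.conf"
}

if [ $# -gt 0 ]; then check_conf "$1"; fi
```

A version string only identifies the upstream release; distributions that backport the fix keep the old string, so confirm a flagged library against the vendor's package changelog.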


  • skepticwebguy
    replied
    Re: Addressing Heartbleed security issue with MIVA

    I'm not on one of the compromised versions, and not hosted with Miva. Will the upgrade affect anything in my mivavm.conf file? I assume that the certs for Empresa 5.19 will need to be updated?
    Last edited by skepticwebguy; 04-15-14, 10:01 AM.



  • Rick Wilson
    replied
    Re: Addressing Heartbleed security issue with MIVA

    Yes, we recommend upgrading to the latest OpenSSL. If you're on one of the compromised versions it's more than a recommendation.

    If you're hosted with us, we've already upgraded it for you.



  • skepticwebguy
    replied
    Re: Addressing Heartbleed security issue with MIVA

    Does Miva recommend upgrading our servers to OpenSSL 1.0.1? I'm running Miva Merchant Engine 5.19, with Miva Merchant 5.5.



  • PCINET - Andreas
    replied
    Re: Addressing Heartbleed security issue with MIVA

    Sorry, meant vulnerable!



  • Rick Wilson
    replied
    Re: Addressing Heartbleed security issue with MIVA

    This wasn't an infection-type scenario. Our servers were vulnerable for a small window and we patched them within minutes of the patch being released the other night.

    We're working on both a tool to assist in this process (customer account password resets) and a blog post on recommended actions.



  • PCINET - Andreas
    replied
    Re: Addressing Heartbleed security issue with MIVA

    Now that the cat is out of the bag (heart bleed) and ecommerce customers know about it, shouldn't store owners assure them that their site isn't affected and at the same time ask to change the password - just to be sure? Without doing this, sales could drop significantly.

    BTW I hope Miva's (Hostasaurus') servers are not infected ;-)
    Last edited by PCINET - Andreas; 04-10-14, 08:03 AM.



  • Bruce - PhosphorMedia
    replied
    Re: Addressing Heartbleed security issue with MIVA

    Personally, I wouldn't "force" users. I'd strongly encourage them. All that is needed for that is messaging on the Login screen.



  • Rick Wilson
    replied
    Re: Addressing Heartbleed security issue with MIVA

    We have the customer account reset on the Admin side (of course). I don't think it's ever come up on the Shoppers Side before. I'll ask Dev tomorrow about that process.



  • findme
    started a topic Addressing Heartbleed security issue with MIVA

    Addressing Heartbleed security issue with MIVA

    The Heartbleed OpenSSL security issue reveals that MIVA Merchant lacks some tools that online merchants could use.

    I'm investigating how to force customers to do a password reset on their next MIVA login. How do I do this with MIVA 5.5? (PR8.12)

    The customer settings should include a "force password reset" as an option (both individually and globally).

    Can anyone suggest a solution?