On 08 Apr 2014, at 10:54, John Breen <jbr...@isc.upenn.edu> wrote:
> As folks are working on mitigating the heartbleed bug, I wanted to 
> inquire about the exposure on the service provider side of things. Once 
> the cosignd side of things is mitigated as necessary, what does the 
> service provider side of the problem look like?
> 
> I expect the cosign service private key could potentially be exposed on 
> affected systems. Is that accurate? If that is the case, I expect 
> re-issuing the service certificates (after updating openssl) is the 
> correct action.

Both the client and server in the SSL protected session are vulnerable to 
heartbleed; however, for the client side, the leak is only to the (possibly 
compromised) server. Many people use their HTTP certificates as client 
certificates for mod_cosign, though. Those would be easily obtainable from the 
HTTP server running at the service provider.

:wes
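The reply above boils down to two checks a service-provider admin would want to automate: is the local OpenSSL one of the Heartbleed-affected releases, and is the HTTPS server certificate also being used as the mod_cosign client certificate (in which case a leak of the server key also exposes the cosign client identity). The script below is an added example, not code from the thread or from the cosign project; the version strings and the PEM blocks it compares are constructed placeholders, and the `remediation_plan` helper and its messages are this example's own.

```python
"""Added example (not from the Cosign-discuss thread, not cosign project code).

1. Parse `openssl version` output and flag the Heartbleed-affected releases
   (OpenSSL 1.0.1 through 1.0.1f; 1.0.1g and later are fixed).
2. Compare certificate fingerprints to tell whether the HTTPS server cert is
   reused as the mod_cosign client cert. If it is, a server-side Heartbleed
   leak of that key also compromises the cosign client identity.

All sample inputs below are constructed for illustration.
"""
import base64
import hashlib
import re

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def is_heartbleed_vulnerable(version_string):
    """True for upstream OpenSSL 1.0.1 .. 1.0.1f.

    Caveat: distributions that backported the fix keep reporting e.g. 1.0.1e,
    so treat this as a first pass and confirm via the package changelog.
    1.0.2 betas are not modelled here."""
    m = VERSION_RE.search(version_string)
    if not m:
        raise ValueError("unrecognised OpenSSL version string")
    major, minor, patch, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    if (major, minor, patch) != (1, 0, 1):
        return False  # 0.9.8 and 1.0.0 never carried the TLS heartbeat code
    return letter < "g"  # "" (plain 1.0.1) < "a" < ... < "f" < "g"


def cert_fingerprint(pem_text):
    """SHA-256 over the DER bytes of the first CERTIFICATE block in the PEM."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m[1].split()))
    return hashlib.sha256(der).hexdigest()


def shared_certificate(https_pem, cosign_client_pem):
    """True when the HTTPS server cert and the cosign client cert are the same."""
    return cert_fingerprint(https_pem) == cert_fingerprint(cosign_client_pem)


def remediation_plan(version_string, https_pem, cosign_client_pem):
    """List the re-issuance steps implied by the thread for this host."""
    actions = []
    if not is_heartbleed_vulnerable(version_string):
        return actions
    actions.append("upgrade OpenSSL to 1.0.1g or a distribution build with the fix")
    actions.append("re-issue the HTTPS server certificate and key")
    if shared_certificate(https_pem, cosign_client_pem):
        actions.append("HTTPS cert is reused for mod_cosign: re-issue the cosign client certificate too")
    else:
        actions.append("dedicated cosign client cert: its key was exposed only to the cosign server side")
    return actions


def _fake_pem(payload):
    # Constructed placeholder: a PEM-shaped wrapper around arbitrary bytes,
    # not a real X.509 certificate; enough for fingerprint comparison.
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


HTTPS_CERT = _fake_pem(b"constructed placeholder: https server cert")
COSIGN_CLIENT_CERT_SAME = HTTPS_CERT
COSIGN_CLIENT_CERT_SEPARATE = _fake_pem(b"constructed placeholder: dedicated cosign client cert")

if __name__ == "__main__":
    # Constructed version strings, e.g. what `openssl version` prints.
    for ver in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"):
        for plan in (remediation_plan(ver, HTTPS_CERT, COSIGN_CLIENT_CERT_SAME),
                     remediation_plan(ver, HTTPS_CERT, COSIGN_CLIENT_CERT_SEPARATE)):
            print(ver, "->", plan or ["no Heartbleed action needed"])
```

In practice the two PEM inputs would be read from the Apache `SSLCertificateFile` and whichever file mod_cosign is configured to present as its client certificate; the fingerprint comparison is what tells you whether one re-issuance covers both roles or two are needed.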
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss