[lfs-support] OpenSSL Heartbleed-bug

2014-04-15 Thread loki
Hey all,

unfortunately you can't find much Heartbleed bug info on the net for
administrators. So I will try my luck here.

I have some https websites and an OpenVPN server. My questions are:

1.) Is it enough for me to recompile only OpenSSL or do I have to
recompile OpenSSH, apache, OpenVPN?
2.) Do I have to recreate the self-signed certs for WWW even if I don't
use any passwords for the private key? (After I update OpenSSL)
3.) Do I have to recreate the keys used for the users of OpenVPN? (After
I update OpenSSL)

Thanks in advance,
L
-- 
http://linuxfromscratch.org/mailman/listinfo/lfs-support
FAQ: http://www.linuxfromscratch.org/lfs/faq.html
Unsubscribe: See the above information page


Re: [lfs-support] OpenSSL Heartbleed-bug

2014-04-15 Thread Fernando de Oliveira
On 15-04-2014 14:06, loki wrote:
> Hey all,
>
> unfortunately you can't find much Heartbleed bug info on the net for
> administrators. So I will try my luck here.
>
> I have some https websites and an OpenVPN server. My questions are:
>
> 1.) Is it enough for me to recompile only OpenSSL or do I have to
> recompile OpenSSH, apache, OpenVPN?
> 2.) Do I have to recreate the self-signed certs for WWW even if I don't
> use any passwords for the private key? (After I update OpenSSL)
> 3.) Do I have to recreate the keys used for the users of OpenVPN? (After
> I update OpenSSL)
>
> Thanks in advance,
> L

Not sure, but one site seemed good for me:

http://heartbleed.com/

IIRC, they discuss that you need to recreate.

-- 
[]s,
Fernando


Re: [lfs-support] OpenSSL Heartbleed-bug

2014-04-15 Thread Aleksandar Kuktin
On Tue, 15 Apr 2014 19:06:14 +0200
loki l...@pancevo.rs wrote:

> 1.) Is it enough for me to recompile only OpenSSL or do I have to
> recompile OpenSSH, apache, OpenVPN?

I have not yet looked at the patch that fixes CVE-2014-0160, but I
imagine that you do not need to recompile anything that dynamically
links to OpenSSL. Anything that links statically should be recompiled.

How to tell? Well, you compiled it, you ought to know what went into
it. :) In principle, you can run ldd on the executable in question and
see if /whatever/libssl.so.* comes up in the list. If so, OpenSSL is
linked in dynamically.

> 2.) Do I have to recreate the self-signed certs for WWW even if I don't
> use any passwords for the private key? (After I update OpenSSL)

Not if (1) it has not been compromised and (2) you don't care about it
being compromised.

In practice, you almost certainly care about it being compromised and,
due to the fact the private key was in the same address space that is
exposed by CVE-2014-0160, your private key was almost certainly leaked
to anyone who bothered to look.

> 3.) Do I have to recreate the keys used for the users of OpenVPN?
> (After I update OpenSSL)

If they were not loaded into the server's address space (and they
probably weren't), no.


Note that all the above answers apply anytime an attacker has read
access to the server's address space. There is nothing special about
the so-called Heartbleed bug that makes it different than so many
other information leak bugs.

-- 
All of my e-mails are cryptographically signed. Verify them.
--
You don't need an AI for a robot uprising.
Humans will do just fine.


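The ldd check suggested in the reply above, written out as a small POSIX shell script. This is an added example, not code from the thread or from the LFS project; it classifies a binary from its ldd output (dynamically linked against libssl/libcrypto, statically linked, or not using OpenSSL at all) so you can decide what needs rebuilding after the OpenSSL update, and it includes a helper for regenerating a self-signed key and certificate, as the reply recommends. The function names, the output labels and the sample ldd output are all constructed for this example.

```sh
#!/bin/sh
# Added example (not from the thread): decide what to rebuild after
# updating OpenSSL by looking at how each binary links libssl/libcrypto.

# classify_ldd reads ldd output from stdin and prints one of:
#   static      - ldd reports no dynamic section; if the program uses
#                 OpenSSL it was linked in at build time, so rebuild it
#   dynamic-ssl - libssl/libcrypto are resolved at run time; the rebuilt
#                 shared OpenSSL is enough once the service is restarted
#   no-ssl      - no OpenSSL library appears in the dependency list
classify_ldd() {
    out=$(cat)
    case "$out" in
        *"not a dynamic executable"*|*"statically linked"*) echo static ;;
        *libssl.so*|*libcrypto.so*) echo dynamic-ssl ;;
        *) echo no-ssl ;;
    esac
}

# check_binary runs the real ldd on a file you built yourself. Note that
# ldd may execute the program's dynamic loader, so keep it to binaries you
# trust (the thread assumes you compiled everything on the box anyway).
check_binary() {
    ldd "$1" 2>&1 | classify_ldd
}

# regen_selfsigned creates a fresh private key and self-signed certificate
# in the given directory (assumed paths key.pem / cert.pem). The old key is
# treated as leaked, as the reply above argues, so it is not reused.
regen_selfsigned() {
    dir=$1
    cn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" -subj "/CN=$cn"
}

# Constructed ldd output for the three cases, used by demo below.
SAMPLE_DYNAMIC='	linux-vdso.so.1 (0x00007fff3a1fe000)
	libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f0c2b6b0000)
	libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f0c2b2c0000)
	libc.so.6 => /lib/libc.so.6 (0x00007f0c2af10000)'
SAMPLE_STATIC='	not a dynamic executable'
SAMPLE_PLAIN='	linux-vdso.so.1 (0x00007fff3a1fe000)
	libc.so.6 => /lib/libc.so.6 (0x00007f0c2af10000)'

demo() {
    for s in "$SAMPLE_DYNAMIC" "$SAMPLE_STATIC" "$SAMPLE_PLAIN"; do
        printf '%s\n' "$s" | classify_ldd
    done
}

demo
```

Run `check_binary /path/to/httpd` (or openvpn, sshd) for each service; anything reported as `static` needs a rebuild against the fixed OpenSSL, and every program reported as `dynamic-ssl` must be restarted so it picks up the new shared library, since a running process keeps the old copy mapped.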


Re: [lfs-support] OpenSSL Heartbleed-bug

2014-04-15 Thread Aleksandar Kuktin
CORRECTION!!

On Tue, 15 Apr 2014 20:06:03 +0200
Aleksandar Kuktin akuk...@gmail.com wrote:

> On Tue, 15 Apr 2014 19:06:14 +0200
> loki l...@pancevo.rs wrote:
>
>> 3.) Do I have to recreate the keys used for the users of OpenVPN?
>> (After I update OpenSSL)
>
> If they were not loaded into the server's address space (and they
> probably weren't), no.

CVE-2014-0160 also affects clients.

Therefore, you also have to regenerate and redistribute user keys.

-- 
All of my e-mails are cryptographically signed. Verify them.
--
You don't need an AI for a robot uprising.
Humans will do just fine.

