Re: [OT] HeartBleed bug
Chris, On 9.4.2014 14:53, Christopher Schultz wrote: My recommendation would be to treat everything OpenSSL touches as tainted and re-key anyway. [I will assume we are talking about OpenSSH implementation.] That dependins of the definition of "what OpenSSL touches". OpenSSL consists of two libraries: libcrypto and libtls. OpenSSH implementation depends on OpenSSL package, but only to utilize primitive crypro functions from libcrypto library. Libtls library contains implementation of TLS protocol, including Heartbeat functionality, but OpenSSH does not utilize that library, AFAIK. Therefore, I stand by my earlier position -- no need to rekey SSH keys. -Ognjen - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] HeartBleed bug
On Wed, Apr 9, 2014 at 2:53 PM, Christopher Schultz wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Ognjen, > > On 4/9/14, 3:30 AM, Ognjen Blagojevic wrote: >> On 9.4.2014 9:49, André Warnier wrote: >>> I wonder if I may ask this list-OT question to the SSH experts on >>> the list : >>> >>> I run some 25 webservers (Apache httpd-only, Tomcat-only, or >>> Apache httpd + Tomcat). I do not use HTTPS on any of them. But I >>> use SSH (OpenSSH) to connect to them over the Internet for >>> support purposes, with "authorized_keys" on the servers. Are my >>> servers affected by this bug ? Or is this (mainly) an >>> HTTPS-related affair ? >>> >>> I mean : I will update OpenSSH on all my servers anyway. But do >>> I have to consider that, with a non-negligible probability, the >>> keys stored on my servers are already compromised ? >> >> This is OpenSSL 1.0.1--1.0.1f vulnerabilty, so any protocol using >> OpenSSL implementation of TLS/SSL protocol (if OpenSSL libarary >> version is in mentioned range) is vulnerable > > Not necessarily. SSH, for instance, does not utilize the "heartbeat" > feature of SSL and so is theoretically safe. I suppose you could have > used the same server key for both SSH and HTTPS, but that would have > been pretty silly. Isn't that exactly what Ognjen said? This quote of him was not included in your email: >> SSH protocol does not use TSL/SSL, so it is not vulnerable to Heartbleed bug. > My recommendation would be to treat everything OpenSSL touches as > tainted and re-key anyway. That may be a costly recommendation because one might buy more new and revoke more old certificates than necessary. Cheers robert -- [guy, jim].each {|him| remember.him do |as, often| as.you_can - without end} http://blog.rubybestpractices.com/ - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] HeartBleed bug
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Ognjen, On 4/9/14, 3:30 AM, Ognjen Blagojevic wrote: > On 9.4.2014 9:49, André Warnier wrote: >> I wonder if I may ask this list-OT question to the SSH experts on >> the list : >> >> I run some 25 webservers (Apache httpd-only, Tomcat-only, or >> Apache httpd + Tomcat). I do not use HTTPS on any of them. But I >> use SSH (OpenSSH) to connect to them over the Internet for >> support purposes, with "authorized_keys" on the servers. Are my >> servers affected by this bug ? Or is this (mainly) an >> HTTPS-related affair ? >> >> I mean : I will update OpenSSH on all my servers anyway. But do >> I have to consider that, with a non-negligible probability, the >> keys stored on my servers are already compromised ? > > This is OpenSSL 1.0.1--1.0.1f vulnerabilty, so any protocol using > OpenSSL implementation of TLS/SSL protocol (if OpenSSL libarary > version is in mentioned range) is vulnerable Not necessarily. SSH, for instance, does not utilize the "heartbeat" feature of SSL and so is theoretically safe. I suppose you could have used the same server key for both SSH and HTTPS, but that would have been pretty silly. My recommendation would be to treat everything OpenSSL touches as tainted and re-key anyway. Here are some guides for re-keying your openssh servers: Debian: https://wiki.debian.org/SSLkeys#OpenSSH_.28Server.29 Generic: http://www.softec.lu/site/DevelopersCorner/HowToRegenerateNewSsh - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJTRULAAAoJEBzwKT+lPKRYwwYP/0HrBqKK14wZ9lbLLP8mPzS7 VW3DFmuUbEYtLaRsSiCoAm2Db4ip8GuDLF7QuHRcaPIjejf56vjtOHxzDuPTHs88 d9Wdl045XABbp9esp/yt0PERc3IpFp0aF5HIZ9PUYhq+wEedz29nuQDMgBq2tnhW EhtTe5IbtvB/e0JCVHfmfrNZ28u3AqD9ymM8F2R3DlvkfEIK+H+iG+jXoYGGoalq scuYEDcPKQfW1raA6S+Y3+88NGnOfZ9HY8nQexRXN02rU+MzxMUesArdsH6WLrVE BD7/chXld2Wrtfk2pGpqx326NG2Or8knhsnYDx1N+uH1wi8Z+QTdUuhUUN6+yazh vYazcYnHxFYMj8TGrEPETa+FbNuok/z1C78ZqfehOfAZ1hxoATq9d8T7vE6C2rCQ ONc8962Umu1jtNKrtWZUly1G4Bb4SJvRxxTfZif4A6mxipxSUJXBo6DIBdn1ETJB nogCE+YxXXb9DtmjQRGhuu4vuyA/DoNlEPmkjDjGDiBPcloxGIdsinz9zx1Rk7S0 9Z82sNpsZDztFe/Z1/VZ8jrnhaKHO03saR33XdWthBHna0nOiJ1TBhGFeuPE82kK Esz79QArjv9237Xf/MMatO1jXA85cqqzILy43hD/jo4dxT+8c0aE/X7nq5ekfUEF 9CfbNtwi/7eQPrjsnZg6 =rb8D -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] HeartBleed bug
Ognjen Blagojevic wrote: André, On 9.4.2014 9:49, André Warnier wrote: I wonder if I may ask this list-OT question to the SSH experts on the list : I run some 25 webservers (Apache httpd-only, Tomcat-only, or Apache httpd + Tomcat). I do not use HTTPS on any of them. But I use SSH (OpenSSH) to connect to them over the Internet for support purposes, with "authorized_keys" on the servers. Are my servers affected by this bug ? Or is this (mainly) an HTTPS-related affair ? I mean : I will update OpenSSH on all my servers anyway. But do I have to consider that, with a non-negligible probability, the keys stored on my servers are already compromised ? This is OpenSSL 1.0.1--1.0.1f vulnerabilty, so any protocol using OpenSSL implementation of TLS/SSL protocol (if OpenSSL libarary version is in mentioned range) is vulnerable, like: STARTTLS extension for protocols like SMTP, POP, IMAP, XMPP, FTP, LDAP, NNTP, and also other protocols which uss TLS/SSL like SSL VPN, and HTTPS. SSH protocol does not use TSL/SSL, so it is not vulnerable to Heartbleed bug. -Ognjen Thanks for clarifying for this SSH/SSL near-dummy. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] HeartBleed bug
André, On 9.4.2014 9:49, André Warnier wrote: I wonder if I may ask this list-OT question to the SSH experts on the list : I run some 25 webservers (Apache httpd-only, Tomcat-only, or Apache httpd + Tomcat). I do not use HTTPS on any of them. But I use SSH (OpenSSH) to connect to them over the Internet for support purposes, with "authorized_keys" on the servers. Are my servers affected by this bug ? Or is this (mainly) an HTTPS-related affair ? I mean : I will update OpenSSH on all my servers anyway. But do I have to consider that, with a non-negligible probability, the keys stored on my servers are already compromised ? This is OpenSSL 1.0.1--1.0.1f vulnerabilty, so any protocol using OpenSSL implementation of TLS/SSL protocol (if OpenSSL libarary version is in mentioned range) is vulnerable, like: STARTTLS extension for protocols like SMTP, POP, IMAP, XMPP, FTP, LDAP, NNTP, and also other protocols which uss TLS/SSL like SSL VPN, and HTTPS. SSH protocol does not use TSL/SSL, so it is not vulnerable to Heartbleed bug. -Ognjen - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org