In article <1483a20e-66b7-4ecc-8c14-34de4b24b...@gmail.com>,
Markus Falb wrote:
>
> > No vulnerability on the
> > server can expose a private client certificate, only a vulnerability on
> > the client can.
>
> With malicious server I did not mean one that was affected
> by heartbleed but a serv
On 09.Apr.2014, at 22:12, Peter wrote:
> On 04/10/2014 03:09 AM, Markus Falb wrote:
>>
>> I am assuming that client certificates are handed out to staff. Basically
>> you can't
>> really control where people install client certificates and which client
>> software is used.
>> If one is tricke
On Thu, Apr 10, 2014 at 03:10:31PM +0200, David Hrbáč wrote:
> are going to regenerate the user passwords and ssh keys. What more we
SSH keys were not compromised by heartbleed (unless you had a management
tool that was vulnerable or an alternative ssh daemon that used libssl).
Nothing in the sta
Dne 10.4.2014 14:47, Johnny Hughes napsal(a):
> Those are the two possible things that could have happened.
>
> In the case of CentOS servers, the time period where that could have
> occurred is from December 1, 2013 (when openssl-1.0.1e-15.el6 was
> released in Ce
On 04/10/2014 05:17 AM, David Hrbáč wrote:
> Dne 9.4.2014 17:27, Johnny Hughes napsal(a):
>> It is only things that actually used SSL in memory (like httpd, imaps,
>> pop3s, etc.). Those certificates COULD have been impacted. openssh was
>> not impacted (based on my reading).
> What about the user
Dne 9.4.2014 17:27, Johnny Hughes napsal(a):
> It is only things that actually used SSL in memory (like httpd, imaps,
> pop3s, etc.). Those certificates COULD have been impacted. openssh was
> not impacted (based on my reading).
What about the user credentials sent over this "insecure" communicati
On 04/10/2014 03:09 AM, Markus Falb wrote:
>
> I am assuming that client certificates are handed out to staff. Basically you
> can't
> really control where people install client certificates and which client
> software is used.
> If one is tricked to do an SSL Handshake with a malicious server, t
On 04/09/2014 09:27 AM, Johnny Hughes wrote:
> On 04/09/2014 09:09 AM, Markus Falb wrote:
>> On 09.Apr.2014, at 15:54, Johnny Hughes wrote:
>>
>>> On 04/07/2014 08:30 PM, Always Learning wrote:
>>>> Thank you.
>>>>
>>>> What will the temporary packages be called ?
>>> Since this is the f
On Wed, 9 Apr 2014, Johnny Hughes wrote:
1. Besides doing the updates, you should replace any certificates
using SSL or TLS that are openssl based. This includes VPN,
HTTPD, etc. See http://heartbleed.com/ for more info on impacted
keys.
The OpenVPN folks note that if your configur
On 04/09/2014 09:09 AM, Markus Falb wrote:
> On 09.Apr.2014, at 15:54, Johnny Hughes wrote:
>
>> On 04/07/2014 08:30 PM, Always Learning wrote:
>>> Thank you.
>>>
>>> What will the temporary packages be called ?
>>>
>>>
>>
>> Since this is the first post about the openssl update, I want to answer
On 09.Apr.2014, at 15:54, Johnny Hughes wrote:
> On 04/07/2014 08:30 PM, Always Learning wrote:
>> Thank you.
>>
>> What will the temporary packages be called ?
>>
>>
>
>
> Since this is the first post about the openssl update, I want to answer
> a couple questions here:
>
> 1. The first
On 04/07/2014 08:30 PM, Always Learning wrote:
> Thank you.
>
> What will the temporary packages be called ?
>
>
Since this is the first post about the openssl update, I want to answer
a couple questions here:
1. The first susceptible version of openssl in a CentOS release was
openssl-1.0.1e-15
On Tue, 2014-04-08 at 03:30 +0100, Always Learning wrote:
> Thank you.
>
> What will the temporary packages be called ?
I've answered my own question: openssl*
--
Paul.
England,
EU.
Our systems are exclusively Centos. No Micro$oft Windoze here.
___
Thank you.
What will the temporary packages be called ?
--
Paul.
England,
EU.
Our systems are exclusively Centos. No Micro$oft Windoze here.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
14 matches