André,
On 9.4.2014 9:49, André Warnier wrote:
I wonder if I may ask this list-OT question to the SSH experts on the
list :
I run some 25 webservers (Apache httpd-only, Tomcat-only, or Apache
httpd + Tomcat).
I do not use HTTPS on any of them.
But I use SSH (OpenSSH) to connect to them over the Internet for support
purposes, with "authorized_keys" on the servers.
Are my servers affected by this bug ?
Or is this (mainly) an HTTPS-related affair ?
I mean : I will update OpenSSH on all my servers anyway. But do I have
to consider that, with a non-negligible probability, the keys stored on
my servers are already compromised ?
This is OpenSSL 1.0.1--1.0.1f vulnerabilty, so any protocol using
OpenSSL implementation of TLS/SSL protocol (if OpenSSL libarary version
is in mentioned range) is vulnerable, like: STARTTLS extension for
protocols like SMTP, POP, IMAP, XMPP, FTP, LDAP, NNTP, and also other
protocols which uss TLS/SSL like SSL VPN, and HTTPS.
SSH protocol does not use TSL/SSL, so it is not vulnerable to Heartbleed
bug.
-Ognjen
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
