Ognjen,

On 4/9/14, 3:30 AM, Ognjen Blagojevic wrote:
> On 9.4.2014 9:49, André Warnier wrote:
>> I wonder if I may ask this list-OT question to the SSH experts on
>> the list:
>>
>> I run some 25 webservers (Apache httpd-only, Tomcat-only, or
>> Apache httpd + Tomcat). I do not use HTTPS on any of them. But I
>> use SSH (OpenSSH) to connect to them over the Internet for
>> support purposes, with "authorized_keys" on the servers. Are my
>> servers affected by this bug? Or is this (mainly) an
>> HTTPS-related affair?
>>
>> I mean: I will update OpenSSH on all my servers anyway. But do
>> I have to consider that, with a non-negligible probability, the
>> keys stored on my servers are already compromised?
>
> This is an OpenSSL 1.0.1--1.0.1f vulnerability, so any protocol using
> the OpenSSL implementation of the TLS/SSL protocol (if the OpenSSL
> library version is in the mentioned range) is vulnerable.

Not necessarily. SSH, for instance, does not utilize the "heartbeat" feature of SSL and so is theoretically safe. I suppose you could have used the same server key for both SSH and HTTPS, but that would have been pretty silly.

My recommendation would be to treat everything OpenSSL touches as tainted and re-key anyway.

Here are some guides for re-keying your openssh servers:

Debian: https://wiki.debian.org/SSLkeys#OpenSSH_.28Server.29
Generic: http://www.softec.lu/site/DevelopersCorner/HowToRegenerateNewSsh

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
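As an added example (not code from the thread or from the guides linked above), here is a small POSIX sh helper for the situation André describes: a fleet of OpenSSH servers reachable with key-based access. It classifies `openssl version` output against the 1.0.1 to 1.0.1f range Ognjen quotes, and regenerates the OpenSSH host keys, which is the re-keying Chris recommends. The host names, the `/etc/ssh` default location and the chosen key types are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: Heartbleed triage helpers for a
# fleet of OpenSSH servers (affected OpenSSL range: 1.0.1 to 1.0.1f).

# classify_openssl_version "OpenSSL 1.0.1e 11 Feb 2013"  (or just "1.0.1e")
# Prints "affected" when the upstream version string falls in the
# Heartbleed range, otherwise "not-affected".
# Caveat: distributions backport fixes without bumping the upstream
# version, so "affected" means "check the package changelog", not
# "definitely exposed"; 1.0.0 and 0.9.8 builds never had TLS heartbeats.
classify_openssl_version() {
    set -- $1                          # word-split the version line
    v="$1"; [ "$1" = OpenSSL ] && v="$2"
    case "$v" in
        1.0.1|1.0.1[a-f]) echo affected ;;
        *)                echo not-affected ;;
    esac
}

# triage_fleet HOST... : ask each host for its OpenSSL version over SSH
# (non-interactive, existing key-based access assumed) and print
# "host<TAB>version<TAB>verdict" for a quick inventory.
triage_fleet() {
    for h in "$@"; do
        if ver=$(ssh -o BatchMode=yes "$h" 'openssl version' 2>/dev/null); then
            verdict=$(classify_openssl_version "$ver")
        else
            ver=unknown; verdict=unknown
        fi
        printf '%s\t%s\t%s\n' "$h" "$ver" "$verdict"
    done
}

# regen_host_keys [SSHDIR] : replace the OpenSSH host keys under SSHDIR
# (default /etc/ssh). Run as root, then restart sshd. Clients will see a
# "REMOTE HOST IDENTIFICATION HAS CHANGED" warning until they accept the
# new fingerprints, so record the fingerprints printed here out of band.
regen_host_keys() {
    dir="${1:-/etc/ssh}"
    for t in rsa ecdsa ed25519; do     # key types are an assumption
        rm -f "$dir/ssh_host_${t}_key" "$dir/ssh_host_${t}_key.pub"
        ssh-keygen -q -t "$t" -N '' -f "$dir/ssh_host_${t}_key" || return 1
        ssh-keygen -lf "$dir/ssh_host_${t}_key.pub"
    done
}
```

Typical use is `triage_fleet web01 web02 ...` from the support workstation, followed by `regen_host_keys` on each affected server.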