On Wed, Apr 9, 2014 at 2:53 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Ognjen,
>
> On 4/9/14, 3:30 AM, Ognjen Blagojevic wrote:
>> On 9.4.2014 9:49, André Warnier wrote:
>>> I wonder if I may ask this list-OT question to the SSH experts on
>>> the list :
>>>
>>> I run some 25 webservers (Apache httpd-only, Tomcat-only, or
>>> Apache httpd + Tomcat). I do not use HTTPS on any of them. But I
>>> use SSH (OpenSSH) to connect to them over the Internet for
>>> support purposes, with "authorized_keys" on the servers. Are my
>>> servers affected by this bug ? Or is this (mainly) an
>>> HTTPS-related affair ?
>>>
>>> I mean : I will update OpenSSH on all my servers anyway.  But do
>>> I have to consider that, with a non-negligible probability, the
>>> keys stored on my servers are already compromised ?
>>
>> This is OpenSSL 1.0.1--1.0.1f vulnerability, so any protocol using
>> OpenSSL implementation of TLS/SSL protocol (if OpenSSL library
>> version is in mentioned range) is vulnerable
>
> Not necessarily. SSH, for instance, does not utilize the "heartbeat"
> feature of SSL and so is theoretically safe. I suppose you could have
> used the same server key for both SSH and HTTPS, but that would have
> been pretty silly.

Isn't that exactly what Ognjen said? This quote from him was not
included in your email:

>> SSH protocol does not use TLS/SSL, so it is not vulnerable to Heartbleed bug.

> My recommendation would be to treat everything OpenSSL touches as
> tainted and re-key anyway.

That may be a costly recommendation because one might buy more new and
revoke more old certificates than necessary.

Cheers

robert


-- 
[guy, jim].each {|him| remember.him do |as, often| as.you_can - without end}
http://blog.rubybestpractices.com/
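As an added example (not from anyone in this thread), a small POSIX shell check that classifies an `openssl version` string against the 1.0.1 through 1.0.1f range discussed above. It assumes the upstream version string format; distributions backport fixes without changing that string, so a match means "verify the vendor patch level", not "proven vulnerable".

```shell
#!/bin/sh
# Classify an "openssl version" string against the Heartbleed-affected
# range 1.0.1 .. 1.0.1f. Input looks like "OpenSSL 1.0.1e 11 Feb 2013".
# Assumption: upstream version numbering. Vendor builds (Debian, RHEL)
# keep the upstream number and backport the fix, so treat "in-range"
# as a prompt to check the package changelog, not as a verdict.

heartbleed_range() {
    # Return 0 when the version is in 1.0.1 .. 1.0.1f, 1 otherwise.
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    ver=${ver%%-*}                 # drop build suffixes such as "-fips"
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # 1.0.1 .. 1.0.1f: heartbeat bug present
        *) return 1 ;;                  # 1.0.1g+, 1.0.0, 0.9.8, 1.0.2: outside range
    esac
}

classify_openssl() {
    # Print a one-word verdict for a version string (used by callers/tests).
    if heartbleed_range "$1"; then
        echo "in-range"
    else
        echo "out-of-range"
    fi
}

# Report on the local host's default OpenSSL, if one is installed.
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version)
    echo "$v -> $(classify_openssl "$v")"
fi
```

Note that a clean result here says nothing about services that statically link or bundle their own OpenSSL copy; check each such binary separately.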
