
OpenSSL 1.0.1g available on Axivo repository

Discussion in 'Server Configuration and Hosting' started by Floren, Apr 8, 2014.

  1. Floren

    Floren Well-Known Member

    thedude likes this.
  2. Tracy Perry

    Tracy Perry Well-Known Member

    And for Debian it's a simple apt-get update then apt-get safe-upgrade. :p
     
    Last edited: Apr 8, 2014
    Mouth likes this.
  3. Floren

    Floren Well-Known Member

    We are talking about Linux, they are always slow. And Debian doesn't have the ChaCha20 and Poly1305 ciphers implemented, which are worth gold for security. I was going to release it with them included, but I need to do more testing and see if the Google developers have worked on something new.
     
    Tracy Perry likes this.
  4. Tracy Perry

    Tracy Perry Well-Known Member

    The original post did not refer to additional ciphers.... just a vulnerability. ;)
     
  5. Floren

    Floren Well-Known Member

    Stop fighting. :D
     
  6. Tracy Perry

    Tracy Perry Well-Known Member

    :p
    And spoil the fun?
    Point was that it is important for any Debian users also to grab the latest updates and was just a heads up for them to do it also.
     
    Floren likes this.
  7. Floren

    Floren Well-Known Member

    What is Debian? :giggle:
     
  8. Tracy Perry

    Tracy Perry Well-Known Member

    Only the best OS flavor of Linux out there. :love:
    I'm about to blow out an OpenBSD VPS to play with. From what I understand, out of the box it is one of the most secure OSes available. It's been ages since I played with any of the BSD flavors.
     
    Adam Howard and Floren like this.
  9. Floren

    Floren Well-Known Member

    You know that I'm a convinced Linux head, hehe. :)
    For some reason, I'm not sold on Debian...
     
    Slavik likes this.
  10. p4guru

    p4guru Well-Known Member

    euantor and Slavik like this.
  11. Sheratan

    Sheratan Well-Known Member

    https://www.debian.org/security/2014/dsa-2896
    Do we need to create a new cert?
     
  12. Tracy Perry

    Tracy Perry Well-Known Member

    According to that page:
    According to the currently available information, private keys should be considered as compromised and regenerated as soon as possible. More details will be communicated at a later time.

    If keys need to be regenerated then I'm pretty sure you are going to have to create a new certificate to go with it.... but I'm just getting into the SSL biz so @Floren or someone else would have a definitive answer. My theory is "When in doubt, regenerate".
     
  13. euantor

    euantor Well-Known Member

    Yes, regenerating your certificate with a new set of private keys would be sensible. Updating your passwords across sites is never a bad idea after an issue like this either.
     
  14. Sheratan

    Sheratan Well-Known Member

    Which means I have to re-order my SSL?
     
  15. BamaStangGuy

    BamaStangGuy Well-Known Member

    So one thing I am curious about... with this exploit and the way it is... are sites that were not using OpenSSL (https) more secure over these last 2 years or so that this existed?
     
  16. p4guru

    p4guru Well-Known Member

    Doubt it, that's like saying processing payment transactions via non-SSL was more secure than with SSL
     
  17. LowWaterMark

    LowWaterMark Member

    Well, in this particular case, it's actually true that sites not using SSL were better off.

    The entry point into shared memory in this case was directly tied to running an exploitable version of OpenSSL. Any site running the affected versions could easily be entered and have its memory scanned.

    That's right there in all the overviews of this exploit. That's what makes it so bad.

    Bama is right when he suggests not running SSL at all, in this case, was better. Sure, the session they ran without SSL had no encryption, but, they also had no entry point allowing shared memory to be directly read.

    There is good reason why the security experts are saying this one is the biggest exploit they've seen in a while... because it is. The old rules don't apply. If you had SSL enabled on any of the exploitable versions, you run the risk that someone not only read your certificate, but also scanned memory containing any and all authentication credentials of anyone who signed on during the period they were scanning.

    No SSL running means no entry point exploit to run those memory scans.
     
    ProCom and BamaStangGuy like this.
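    To make the "entry point" LowWaterMark describes concrete, here is an added example (my own code, not from anyone in this thread or from the OpenSSL project) of the bounds check that the 1.0.1g release added to TLS heartbeat handling. A heartbeat request carries a payload length field; the vulnerable versions trusted that field and echoed back that many bytes from process memory even when the record itself was far shorter. The validator below refuses any record whose declared payload does not fit inside the received fragment, which is the same logic an IDS signature applies. The sample records at the bottom are constructed for the test; the record layout follows RFC 6520 and the TLS record header.

```python
"""Validate TLS heartbeat records against the check OpenSSL 1.0.1g added.

Added example, constructed for this thread; not code from the OpenSSL project.
Record layout (TLS record header, then RFC 6520 heartbeat fragment):
  content_type(1) | version(2) | length(2) | fragment(length)
  fragment = hb_type(1) | payload_length(2) | payload | padding(>=16)
Pre-1.0.1g code copied `payload_length` bytes into the reply without
confirming the payload actually fit in the record it received.
"""
import struct

HEARTBEAT_CONTENT_TYPE = 24   # TLS content type for heartbeat (RFC 6520)
HB_REQUEST = 1
HB_HEADER_LEN = 3             # hb_type + 2-byte payload_length
MIN_PADDING = 16              # RFC 6520 minimum padding


def parse_record(data: bytes):
    """Split a raw TLS record into (content_type, version, fragment).

    Raises ValueError when the header is truncated or the declared record
    length disagrees with the bytes actually received.
    """
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:]
    if len(fragment) != length:
        raise ValueError("record length field does not match fragment size")
    return content_type, version, fragment


def heartbeat_is_safe(fragment: bytes) -> bool:
    """True only if the declared payload plus padding fits in the fragment.

    This is the 1.0.1g rule: header + payload_length + minimum padding must
    not exceed the fragment length; anything larger would read past the
    received data and into whatever else sits in process memory.
    """
    if len(fragment) < HB_HEADER_LEN:
        return False                      # no room for the heartbeat header
    payload_length = struct.unpack("!H", fragment[1:3])[0]
    return HB_HEADER_LEN + payload_length + MIN_PADDING <= len(fragment)


def classify_record(data: bytes) -> str:
    """Classify one raw TLS record for logging or alerting.

    Returns 'not-heartbeat', 'heartbeat-ok' or 'heartbeat-overread'.
    Malformed record framing raises ValueError from parse_record.
    """
    content_type, _version, fragment = parse_record(data)
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return "not-heartbeat"
    return "heartbeat-ok" if heartbeat_is_safe(fragment) else "heartbeat-overread"


def sample_heartbeat_record(payload: bytes, declared_length: int) -> bytes:
    """Build a constructed heartbeat request record for exercising the check.

    declared_length normally equals len(payload); a larger value is the
    malformed case the validator must flag.  TLS version 0x0302 (TLS 1.1)
    is an arbitrary constructed choice.
    """
    fragment = (bytes([HB_REQUEST]) + struct.pack("!H", declared_length)
                + payload + b"\x00" * MIN_PADDING)
    return struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, 0x0302, len(fragment)) + fragment


# Constructed samples: a well-formed request and one that claims 16 KiB of
# payload while carrying five bytes.
GOOD_RECORD = sample_heartbeat_record(b"hello", 5)
BAD_RECORD = sample_heartbeat_record(b"hello", 0x4000)

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, classify_record(rec))
```

The classifier only inspects framing, so it can run over captured records without any TLS keys; a site that never spoke TLS has no heartbeat records to inspect at all, which is the point the post above makes.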
  18. euantor

    euantor Well-Known Member

    You should just be able to re-generate it I would hope. I know you can with Gandi.
     
  19. Floren

    Floren Well-Known Member

  20. erich37

    erich37 Well-Known Member
