Re: [Nolug] SSL bug

From: Jimmy Hess
Date: Wed, 9 Apr 2014 05:59:22 -0500

On Tue, Apr 8, 2014 at 10:52 AM, Joey Kelly wrote:

> Guys,
> what's described is bad. Very bad. If either end of an ssh or SSL
> connection (this includes VPNs, IPsec, Puppet, secure websites, and
> other stuff) runs vulnerable code (the site lists the versions in

SSH clients and servers are in no way affected.

The bug relates to the TLS protocol. TLS and SSL Version 3 clients and
servers using an affected version of the library may be vulnerable.

The general recommendation is to revoke and reissue X.509 certificates used
by TLS and SSL servers after patching.

That is because the exploit leaves no trace; patching alone does not help
you restore your confidence in the server to what it was before the exploit
announcement: you have no way of knowing if the exploit has been used
to steal the private keys or other secret information held in RAM by
server programs you use that have TLS/SSL support.

Possible defenses against similar future issues would be to switch to
applications with PKCS #11 hardware security modules, or other
hardware-based encryption options, where SSL private keys are stored on a
dedicated hardware security module (instead of on the server).
