RE: [Nolug] SSL bug

From: John Souvestre <johns_at_sstar.com>
Date: Wed, 9 Apr 2014 14:21:25 -0500
Message-ID: <01a901cf5428$e7afb1f0$b70f15d0$@sstar.com>

P.S.

An interesting note I just read:

>>> However, if you are using certificates (wildcard certificates,
certificates with alternative names) on your [safe, non-affected] server that
are shared with other software (e.g. apache web servers) that might be using
buggy OpenSSL versions, the private key could potentially have been leaked by
that other software. In that case, it's better to consider re-generating the
private key and obtaining a new certificate.

John

    John Souvestre - New Orleans LA

From: owner-nolug@stoney.kellynet.org [mailto:owner-nolug@stoney.kellynet.org]
On Behalf Of John Souvestre
Sent: Wed, April 09, 2014 2:17 pm
To: nolug@nolug.org
Subject: RE: [Nolug] SSL bug

Sorry, I sent that too quickly…

I meant to add: The CA cert itself wouldn't be compromised, but from what I
gather some of the CAs are considering invalidating their certs as a
practical solution. This will serve to protect all those depending on that
CA cert (including those who didn't have the OpenSSL flaw), will help to keep
the cert reject list small, and allow admins to remove it on user machines,
which would help protect applications which don't validate the cert chain
fully.

John

    John Souvestre - New Orleans LA

From: John Souvestre [mailto:johns@sstar.com]
Sent: Wed, April 09, 2014 2:12 pm
To: 'nolug@nolug.org'
Subject: RE: [Nolug] SSL bug

> So no current public CA that claims to be following the security
> standards, could have a CA certificate compromised, unless they were quite
> negligent.

I believe you are incorrect about this.

https://www.schneier.com/blog/archives/2014/04/heartbleed.html

John

    John Souvestre - New Orleans LA

From: owner-nolug@stoney.kellynet.org [mailto:owner-nolug@stoney.kellynet.org]
On Behalf Of Jimmy Hess
Sent: Wed, April 09, 2014 8:37 am
To: nolug@nolug.org
Subject: Re: [Nolug] SSL bug

On Wed, Apr 9, 2014 at 8:00 AM, Joey Kelly <joey@joeykelly.net> wrote:

> On 04/09/2014 04:27 AM, Ron Johnson wrote:
> > Do CA certificates need to be recreated?

It is impossible without having violated basic Crypto 101 key hygiene rules.

So no current public CA that claims to be following the security standards
could have a CA certificate compromised, unless they were quite negligent.

A CA should never issue certificates that have a Policy definition/Extended key
usage allowing the certificate to be used for both Key agreement/Data
encipherment AND for Certificate signing (or CRL Signing).

CA signing keys should never be loaded onto a webserver.

Always sign a separate certificate that has a different key from the
certificate signing key.

> If you created them with a vulnerable OpenSSL version, then yes. I've
> got one to redo myself.
>
> --
> Joey Kelly
> Minister of the Gospel and Linux Consultant
> http://joeykelly.net
> 504-239-6550
> ___________________
> Nolug mailing list
> nolug@nolug.org
-- 
-Mysid 

___________________
Nolug mailing list
nolug@nolug.org
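Jimmy's rule above (a CA signing key and a TLS server key must be separate, and no single certificate should carry both keyCertSign/cRLSign and keyEncipherment/keyAgreement) can be checked mechanically from the KeyUsage extension. The following is an added example, not code from anyone in this thread: it decodes the DER BIT STRING that carries the X.509 KeyUsage flags (RFC 5280 section 4.2.1.3) and flags any certificate whose usage mixes the two roles, which is exactly the case where a Heartbleed-style key leak from a web server would also expose a signing key. The sample DER values are constructed for the example; in practice the bytes would come from the extension value of a parsed certificate.

```python
"""Audit X.509 KeyUsage flags for the 'signing key doubles as TLS key' mistake.

Added example (not from the Nolug thread). Input is the DER-encoded BIT STRING
that forms the value of the KeyUsage extension (OID 2.5.29.15).
"""

# Bit positions defined by RFC 5280 section 4.2.1.3 (bit 0 is the MSB of the first byte).
KEY_USAGE_BITS = [
    "digitalSignature",  # 0
    "nonRepudiation",    # 1
    "keyEncipherment",   # 2
    "dataEncipherment",  # 3
    "keyAgreement",      # 4
    "keyCertSign",       # 5
    "cRLSign",           # 6
    "encipherOnly",      # 7
    "decipherOnly",      # 8
]

# Usages that only a CA / CRL issuer key should have.
SIGNING_USAGES = {"keyCertSign", "cRLSign"}
# Usages that a TLS server key (the key an OpenSSL-based web server holds) would have.
TLS_KEY_USAGES = {"keyEncipherment", "keyAgreement", "dataEncipherment"}


def decode_key_usage(der: bytes) -> set:
    """Return the set of KeyUsage names asserted in a DER BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING (tag 0x03)")
    length = der[1]
    # KeyUsage is at most 2 content bytes, so a short-form length is all we accept.
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unexpected BIT STRING length encoding")
    unused_bits = der[2]          # number of padding bits in the last byte
    body = der[3:]
    if unused_bits > 7 or (unused_bits and not body):
        raise ValueError("invalid unused-bits count")
    total_bits = len(body) * 8 - unused_bits
    usages = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if body[i // 8] & (0x80 >> (i % 8)):
            usages.add(KEY_USAGE_BITS[i])
    return usages


def mixes_signing_and_tls(usages: set) -> bool:
    """True when one key is asserted for both certificate/CRL signing and TLS key use."""
    return bool(usages & SIGNING_USAGES) and bool(usages & TLS_KEY_USAGES)


def audit(certs: dict) -> list:
    """Return the names of certificates whose KeyUsage mixes the two roles."""
    return sorted(name for name, der in certs.items()
                  if mixes_signing_and_tls(decode_key_usage(der)))


# Constructed sample KeyUsage values (BIT STRING tag, length, unused bits, flags).
SAMPLE_CERTS = {
    "root-ca":      bytes.fromhex("03020106"),    # keyCertSign, cRLSign
    "www-server":   bytes.fromhex("030205A0"),    # digitalSignature, keyEncipherment
    "bad-combined": bytes.fromhex("030201A6"),    # digitalSignature, keyEncipherment, keyCertSign, cRLSign
    "dh-only":      bytes.fromhex("0303070080"),  # decipherOnly (bit 8, second byte)
}

if __name__ == "__main__":
    for name, der in SAMPLE_CERTS.items():
        print(f"{name}: {sorted(decode_key_usage(der))}")
    print("mixed-role keys:", audit(SAMPLE_CERTS))
```

Running it lists `bad-combined` as the only offender: its one key is asserted for both certificate signing and TLS key encipherment, so a leak of the web server's private key would also be a leak of a signing key. The properly separated root CA and server certificates pass.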

Received on 04/09/14