From owner-freebsd-questions@FreeBSD.ORG Wed Apr 9 16:24:15 2014
Message-ID: <5344CCA1.7090303@networktest.com>
Date: Tue, 08 Apr 2014 21:29:21 -0700
From: David Newman
Organization: Network Test Inc.
To: freebsd-questions@freebsd.org
Subject: Re: OpenSSL TLS Heartbeat Security Issue
References: <20140408134425.Horde.azH0NUU2X8TUmV9kVtS2MA2@d2ux.org> <53440667.8060203@qeng-ho.org> <20140408172645.58B38165B369@sulu.fritz.box> <53443AF1.2070404@FreeBSD.org> <20140408184816.C64B0165B888@sulu.fritz.box>
In-Reply-To: <20140408184816.C64B0165B888@sulu.fritz.box>

On 4/8/14, 11:48 AM, Michael Grimm wrote:
> Matthew Seaman wrote:
>
>> You need to install the patched library and restart all the software
>> that uses it for TLS, *and* *then* (depending on degree of paranoia)
>> get all of your SSL certs re-issued against a different private key.
>> Your CA may or may not charge you for doing that.
>
> Thanks for clarifying. Ok, and I did already start to renew ssh keys.
> That seemed to be overkill, though ;-) Anyway, it's ok to renew those
> after some longer time.

You meant SSL keys, yes? These should definitely be updated after
patching to fix the heartbleed vulnerability. This vulnerability has
existed for a couple of years, and it doesn't leave log entries or other
artifacts.

If you're concerned about passwords that were protected with SSL, it's
time to change those too.

dn
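The step the thread keeps coming back to is re-issuing certificates against a *different* private key, not just re-signing the old one. The script below is an added example and is not from this thread or from any of the posters; it assumes the `openssl` command-line tool is installed, and the subject name `example.invalid` and the file names are placeholders. It generates a fresh key and CSR, refuses to proceed if the new key's public modulus is identical to the old one, and offers a check that a certificate really was issued for a given key, which is how to confirm the CA signed the new key rather than the leaked one.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes the openssl CLI.
# Key and cert identity is compared by a SHA-256 hash of the RSA public modulus.

# key_modulus_hash KEYFILE: print a hash of the private key's public modulus.
key_modulus_hash() {
    openssl rsa -in "$1" -noout -modulus 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_modulus_hash CERTFILE: print a hash of the certificate's public modulus.
cert_modulus_hash() {
    openssl x509 -in "$1" -noout -modulus 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# rotate_key OLDKEY NEWKEY CSR: create a new 2048-bit RSA key and a CSR for it.
# Returns 1 if the "new" key has the same modulus as the old one, i.e. the
# key was not actually replaced and the CSR would re-certify the leaked key.
rotate_key() {
    old=$1; new=$2; csr=$3
    openssl genrsa -out "$new" 2048 2>/dev/null
    chmod 600 "$new"
    # Subject is a placeholder; a real CSR carries the host's own name.
    openssl req -new -key "$new" -out "$csr" -subj "/CN=example.invalid" 2>/dev/null
    if [ "$(key_modulus_hash "$old")" = "$(key_modulus_hash "$new")" ]; then
        echo "refusing: new key is identical to the old key" >&2
        return 1
    fi
    return 0
}

# cert_matches_key CERT KEY: succeed only when CERT was issued for KEY.
# Use it on the re-issued certificate to confirm it binds the new key.
cert_matches_key() {
    [ "$(cert_modulus_hash "$1")" = "$(key_modulus_hash "$2")" ]
}

# Stand-alone usage: rotate.sh OLDKEY NEWKEY CSR
if [ $# -eq 3 ]; then
    rotate_key "$1" "$2" "$3" && echo "new key and CSR written; submit $3 to the CA"
fi
```

Once the CA returns the new certificate, `cert_matches_key new.crt new.key` should succeed and `cert_matches_key new.crt old.key` should fail; if the second one succeeds, the old key is still in service. Restarting every process that has the old library or the old key loaded is a separate step that this script does not cover.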