Обсуждение: openssl heartbleed
Hi all, Our server is running Ubuntu Server 13.10 (we will soon upgrade to 14.04) and PostgreSQL 9.1. We use certificates for all client authentication on remote connections. The server certificate is self-signed. In light of the heartbleed bug, should we create a new server certificate and replace all client certificates? My guess is yes. Regards, Gabriel
On Wed, Apr 09, 2014 at 11:54:43AM -0400, "Gabriel E. Sánchez Martínez" wrote: > self-signed. In light of the heartbleed bug, should we create a new > server certificate and replace all client certificates? My guess is > yes. This depends mostly on what version of openssl you were actually using. If it were me, I'd say yes. A -- Andrew Sullivan ajs@crankycanuck.ca
On 04/09/2014 08:54 AM, "Gabriel E. Sánchez Martínez" wrote: > Hi all, > > Our server is running Ubuntu Server 13.10 (we will soon upgrade to > 14.04) and PostgreSQL 9.1. We use certificates for all client > authentication on remote connections. The server certificate is > self-signed. In light of the heartbleed bug, should we create a new > server certificate and replace all client certificates? My guess is yes. The answer is, of course, "it depends." Here's my take: If your connections are coming from the Internet or other untrusted sources *and* you are or were running a vulnerable version of OpenSSL then yes, you should change your keys, certificates and any other credentials that might have been found at some point in RAM including passwords/keys used to access the vulnerable server *or* which the vulnerable server stores and uses to access other systems. Of course this means that if you have PostgreSQL backing a vulnerable public webserver then you are at risk. If you aren't and weren't running a vulnerable version or if the vulnerable systems were entirely within a trusted network space with no direct external access then you are probably at low to no risk and need to evaluate the cost of updates against the low level of risk. Cheers, Steve
On Wed, Apr 9, 2014 at 10:54 AM, "Gabriel E. Sánchez Martínez" <gabrielesanchez@gmail.com> wrote:
Hi all,
Our server is running Ubuntu Server 13.10 (we will soon upgrade to 14.04) and PostgreSQL 9.1. We use certificates for all client authentication on remote connections. The server certificate is self-signed. In light of the heartbleed bug, should we create a new server certificate and replace all client certificates? My guess is yes.
I highly recommend you, update your server, revoke the certificates and regenerate them.
Regards,
Regards,
Gabriel
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
Cristian Salamea
@ovnicraft
Steve Crawford wrote: > On 04/09/2014 08:54 AM, "Gabriel E. Sánchez Martínez" wrote: >> Hi all, >> >> Our server is running Ubuntu Server 13.10 (we will soon upgrade to >> 14.04) and PostgreSQL 9.1. We use certificates for all client >> authentication on remote connections. The server certificate is >> self-signed. In light of the heartbleed bug, should we create a new >> server certificate and replace all client certificates? My guess is yes. [...] > If you aren't and weren't running a vulnerable version or if the > vulnerable systems were entirely within a trusted network space with no > direct external access then you are probably at low to no risk and need > to evaluate the cost of updates against the low level of risk. If you are in a totally trusted environment, why would you use SSL? Yours, Laurenz Albe
On 4/10/2014 1:01 AM, Albe Laurenz wrote: > If you are in a totally trusted environment, why would you use SSL? Belt, and suspenders. -- john r pierce 37N 122W somewhere on the middle of the left coast
John R Pierce wrote: > On 4/10/2014 1:01 AM, Albe Laurenz wrote: >> If you are in a totally trusted environment, why would you use SSL? > Belt, and suspenders. I guess what I wanted to say was: If you are concerned enough to use SSL, you should be concerned enough to change your certificates. To continue the suspenders parable, if you are worried enough to wear suspenders you should replace them if they have been cut in two. Or take them off - wearing broken suspenders is sillier than wearing none (SSL costs resources). Yours, Laurenz Albe
On 04/10/2014 01:01 AM, Albe Laurenz wrote: > Steve Crawford wrote: > >> If you aren't and weren't running a vulnerable version or if the >> vulnerable systems were entirely within a trusted network space with no >> direct external access then you are probably at low to no risk and need >> to evaluate the cost of updates against the low level of risk. > If you are in a totally trusted environment, why would you use SSL? > I didn't say *totally* trusted - that doesn't exist. We use secure connections inside our firewall all the time and sometimes authentication convenience is as much a driving factor as security. I didn't suggest someone *avoid* updating keys/certificates - just to evaluate cost vs. risk as one must always do. But I'd submit that anyone seriously concerned about this attack being launched from within their internal network has a whole bunch of higher-priority security problems. -Steve