
cacert-sysadm - Re: OpenSSL 'Heartbleed' bug

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list

  • From: Michael Tänzer <michael.taenzer AT cacert.org>
  • To: cacert-sysadm AT lists.cacert.org, iang AT iang.org
  • Subject: Re: OpenSSL 'Heartbleed' bug
  • Date: Tue, 08 Apr 2014 03:18:29 +0200
  • Openpgp: id=E53B124B

Hi Mendel,

On 08.04.2014 00:10, Mendel Mobach wrote:
> On 07 Apr 2014, at 23:19, ianG <iang AT iang.org> wrote:
>> http://heartbleed.com/

> We run openssl-older, no problem at www and signer at least. I did
> not check OCSP yet, but OCSP should not run over ssl.

The OCSP server has three certs, two for the OCSP responder itself and
one to allow transport encryption for the OCSP requests. The transport
encryption certificate (serial number 931461 (0xe3685)) could be
affected if the OCSP server runs one of the vulnerable openssl versions.
This does NOT mean that the OCSP server _itself_ is compromised; the
effect could, however, be that an attacker can decrypt the traffic, so
that information about which CAcert certificates a user is validating
could be exposed -> privacy issue.

> If you need to upgrade your openssl, consider at least your ssl stuff
> compromised. Generate new keys.

If the OCSP server runs an affected OpenSSL version please upgrade,
generate a new transport cert and send me the CSR.

--
Thanks,
Michael Tänzer

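The message above explains why a vulnerable OpenSSL on the OCSP host matters even though the OCSP responder's own signing keys are not touched: the heartbeat over-read can hand an attacker whatever sits next to the record in process memory, including the transport key. The following is an added example, not code from this thread, from CAcert, or from OpenSSL. It models the shape of OpenSSL's tls1_process_heartbeat() before and after the 1.0.1g bounds check in two small handlers, and runs both against a constructed 20-byte request that claims a 64-byte payload. The memory layout, the fake key header used as the "secret", and all function names (heartbeat_vulnerable, heartbeat_fixed, build_record, response_length, response_contains_secret) are constructed for the demonstration; the over-read is kept inside one array so the example is deterministic rather than undefined behaviour.

```c
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding */

/* Heartbeat record body as the handler sees it: type (1), payload_length
 * (2, big-endian), payload, padding. `length` is what the peer really sent;
 * the payload_length field inside the record is attacker-controlled. */
typedef struct {
    const unsigned char *data;
    size_t length;
} hb_record;

typedef size_t (*hb_handler)(const hb_record *, unsigned char *, size_t);

static size_t claimed_payload_len(const hb_record *rec)
{
    return ((size_t)rec->data[1] << 8) | rec->data[2];
}

/* Vulnerable shape of tls1_process_heartbeat(): echoes as many bytes as the
 * request claims without comparing that to rec->length, so memcpy reads on
 * past the record into neighbouring memory. Returns bytes written, 0 = drop. */
size_t heartbeat_vulnerable(const hb_record *rec, unsigned char *out, size_t out_cap)
{
    size_t payload = claimed_payload_len(rec);
    if (3 + payload > out_cap)          /* protects only the output buffer */
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec->data[1];
    out[2] = rec->data[2];
    memcpy(out + 3, rec->data + 3, payload);   /* the over-read */
    return 3 + payload;
}

/* Fixed shape: the bounds checks OpenSSL 1.0.1g added, then the same echo.
 * A request claiming more than was received is silently dropped. */
size_t heartbeat_fixed(const hb_record *rec, unsigned char *out, size_t out_cap)
{
    if (rec->length < 1 + 2 + HB_PADDING)           /* too short to be valid */
        return 0;
    size_t payload = claimed_payload_len(rec);
    if (1 + 2 + payload + HB_PADDING > rec->length) /* claimed > received */
        return 0;
    if (3 + payload > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec->data[1];
    out[2] = rec->data[2];
    memcpy(out + 3, rec->data + 3, payload);
    return 3 + payload;
}

/* Constructed demo memory (not a real OpenSSL layout): a 20-byte request
 * (1 payload byte + 16 padding) followed in the same array by data that just
 * happens to be adjacent, here a fake key header. One array keeps the
 * over-read deterministic rather than undefined behaviour. */
#define REAL_RECORD_LEN (1 + 2 + 1 + HB_PADDING)   /* 20 bytes actually sent */
static unsigned char process_memory[128];
static const char secret[] = "-----BEGIN RSA PRIVATE KEY-----";

static hb_record build_record(uint16_t claimed_len)
{
    memset(process_memory, 0, sizeof process_memory);
    process_memory[0] = HB_REQUEST;
    process_memory[1] = (unsigned char)(claimed_len >> 8);
    process_memory[2] = (unsigned char)(claimed_len & 0xff);
    process_memory[3] = 'A';                                /* real payload */
    memset(process_memory + 4, 0x11, HB_PADDING);           /* padding */
    memcpy(process_memory + REAL_RECORD_LEN, secret, sizeof secret);
    hb_record rec = { process_memory, REAL_RECORD_LEN };
    return rec;
}

/* Bytes the handler sends back for a request claiming claimed_len (0 = dropped). */
size_t response_length(hb_handler handler, uint16_t claimed_len)
{
    unsigned char out[128];
    hb_record rec = build_record(claimed_len);
    return handler(&rec, out, sizeof out);
}

/* 1 if the response carries the neighbouring secret, 0 if clean, -1 if dropped. */
int response_contains_secret(hb_handler handler, uint16_t claimed_len)
{
    unsigned char out[128];
    hb_record rec = build_record(claimed_len);
    size_t n = handler(&rec, out, sizeof out), slen = strlen(secret);
    if (n == 0)
        return -1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, secret, slen) == 0)
            return 1;
    return 0;
}
```

Calling the two handlers from a main with a claimed length of 64 shows the difference: the vulnerable handler answers with 67 bytes and the fake key header is inside them, while the fixed handler returns 0 and sends nothing; a well-formed request claiming 1 byte gets a 4-byte, clean response from both. This is also why the advice in the thread is to rotate the key and issue a new transport cert, not merely to upgrade: the leak is silent, and a key read out before the upgrade stays usable afterwards.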



