
cacert-sysadm - Re: OpenSSL 'Heartbleed' bug

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list

  • From: Wytze van der Raay <wytze AT cacert.org>
  • To: cacert-sysadm AT lists.cacert.org
  • Subject: Re: OpenSSL 'Heartbleed' bug
  • Date: Tue, 08 Apr 2014 10:50:37 +0200

Mendel Mobach wrote on 8-4-2014 0:10:
> On 07 Apr 2014, at 23:19, ianG <iang AT iang.org> wrote:
>
>> http://heartbleed.com/
>>
>> from that page:
>>
>> ================
>> What versions of the OpenSSL are affected?
>>
>> Status of different versions:
>>
>> OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
>> OpenSSL 1.0.1g is NOT vulnerable
>> OpenSSL 0.9.8 branch is NOT vulnerable
>>
>> Bug was introduced to OpenSSL in December 2011 and has been out in the
>> wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g
>> released on 7th of April 2014 fixes the bug.
>> ================
>
> We run openssl-older, no problem at www and signer at least.

To be exact: we run openssl-0.9.8o-4squeeze14 on both.

> I did not check OCSP yet, but OCSP should not run over ssl.

We are running openssl-1.0.0c-18.42.1.x86_64 on the ocsp server
(but currently not offering OCSP over SSL support). We are also
running openssl-1.0.0c-18.42.1.x86_64 on the crl server (including
support for HTTPS). This version is also not vulnerable.

> If you need to upgrade your openssl, consider at least your ssl
> stuff compromised. Generate new keys.

Well said.

Regards,
-- wytze


Attachment: smime.p7s
Description: S/MIME cryptographic signature
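
The version check discussed in this thread, as an added example that is not part of the original messages: it extracts the upstream OpenSSL version from a package name and classifies it against the status list quoted from heartbleed.com. The function names and the "unknown" result for versions the quoted list does not cover are assumptions of this example.

```python
import re

# Upstream status as quoted from heartbleed.com in the message above:
# 1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, 0.9.8 branch not vulnerable.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def upstream_version(package):
    """Return (major, minor, fix, letter) from a package or version string."""
    m = _VERSION.search(package)
    if m is None:
        raise ValueError(f"no OpenSSL version found in {package!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def heartbleed_status(package):
    """Classify a package by its upstream OpenSSL version only."""
    major, minor, fix, letter = upstream_version(package)
    branch = (major, minor, fix)
    if branch == (1, 0, 1):
        # "" (plain 1.0.1) sorts before "a"; anything after "f" is 1.0.1g+.
        return "vulnerable" if letter <= "f" else "not vulnerable"
    if branch < (1, 0, 1):
        # Releases that predate 1.0.1, where the bug first shipped.
        return "not vulnerable"
    return "unknown"  # not covered by the status list quoted on this page


def audit(inventory):
    """Map each host name to the status of its installed package."""
    return {host: heartbleed_status(pkg) for host, pkg in inventory.items()}


# Hosts and package versions as reported in the message above.
INVENTORY = {
    "www": "openssl-0.9.8o-4squeeze14",
    "signer": "openssl-0.9.8o-4squeeze14",
    "ocsp": "openssl-1.0.0c-18.42.1.x86_64",
    "crl": "openssl-1.0.0c-18.42.1.x86_64",
}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:8} {INVENTORY[host]:32} {status}")
```

Distribution packages can carry a backported fix without changing the upstream version letter, so a "vulnerable" result from this check should be confirmed against the distribution's security advisory.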



