OpenSSL heartbleed bug / Shibboleth implications

Peter Schober peter.schober at
Tue Apr 8 05:06:19 EDT 2014

* Cantor, Scott <cantor.2 at> [2014-04-08 05:49]:
> I am working to prepare a patch for this (I had no advance warning)
> and it will be done as soon as I can produce it. It will *only*
> apply to the supported SP version, which is 2.5.3. Anything older
> than 2.5.0 didn't include an affected OpenSSL version, but any 2.5.x
> version will need to be updated to 2.5.3 and then patched.
> Any other SP version is still vulnerable if used with OpenSSL 1.0.1,
> but I don't control the process of obtaining an update, so that will
> depend on your OS or local build.

Does that really affect the SP's private key? I would have expected
the privilege separation via shibd to prevent such problems?

And if anyone still needs reasons not to re-use TLS/SSL keys for SAML
usage, it seems here's +1.
