OpenSSL heartbleed bug / Shibboleth implications

Peter Schober peter.schober at
Tue Apr 8 05:41:51 EDT 2014

* Ian Young <ian at> [2014-04-08 11:22]:
> shibd needs to know the SP's private key because it uses it as a
> credential for the mutual authentication performed on back-channel
> operations. I think we're speculating that the back-channel use of
> OpenSSL by shibd may allow that key to be exposed to a hostile
> IdP. As Scott points out, though, because SPs in general only
> perform back-channel operations to locations found in metadata, it
> isn't quite trivial to exploit this.

Turns out the overwhelmingly bad firewall/packet filter configuration
for SOAP ports at IDPs (at least in our little federation; and
interfederation participation is only starting here) saved the day
here -- a measly 10% of our published IDP SOAP endpoints are actually
reachable, as a quick check revealed. (And of those it's not always
httpd serving up the port.)

> For the IdP, though, it's hard to avoid if you support any SOAP
> endpoints at all.

Being slow to update systems also helped us in this case, as RHEL<6.5
and Debian<7.0 (and deployments of SLES) are not vulnerable to THIS
exploit (when using OS-supplied libraries).
One of the rare occasions, though, for this to be the case, so as not to
overstate the merits of not applying OS updates.
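The "quick check" above starts from the SOAP endpoints a federation publishes in its SAML metadata. As an added example (not code from this thread or from Shibboleth), the following inventories every SOAP-bound endpoint per entityID so an operator can compare the list against what the firewall actually exposes; the metadata is a constructed sample with hypothetical idp1/idp2 hosts.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: idp1 publishes SOAP endpoints, idp2 publishes none.
SAMPLE_METADATA = f"""<EntitiesDescriptor xmlns="{MD}">
  <EntityDescriptor entityID="https://idp1.example.org/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <ArtifactResolutionService Binding="{SOAP_BINDING}" index="1"
          Location="https://idp1.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution"/>
      <SingleSignOnService Binding="{REDIRECT}"
          Location="https://idp1.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>
    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AttributeService Binding="{SOAP_BINDING}"
          Location="https://idp1.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
    </AttributeAuthorityDescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp2.example.org/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="{REDIRECT}"
          Location="https://idp2.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def soap_endpoints(metadata_xml):
    """Map entityID -> [(role, service, location)] for every SOAP-bound endpoint."""
    root = ET.fromstring(metadata_xml)
    found = {}
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        entity_id = entity.get("entityID")
        # Role descriptors (IDPSSODescriptor, AttributeAuthorityDescriptor, ...)
        # are direct children; only their service elements carry a Binding.
        for role in entity:
            if not role.tag.endswith("Descriptor"):
                continue
            for service in role:
                if service.get("Binding") == SOAP_BINDING:
                    entry = (role.tag.split("}")[1], service.tag.split("}")[1],
                             service.get("Location"))
                    found.setdefault(entity_id, []).append(entry)
    return found


if __name__ == "__main__":
    for entity_id, endpoints in soap_endpoints(SAMPLE_METADATA).items():
        for role, service, location in endpoints:
            print(f"{entity_id}\t{role}/{service}\t{location}")
```

Each printed Location is a host:port the firewall must allow for back-channel operations, or block deliberately; anything reachable beyond that list is the exposure worth questioning.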
