OpenSSL heartbleed bug / Shibboleth implications

Nickles, Brent bnick001 at
Tue Apr 8 11:23:08 EDT 2014

I'm trying to wrap my head around all of this. I've seen some tools to check the server itself, but this is limited to HTTP, and after patching it does show the server is secure.
The tool is, however, limited to testing against HTTPS (web) servers. So, even though your web server might be OK, I'm assuming that anything that linked against OpenSSL might need to be addressed??? My concern/question is: should we reinstall shib and/or metadata on the SP and the IdP side to be safe?

-----Original Message-----
From: users-bounces at [mailto:users-bounces at] On Behalf Of Leif Johansson
Sent: Tuesday, April 08, 2014 10:00 AM
To: users at
Subject: Re: OpenSSL heartbleed bug / Shibboleth implications

On 2014-04-08 15:54, Cantor, Scott wrote:
> On 4/8/14, 5:06 AM, "Peter Schober" <peter.schober at> wrote:
>> Does that really affect the SP's private key? I would have expected 
>> the privilege separation via shibd to prevent such problems?
>> ture
> Ian's correct, my understanding is that connecting as a client also 
> exposes that client's key to a hostile server. The mitigation with the 
> SP is that it doesn't generally connect to anything but IdPs and 
> metadata locations, unless I'm overlooking something.

It looks like "it depends".

Running the common against stuff actually gets you sessions on most HTTPS servers I've tried but nothing that looks like private key material. That may just be because I'm bad at mounting attacks though.

The prevalent guess over here is that most of the attacks right now are being mounted against things that might have bitcoins in memory and so we have a couple of days until those opportunities have closed :-)

> I don't expect *massive* fallout on the IdP side because 1.0.1 was 
> relatively rare until very recently with the push to get TLS 1.1 and 
> 1.2 deployed. But I really don't know the volume there, so I felt I 
> needed to highlight this.
> -- Scott
> --
> To unsubscribe from this list send an email to 
> users-unsubscribe at

To unsubscribe from this list send an email to users-unsubscribe at
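Brent's question above (does anything linked against OpenSSL need attention, not just the web server?) usually comes down to two checks on each SP/IdP host: is the installed OpenSSL in the affected 1.0.1 through 1.0.1f range, and are long-running processes such as shibd, httpd or the IdP's JVM still holding the old library in memory after the package was replaced. The following is an added example written for this page, not code from the Shibboleth project or from anyone in the thread. It assumes a Linux host with the usual `/proc/<pid>/maps` layout; the process names and maps excerpts in `SAMPLE_MAPS` are constructed, not captured from a real system.

```python
"""Post-Heartbleed triage helpers (added example; not from the Shibboleth list).

Two checks a defender wants after patching OpenSSL on an SP or IdP host:
  1. classify a reported OpenSSL version string as affected or not, and
  2. find running processes that still map the libssl/libcrypto that was
     replaced on disk, i.e. were never restarted and still run old code.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

# CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f and the 1.0.2 betas;
# 1.0.1g is the fixed release. 0.9.8 and 1.0.0 never contained the heartbeat code.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d*)?")


def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int, str, bool]]:
    """Parse e.g. 'OpenSSL 1.0.1e-fips 11 Feb 2013' into (1, 0, 1, 'e', False).

    The last element marks a 1.0.2 beta build. Returns None when no version is found.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, m.group(4), m.group(5) is not None


def is_heartbleed_version(text: str) -> Optional[bool]:
    """True if the version string falls in the affected range, None if unparseable."""
    v = parse_openssl_version(text)
    if v is None:
        return None
    major, minor, patch, letter, beta = v
    if (major, minor, patch) == (1, 0, 2):
        return beta                      # only the 1.0.2 betas shipped the bug
    if (major, minor, patch) != (1, 0, 1):
        return False
    return letter <= "f"                 # '' (1.0.1) and 'a'..'f' affected; 'g' onward fixed


# One /proc/<pid>/maps line: address perms offset dev inode [pathname [(deleted)]]
MAPS_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s+(\S+)(\s+\(deleted\))?\s*$")


def stale_libssl_mappings(maps_text: str) -> List[str]:
    """Return mapped libssl/libcrypto paths whose file was replaced on disk.

    The kernel appends '(deleted)' when the mapped inode is no longer linked at
    that path, which is exactly what a package upgrade does to the old library.
    Match on the base name only: Debian/Ubuntu ship 1.0.1 with the SONAME
    libssl.so.1.0.0, so the suffix does not identify the release.
    """
    stale: List[str] = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue                     # anonymous mapping or unexpected line
        path, deleted = m.group(1), m.group(2)
        base = os.path.basename(path)
        if deleted and (base.startswith("libssl.so") or base.startswith("libcrypto.so")):
            if path not in stale:
                stale.append(path)
    return stale


def processes_needing_restart(maps_by_pid: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each process to its stale OpenSSL libraries; processes without any are omitted."""
    return {pid: stale for pid, text in maps_by_pid.items()
            if (stale := stale_libssl_mappings(text))}


def scan_live_system() -> Dict[str, List[str]]:
    """Read /proc on this host (reading other users' maps normally needs root)."""
    maps_by_pid: Dict[str, str] = {}
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/maps") as f:
                maps_by_pid[pid] = f.read()
        except OSError:
            continue
    return processes_needing_restart(maps_by_pid)


# Constructed sample excerpts (not captured from a real host): the shibd entry still
# maps the replaced libraries; the httpd entry was restarted and maps the new file.
SAMPLE_MAPS: Dict[str, str] = {
    "4242 shibd": (
        "7f1a2c000000-7f1a2c1f0000 r-xp 00000000 08:01 393217 "
        "/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
        "7f1a2c1f0000-7f1a2c3f0000 ---p 001f0000 08:01 393217 "
        "/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
        "7f1a2c400000-7f1a2c500000 r-xp 00000000 08:01 393220 "
        "/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)\n"
        "7f1a2c600000-7f1a2c610000 rw-p 00000000 00:00 0\n"
    ),
    "4301 httpd": (
        "7f3b10000000-7f3b101f0000 r-xp 00000000 08:01 393300 "
        "/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0\n"
        "7f3b10200000-7f3b10210000 r-xp 00000000 08:01 131074 "
        "/lib/x86_64-linux-gnu/libc-2.19.so\n"
    ),
}

if __name__ == "__main__":
    for sample in ("OpenSSL 1.0.1e-fips 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"):
        print(sample, "->", "affected" if is_heartbleed_version(sample) else "not affected")
    for proc, libs in processes_needing_restart(SAMPLE_MAPS).items():
        print(f"{proc}: restart needed, still maps {', '.join(libs)}")
```

The version check answers "is the library fixed?", and the maps check answers "is anyone still running the unfixed copy?"; both are needed, because a package upgrade changes nothing for a daemon that has not been restarted. The check says nothing about whether key material was already exposed before the upgrade, which is why the thread's advice about re-keying still stands independently of it.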
