OpenSSL heartbleed bug / Shibboleth implications

Cantor, Scott cantor.2 at
Tue Apr 8 11:53:54 EDT 2014

On 4/8/14, 11:23 AM, "Nickles, Brent" <bnick001 at> wrote:

>The tool is, however, limited to testing against HTTPS (web) servers. So,
>even though your Web server might be OK, I'm assuming that anything that
>linked against OpenSSL might need to be addressed???  My concern/question
>is should we reinstall shib and/or metadata on SP and the IdP side to be

None of those steps would have any impact. The IdP is in Java, the SP
isn't statically linked to OpenSSL (as Ian noted), and metadata really
doesn't have much to do with this unless you mean pulling in new keys from
people that have already started rolling new ones, and I doubt many have
at this stage.

The bottom line right now is triage: figuring out whether IdP keys are
affected by having been hosted on vulnerable endpoints.

In theory all SP 2.5 keys on Windows are/were at risk and until I get a
patch done, there's not much to be done about it. On other platforms,
getting the OpenSSL version the SP is linked to patched is probably the
top priority.

-- Scott
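Scott's two triage points, that the Unix SP loads OpenSSL dynamically and that patching the library it links to is the priority, can be checked on the SP host with the script below. It is an added example, not code from the thread or from the Shibboleth project; it assumes a Linux/Unix host where the daemon is the `shibd` binary on PATH and `ldd`, `awk` and `grep -a` are available.

```shell
#!/bin/sh
# Added triage helper (not from the Shibboleth project). Assumes a Unix SP
# host with `shibd` on PATH and `ldd`, `awk`, `grep -a` available.

# Normalise "OpenSSL 1.0.1e 11 Feb 2013" or a bare "1.0.1e" to the version
# token and return 0 if it is in the Heartbleed-affected range
# (1.0.1 through 1.0.1f, plus 1.0.2-beta1); anything else returns 1.
heartbleed_affected_version() {
    v=$(printf '%s\n' "$1" | awk '{ v = ($1 == "OpenSSL") ? $2 : $1; print v }')
    case "$v" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `ldd` output on stdin and print the libssl shared object the binary
# resolves to. Exit 1 if there is none (statically linked, or no libssl
# dependency at all).
libssl_from_ldd() {
    awk '$1 ~ /^libssl\.so/ && $2 == "=>" { print $3; found = 1 }
         END { exit found ? 0 : 1 }'
}

# Pull the version banner out of the library file itself rather than trusting
# `openssl version`: the CLI binary and the library shibd loads can differ.
libssl_version_banner() {
    grep -a -o 'OpenSSL [0-9][0-9a-z.-]*' "$1" | head -n 1
}

# Caveat: distributions shipped the Heartbleed fix as a patch to their 1.0.1e
# packages without bumping the version string, so "affected range" here means
# "confirm against the package changelog", not "definitely vulnerable".
check_shibd() {
    bin=$(command -v shibd) || { echo "shibd not on PATH"; return 2; }
    lib=$(ldd "$bin" | libssl_from_ldd) || { echo "shibd does not load libssl"; return 0; }
    banner=$(libssl_version_banner "$lib")
    if heartbleed_affected_version "$banner"; then
        echo "$lib: $banner is in the affected range; verify via package changelog"
        return 1
    fi
    echo "$lib: $banner is outside the affected range"
    return 0
}

if command -v shibd >/dev/null 2>&1; then check_shibd; fi
```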

