OpenSSL heartbleed bug / Shibboleth implications

Rich Graves rgraves at
Tue Apr 8 12:54:37 EDT 2014

If you are using the native SP, which has process/privilege separation from the web server, I would not worry about replacing the SP keys. The vulnerability should only have exposed memory accessible to the httpd process. If you were using something like simpleSAMLphp then there could possibly be some concern. 

I would replace your public-facing SSL keys/certificates if I were you. That's relatively easy. Consider invalidating any especially long-lived cookies. Maybe change internal admin passwords too, if they could have touched httpd processes also reachable by the public. Attack a server that's still vulnerable and see what you can see. 