Heartbleed security implications for Service Providers

Ian Young ian at iay.org.uk
Wed Apr 9 18:01:45 EDT 2014

On 9 Apr 2014, at 21:34, Aaron Scruggs <ascruggs at academicworks.com> wrote:

> Do I need to recompile shibd against a new version of openssl or is simply upgrading openssl on the server good enough?

Unfortunately, the answer to that will depend on how you put your existing deployment together. For the systems we support directly it's normal for the OpenSSL dependency to be dynamically linked, which means that most people don't need to recompile. However, it sounds like you've compiled Shibboleth yourself and in cases like that it's going to depend on how you did that, and perhaps why (by which I mean: which OS are you on which required you to compile it yourself, which web server are you using, did you build that yourself as well, and so on).

> Do I need to rekey any certs?  Some that come to mind are my Signature cert and my CredentialResolver key & cert.

There's a possibility that any or all of those, as well as the browser-facing TLS certificate, are compromised. Without more details, I think we'd have to recommend that you play safe and rekey everything. Don't forget to revoke any CA-issued certificates, too. Many browsers actually do check that stuff these days, despite the FUD one sometimes hears, and it's therefore worth the extra minor effort involved even if it isn't guaranteed to benefit every user.

	-- Ian
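The "do I need to recompile?" question above comes down to three facts a deployer can read off the host: whether the shibd binary resolves libssl/libcrypto dynamically, whether the installed OpenSSL is still a Heartbleed-affected release (1.0.1 through 1.0.1f; 1.0.1g and later are fixed, and 1.0.0 and 0.9.8 were never affected), and whether a long-running process such as shibd or the web server is still mapping the old library after the package was replaced on disk. The script below is an added example, not code from Ian's reply or from the Shibboleth project; the binary path `/usr/sbin/shibd` and the process names it looks for are assumptions, and the sample ldd and `/proc/<pid>/maps` lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread or the Shibboleth project).
# Three post-patch checks for a Heartbleed response on a Shibboleth SP host:
#   1. does shibd resolve libssl/libcrypto dynamically (so a library upgrade is enough)?
#   2. is the installed OpenSSL version still in the affected range?
#   3. is a running process still mapping a replaced (deleted) libssl, i.e. needs a restart?
# Assumption: the SP daemon lives at /usr/sbin/shibd; adjust for your own build.

# $1: text of `ldd <binary>`. Succeeds if libssl/libcrypto are resolved dynamically.
links_openssl_dynamically() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*lib(ssl|crypto)\.so[^ ]* => '
}

# $1: version string from `openssl version` (e.g. "1.0.1e-fips").
# Succeeds for 1.0.1 .. 1.0.1f, the releases affected by Heartbleed.
openssl_version_affected() {
  v=${1%%-*}          # drop a distro/FIPS suffix after the first '-'
  case "$v" in
    1.0.1|1.0.1[a-f]) return 0 ;;
    *) return 1 ;;
  esac
}

# $1: text of /proc/<pid>/maps. Succeeds if the process still maps a libssl/libcrypto
# file that has been replaced on disk, meaning the old code is still executing.
maps_stale_openssl() {
  printf '%s\n' "$1" | grep -Eq 'lib(ssl|crypto)\.so.*\(deleted\)$'
}

# Run the three checks against the live host; all inputs come from the system.
check_host() {
  bin=${1:-/usr/sbin/shibd}
  if links_openssl_dynamically "$(ldd "$bin" 2>/dev/null)"; then
    echo "$bin links OpenSSL dynamically: upgrading the library package is enough"
  else
    echo "$bin does not resolve libssl dynamically: rebuild it against patched OpenSSL"
  fi
  ver=$(openssl version 2>/dev/null | awk '{print $2}')
  if openssl_version_affected "$ver"; then
    echo "OpenSSL $ver is an affected release: upgrade before anything else"
  else
    echo "OpenSSL $ver is outside the affected range"
  fi
  # Process names are assumptions; add whatever fronts your SP (nginx, etc.).
  for pid in $(pidof shibd httpd apache2 2>/dev/null); do
    if maps_stale_openssl "$(cat "/proc/$pid/maps" 2>/dev/null)"; then
      echo "pid $pid still maps the pre-upgrade libssl: restart it"
    fi
  done
}

# Invoke as `sh heartbleed-check.sh --run [/path/to/shibd]` to examine the host.
if [ "${1:-}" = "--run" ]; then
  check_host "${2:-}"
fi
```

A clean version string and a dynamically linked binary are not sufficient on their own: the third check is what catches the common mistake of upgrading the package and forgetting to restart shibd and the web server, which then keep serving with the old code.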
