openssl heartbleed
Hi all,
Our server is running Ubuntu Server 13.10 (we will soon upgrade to
14.04) and PostgreSQL 9.1. We use certificates for all client
authentication on remote connections. The server certificate is
self-signed. In light of the heartbleed bug, should we create a new
server certificate and replace all client certificates? My guess is yes.
Regards,
Gabriel
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
On Wed, Apr 09, 2014 at 11:54:43AM -0400, "Gabriel E. Sánchez Martínez" wrote:
self-signed. In light of the heartbleed bug, should we create a new
server certificate and replace all client certificates? My guess is
yes.
This depends mostly on what version of openssl you were actually
using. If it were me, I'd say yes.
A
--
Andrew Sullivan
ajs@crankycanuck.ca
On 04/09/2014 08:54 AM, "Gabriel E. Sánchez Martínez" wrote:
Hi all,
Our server is running Ubuntu Server 13.10 (we will soon upgrade to
14.04) and PostgreSQL 9.1. We use certificates for all client
authentication on remote connections. The server certificate is
self-signed. In light of the heartbleed bug, should we create a new
server certificate and replace all client certificates? My guess is yes.
The answer is, of course, "it depends." Here's my take:
If your connections are coming from the Internet or other untrusted
sources *and* you are or were running a vulnerable version of OpenSSL
then yes, you should change your keys, certificates and any other
credentials that might have been found at some point in RAM including
passwords/keys used to access the vulnerable server *or* which the
vulnerable server stores and uses to access other systems. Of course
this means that if you have PostgreSQL backing a vulnerable public
webserver then you are at risk.
If you aren't and weren't running a vulnerable version or if the
vulnerable systems were entirely within a trusted network space with no
direct external access then you are probably at low to no risk and need
to evaluate the cost of updates against the low level of risk.
Cheers,
Steve
On Wed, Apr 9, 2014 at 10:54 AM, "Gabriel E. Sánchez Martínez" <gabrielesanchez@gmail.com> wrote:
Hi all,
Our server is running Ubuntu Server 13.10 (we will soon upgrade to 14.04)
and PostgreSQL 9.1. We use certificates for all client authentication on
remote connections. The server certificate is self-signed. In light of
the heartbleed bug, should we create a new server certificate and replace
all client certificates? My guess is yes.
I highly recommend you update your server, revoke the certificates and
regenerate them.
Regards,
--
Cristian Salamea
@ovnicraft
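The steps the replies above describe (check which OpenSSL you were actually running, then replace the server certificate, the client certificates and the CA they chain to, and keep a CRL so an individual client cert can still be pulled later) as one added worked example. This is not code from the thread or from the PostgreSQL project; it assumes the openssl CLI is installed, a PostgreSQL 9.1 layout where server.crt, server.key, root.crt and root.crl live in the data directory (the ssl_*_file settings only arrived in 9.2), and a pg_hba.conf line of the form "hostssl <db> <user> <cidr> cert" so that the client certificate's CN must equal the role name. The hostname db.example.internal, the role appuser, the CA name and the output directory are made up.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# Assumes: openssl CLI; PostgreSQL 9.1, which reads server.crt, server.key,
# root.crt and root.crl from the data directory; client auth via
# "hostssl ... cert" so the client cert CN must equal the role name.
# Hostname, role name, CA name and paths below are invented for the example.
set -eu

# Is an "openssl version" string in the Heartbleed range (upstream 1.0.1..1.0.1f)?
# Returns 0 when it is. Caveat: distributions backport the fix without changing
# this string (Ubuntu 13.10 fixed it in 1.0.1e-3ubuntu1.2, USN-2165-1), so on
# Ubuntu compare "dpkg -s libssl1.0.0" against the advisory rather than trusting
# the version string alone, and restart postgres so it picks up the new library.
heartbleed_version_vulnerable() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *)                return 1 ;;
    esac
}

# Build a fresh CA, server cert, one client cert and an (empty) CRL in $1.
# root.crt, root.crl, server.crt and server.key (mode 0600, owned by postgres)
# go into PGDATA; each client gets root.crt plus its own cert and key
# (~/.postgresql/postgresql.crt and postgresql.key).
rotate_pg_certs() {
    dir=$1
    mkdir -p "$dir/issued"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca       = pg_ca
[ pg_ca ]
database         = $dir/index.txt
new_certs_dir    = $dir/issued
certificate      = $dir/root.crt
private_key      = $dir/root.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_crl_days = 30
policy           = pg_policy
[ pg_policy ]
commonName       = supplied
[ req ]
prompt             = no
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[ v3_client ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    # New CA key and cert. Every old cert stops being trusted the moment this
    # root.crt replaces the old one, which is the "revoke everything" step.
    openssl req -config "$dir/ca.cnf" -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -extensions v3_ca -subj "/CN=pg-ca-2014-04" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    # Server cert; the CN is what clients check with sslmode=verify-full.
    openssl req -config "$dir/ca.cnf" -new -nodes -newkey rsa:2048 \
        -subj "/CN=db.example.internal" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -batch -notext -days 365 -extensions v3_server \
        -in "$dir/server.csr" -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/server.key" "$dir/root.key"
    # Client cert for role "appuser" (CN = role name under auth method "cert").
    openssl req -config "$dir/ca.cnf" -new -nodes -newkey rsa:2048 \
        -subj "/CN=appuser" -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -batch -notext -days 365 -extensions v3_client \
        -in "$dir/client.csr" -out "$dir/client.crt" 2>/dev/null
    # Empty CRL so PGDATA/root.crl exists before the first revocation.
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/root.crl" 2>/dev/null
}

# Revoke one client cert under the new CA and republish root.crl
# (copy it into PGDATA and reload postgres for it to take effect).
revoke_client_cert() {
    dir=$1
    openssl ca -config "$dir/ca.cnf" -revoke "$2" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/root.crl" 2>/dev/null
}

# Would the server accept this cert: does it chain to root.crt and is it
# absent from root.crl? (cert and CRL concatenated into one -CAfile, which
# works on old and new openssl alike.)
cert_accepted() {
    dir=$1
    cat "$dir/root.crt" "$dir/root.crl" > "$dir/verify.pem"
    openssl verify -crl_check -CAfile "$dir/verify.pem" "$2" >/dev/null 2>&1
}

# Usage: sh rotate_pg_certs.sh /path/to/new-pki
if [ "$#" -eq 1 ]; then
    rotate_pg_certs "$1"
fi
```

Note that the version check is deliberately the weak half of the test: on Ubuntu 13.10 the fixed package still reports 1.0.1e, so the package version, not the library banner, decides whether the rotation was needed. The rotation itself does not care which answer you got; a new CA is cheap, and once root.crt in PGDATA and on the clients is replaced, nothing signed by the old CA is accepted regardless of what Heartbleed may have leaked.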
Steve Crawford wrote:
On 04/09/2014 08:54 AM, "Gabriel E. Sánchez Martínez" wrote:
Hi all,
Our server is running Ubuntu Server 13.10 (we will soon upgrade to
14.04) and PostgreSQL 9.1. We use certificates for all client
authentication on remote connections. The server certificate is
self-signed. In light of the heartbleed bug, should we create a new
server certificate and replace all client certificates? My guess is yes.
[...]
If you aren't and weren't running a vulnerable version or if the
vulnerable systems were entirely within a trusted network space with no
direct external access then you are probably at low to no risk and need
to evaluate the cost of updates against the low level of risk.
If you are in a totally trusted environment, why would you use SSL?
Yours,
Laurenz Albe
On 4/10/2014 1:01 AM, Albe Laurenz wrote:
If you are in a totally trusted environment, why would you use SSL?
Belt, and suspenders.
--
john r pierce 37N 122W
somewhere on the middle of the left coast
John R Pierce wrote:
On 4/10/2014 1:01 AM, Albe Laurenz wrote:
If you are in a totally trusted environment, why would you use SSL?
Belt, and suspenders.
I guess what I wanted to say was:
If you are concerned enough to use SSL, you should be concerned enough
to change your certificates.
To continue the suspenders parable, if you are worried enough to wear
suspenders you should replace them if they have been cut in two.
Or take them off - wearing broken suspenders is sillier than wearing none
(SSL costs resources).
Yours,
Laurenz Albe
On 04/10/2014 01:01 AM, Albe Laurenz wrote:
Steve Crawford wrote:
If you aren't and weren't running a vulnerable version or if the
vulnerable systems were entirely within a trusted network space with no
direct external access then you are probably at low to no risk and need
to evaluate the cost of updates against the low level of risk.
If you are in a totally trusted environment, why would you use SSL?
I didn't say *totally* trusted - that doesn't exist. We use secure
connections inside our firewall all the time and sometimes
authentication convenience is as much a driving factor as security.
I didn't suggest someone *avoid* updating keys/certificates - just to
evaluate cost vs. risk as one must always do. But I'd submit that anyone
seriously concerned about this attack being launched from within their
internal network has a whole bunch of higher-priority security problems.
-Steve