Question: given this issue, would anyone recommend switching SSL libraries? What about PolarSSL, for example?

-Stephan

On 04/07/2014 10:41 AM, Phil Pennock wrote:
> If you're running OpenSSL 1.0.1 in any Internet-facing services, then
> you'll want to:
>
> (1) Read the advisories
> (2) Deploy emergency updates (either 1.0.1g or with heartbeats disabled)
> (3) Figure out if you want to do key/cert rotation on assumption of
>     compromise
>
> Short version: length-checking flaw in TLS Heartbeats allows for 64kB of
> memory disclosure, and the researchers have proven that they can use
> this to exfiltrate the certificate's private key, and that this leaves
> no audit log. Affects all releases of OpenSSL 1.0.1 prior to today's
> "g" release.
>
> http://www.openssl.org/news/vulnerabilities.html#2014-0160
> http://heartbleed.com/
>
> -Phil
>
> _______________________________________________
> Tech mailing list
> Tech@lists.lopsa.org
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
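An added illustration of the length check referred to in the quoted summary; it is not part of the thread and not OpenSSL's own code. It validates a heartbeat message as RFC 6520 lays it out (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding); the function name and the sample records are assumptions made up for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HB_HEADER_LEN  3   /* 1-byte type + 2-byte payload_length (RFC 6520) */
#define HB_MIN_PADDING 16  /* minimum padding required by RFC 6520 */
#define HB_REQUEST     1   /* heartbeat_request message type */

/* Hypothetical helper: returns the payload length that may safely be
 * echoed back, or -1 if the message must be silently discarded.
 * rec/rec_len is the heartbeat record body exactly as received. */
long hb_safe_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;                    /* too short to be well-formed */
    if (rec[0] != HB_REQUEST)
        return -1;                    /* only requests are echoed */

    /* The length field is supplied by the peer: never trust it alone. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check: claimed payload plus header and padding must fit
     * inside the bytes that were actually received. */
    if (HB_HEADER_LEN + claimed + HB_MIN_PADDING > rec_len)
        return -1;

    return (long)claimed;
}

/* Constructed sample records (not captured traffic): both are 23 bytes
 * long, but the second one claims a 65535-byte payload. */
static const uint8_t hb_ok[3 + 4 + 16]  = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t hb_bad[3 + 4 + 16] = { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };

int main(void)
{
    printf("consistent length: %ld\n", hb_safe_payload_len(hb_ok, sizeof hb_ok));
    printf("oversized claim:   %ld\n", hb_safe_payload_len(hb_bad, sizeof hb_bad));
    return 0;
}
```

The same comparison works as a detection rule on decrypted traffic: a heartbeat request whose claimed payload length exceeds the record it arrived in is never legitimate.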