From: Matthew Seaman
Date: Tue, 08 Apr 2014 19:07:45 +0100
To: freebsd-questions@freebsd.org
Subject: Re: OpenSSL TLS Heartbeat Security Issue
Message-ID: <53443AF1.2070404@FreeBSD.org>
In-Reply-To: <20140408172645.58B38165B369@sulu.fritz.box>

On 08/04/2014 18:26, Michael Grimm wrote:
> Does one need to recompile all ports that depend on that openssl port?
> Or, would it be sufficient to restart all relevant server processes
> after upgrading to 1.0.1_10?

You need to install the patched library and restart all the software
that uses it for TLS, *and* *then* (depending on degree of paranoia) get
all of your SSL certs re-issued against a different private key. Your
CA may or may not charge you for doing that.

In principle you could have a statically linked copy of nginx or slapd
or whatever that would need recompiling, but in practice that would be a
pretty bizarre thing to have on a normal server or desktop machine.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
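
Added example (not part of the message above, and not FreeBSD project code): one way to find the running processes that have libssl mapped, so that each can be restarted after the patched library is installed. It filters `procstat -av` output; the sample lines, PIDs and library paths below are constructed for illustration, and the column layout of the sample is an assumption about what your procstat prints.

```shell
#!/bin/sh
# Filter for `procstat -av` output: find processes that have libssl mapped.

# Print "PID PATH" once for every process/libssl pair found on stdin.
# Only lines whose first field is a PID and whose last field is a
# libssl shared object are considered; header and anonymous mappings drop out.
libssl_mappings() {
    awk '$1 ~ /^[0-9]+$/ && $NF ~ /\/libssl\.so(\.[0-9]+)*$/ { print $1, $NF }' |
        sort -u
}

# Print the affected PIDs on one line, space separated, in numeric order.
libssl_pids() {
    libssl_mappings | awk '{ print $1 }' | sort -un |
        awk '{ printf "%s%s", sep, $1; sep = " " } END { if (NR) print "" }'
}

# Constructed sample of `procstat -av` output (not captured from a real host).
sample_procstat() {
cat <<'EOF'
  PID              START                END PRT  RES PRES REF SHD FLAG  TP PATH
  612           0x400000           0x4a1000 r-x  120  130   2   1 CN--  vn /usr/local/sbin/nginx
  612        0x800a00000        0x800a5e000 r-x   60   70  14   7 CN--  vn /usr/local/lib/libssl.so.8
  612        0x800a5e000        0x800c5d000 ---    0    0   0   0 ----  --
  845           0x400000           0x520000 r-x  200  210   1   0 CN--  vn /usr/local/libexec/slapd
  845        0x800b00000        0x800b5e000 r-x   60   70  14   7 CN--  vn /usr/local/lib/libssl.so.8
  845        0x800d5d000        0x800d67000 rw-   10    0   1   0 C---  vn /usr/local/lib/libssl.so.8
  901           0x400000           0x40c000 r-x   12   13   1   0 CN--  vn /bin/sh
EOF
}

# Demonstration on the constructed sample.
# On a live host, run as root:  procstat -av | libssl_mappings
sample_procstat | libssl_mappings
```

A statically linked binary has no libssl mapping and will not appear in this list, which is the case the message says would need recompiling rather than a restart.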