tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: [OT] HeartBleed bug
Date Wed, 09 Apr 2014 12:12:22 GMT
Ognjen Blagojevic wrote:
> André,
> 
> On 9.4.2014 9:49, André Warnier wrote:
>> I wonder if I may ask this list-OT question to the SSH experts on the
>> list :
>>
>> I run some 25 webservers (Apache httpd-only, Tomcat-only, or Apache
>> httpd + Tomcat).
>> I do not use HTTPS on any of them.
>> But I use SSH (OpenSSH) to connect to them over the Internet for support
>> purposes, with "authorized_keys" on the servers.
>> Are my servers affected by this bug ?
>> Or is this (mainly) an HTTPS-related affair ?
>>
>> I mean : I will update OpenSSH on all my servers anyway.  But do I have
>> to consider that, with a non-negligible probability, the keys stored on
>> my servers are already compromised ?
> 
> This is OpenSSL 1.0.1--1.0.1f vulnerability, so any protocol using 
> OpenSSL implementation of TLS/SSL protocol (if OpenSSL library version 
> is in mentioned range) is vulnerable, like: STARTTLS extension for 
> protocols like SMTP, POP, IMAP, XMPP, FTP, LDAP, NNTP, and also other 
> protocols which use TLS/SSL like SSL VPN, and HTTPS.
> 
> SSH protocol does not use TLS/SSL, so it is not vulnerable to Heartbleed 
> bug.
> 
> -Ognjen
> 

Thanks for clarifying for this SSH/SSL near-dummy.
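
The version range given in the reply above (OpenSSL 1.0.1 through 1.0.1f) can be checked per host from the output of `openssl version`. The following is an added example, not part of the original thread; the function names, host names and inventory lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify "openssl version" output against the range
# named in the thread (OpenSSL 1.0.1 through 1.0.1f).
# Assumption: the string is upstream's. Distribution packages can carry a
# backported fix under an unchanged version string, so confirm an
# "affected" result against the package changelog.

# Prints "affected", "not-affected" or "unknown" for one version line,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013".
heartbleed_status() {
    # The second field is the version token ("1.0.1e", "1.0.1e-fips", ...).
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    ver=${ver%%-*}                      # drop suffixes such as "-fips"
    case "$ver" in
        1.0.1|1.0.1[a-f])     echo affected ;;
        [0-9]*.[0-9]*.[0-9]*) echo not-affected ;;
        *)                    echo unknown ;;
    esac
}

# Reads "host|version line" records on stdin, prints the affected hosts.
affected_hosts() {
    while IFS='|' read -r host line; do
        [ "$(heartbleed_status "$line")" = affected ] && echo "$host"
    done
    return 0
}

# Constructed inventory, as might be collected by running
# "openssl version" on each server.
sample_inventory() {
    printf '%s\n' \
        'web01|OpenSSL 1.0.1e 11 Feb 2013' \
        'web02|OpenSSL 0.9.8y 5 Feb 2013' \
        'web03|OpenSSL 1.0.1g 7 Apr 2014' \
        'web04|OpenSSL 1.0.1 14 Mar 2012'
}

sample_inventory | affected_hosts
```

A host in the affected range is only exposed if some service on it actually speaks TLS/SSL through that library, which is the distinction the reply draws for SSH.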
