Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
heartbleed wrt home computers
View unanswered posts
View posts from last 24 hours

Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
nordic bro

Joined: 25 Oct 2003
Posts: 583

PostPosted: Sat Apr 19, 2014 6:49 pm    Post subject: heartbleed wrt home computers Reply with quote

I have no server capability or have the outside world logging into my machine. the only ssl things I have are postfix, stunnel, fetchmail and others that show up w/'equery d' (openconnect, vbox, cups, wget, etc.).

I've read the announcement(s) here and have been poking through other posts trying to figure a couple things out. I had openssl 1.0.1c and upgraded to 1.0.1g and what I'm wondering is:

1a) things like stunnel/postfix where I'd previously generated a *.pem myself I imagine I need to redo those after the openssl upgrade?

1b) both my /etc/stunnel and /etc/ssl/certs/postfix originally have not only the *.pem I created but *csr/crt/key files - do I need those files and/or need to regenerate them somehow?

2. I noticed /etc/ssl/certs looks to have the apps-misc/ca-certificates pkg linked there (ca-certificates-20130119) - do I need to re-emerge ca-certificates or get an updated version of it to emerge?

right now in /etc/ssl/certs I have a mixture of oct. 19, 2013 links to /usr/share/certificates/* for things like "GeoTrust_Universal_CA_2.pem" which I imagine are from when I first set up this machine.

then the 1.0.1g update (re)linked that/those to things like "2c543cd1.0" (new timestamps as of the openssl emerge).

so basically afaict all the /etc/ssl/certs items are old but don't know if that matters on a home computer? or /etc/ssl/certs isn't a part of the heartbleed prob?
Back to top
View user's profile Send private message

Joined: 01 Jul 2004
Posts: 7585
Location: almost Mile High in the USA

PostPosted: Sat Apr 19, 2014 7:30 pm    Post subject: Reply with quote

AFAIK, if you don't have services open and you trust the other end of the secure link (as in, someone won't compromise the "other" machine or MITM it) you don't have to worry about your private keys on your machine. What the worry is if the other machine was compromised and re-programmed to try to extract your private key - which is highly unlikely. The worrysome machines are the servers where they have been exposed to the network for extended periods of time.

For me, I run Apache as well as OpenVPN, both using OpenSSL and exposed to the network - and both very well could have leaked private keys. However I'm going to take the lazy route because of the annoyance of having to invalidate old keys despite the security risk involved. But I will have to carefully watch packet transfers...

To be completely safe, go ahead and regenerate your private keys and have them re-signed, but more likely than not, you don't have much to worry about.

And of course if you have to depend on the other machine, you should change your password on the *other* machine you connect to...
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum