On 09.04.2014 19:18, Robert Schetterer wrote:
On 09.04.2014 19:10, Reindl Harald wrote:
On 09.04.2014 19:03, Robert Schetterer wrote:
On 09.04.2014 18:42, Charles Marcus wrote:
What are the ramifications of changing this on a production server? Any possible problems/gotchas? user impact?
in my understanding change ssl key and crts, do all needed ssl updates keep performance mode, if unsure change all passwords too
passwords too, in security mode only keys would have been affected and since this is an attack which no single indication that it ever happened on a machine there is no likely or unlikely
there should be no issue if you haven't used a vulnerable openssl version, i.e. ubuntu lucid has 0.9.x which is not reported vulnerable anyway, change passwords from time to time is always clever
if you haven't used a vulnerable openssl you are not affected at all - if you used one then private keys and certs are not your only problem, there are enough articles in the meantime explaining why
"change passwords from time to time is always clever" is a strawman argument with no context to the issue, forcing people to change their passwords all the time for no good reason leads mostly to completely insecure passwords to remember them easier or have them on a sticky on the screen or under the keyboard
the word "counterproductive" describes those policies perfectly