[openstack-dev] heartbleed

Thierry Carrez thierry at openstack.org
Wed Apr 9 10:29:48 UTC 2014


Aryeh Friedman wrote:
> What components (if any) are vulnerable to Heartbleed?

OpenStack in itself is not vulnerable to Heartbleed; however, OpenStack
makes use of the host SSL library (libssl) and that one should be
properly patched.

If you have a production deployment of OpenStack, you should consider
the SSL private keys for your SSL endpoints potentially compromised and
revoke / renew them (primary key material).

Once you've done that, you should warn your users that passwords and
tokens used over that previously-flawed secure connection could have
been compromised and encourage them to change their own passwords and
expire existing tokens (secondary key material).

Regards,

-- 
Thierry Carrez (ttx)


