
I have updated OpenSSL to remedy the Heartbleed bug, but again, if I generate a CSR with the affected OpenSSL version and install it on the fixed version, will this cause any issue?

NPC
  • Is the machine with the vulnerability connected to any networks? – jball Apr 17 '14 at 17:45
  • @jball information from the affected server can't be leaked to open internet, but I am generating CSR for servers open to internet. – NPC Apr 17 '14 at 17:57

1 Answer

If the machine with the vulnerability generating the CSR is connected to any networks, it is an issue.

Heartbleed allows a machine to leak information silently through the TLS heartbeat functionality. Any information that has been in memory on that machine could have been obtained by someone if it's on the network. The CSR itself is no different than one generated on a non-vulnerable machine; it's just that the private key may have been leaked (and you should assume as much).

jball
  • If you're positive that the CSR generator server could not be accessed by any suspect or compromised clients, then it's safe. I'd be wary of that assumption, though. What you're generating the CSR for doesn't matter; the only issue is the exposure of the private information. – jball Apr 17 '14 at 17:59
  • Thanks a lot for the information and the quick response :-) – NPC Apr 17 '14 at 18:02
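As an added example that is not part of the thread, the following POSIX shell helper acts on the answer's point: the key made on the vulnerable host is treated as exposed, a fresh key and CSR are generated on the patched host, and the CSR is checked against the new key before it goes to the CA. It assumes `openssl` is in PATH; the file names and CN in the demo section are placeholders, and the version hint is only a hint because distributions backported the fix without changing the version string.

```shell
#!/bin/sh
# Added example, not from the original thread: treat the key generated on the vulnerable
# host as exposed, generate a fresh key and CSR on the patched host, and confirm the CSR
# really belongs to the new key before sending it to the CA.
# Assumes openssl is in PATH; paths and the CN in the demo section are placeholders.
set -eu

# Heartbleed affected OpenSSL 1.0.1 through 1.0.1f; 1.0.1g and later carry the fix.
# Caveat: distributions backported the fix without bumping the version (a patched 1.0.1e
# is common), so this is only a hint; confirm with the package changelog.
heartbleed_version_hint() {
    case "$1" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) echo "possibly-affected" ;;
        *) echo "not-affected-by-version" ;;
    esac
}

# Generate a brand-new RSA key and a CSR for it in one step; never reuse the old key.
regenerate_csr() {
    key="$1"; csr="$2"; cn="$3"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
        -subj "/CN=$cn" >/dev/null 2>&1
    chmod 600 "$key"
}

# The CSR embeds the public key. Compare the SHA-256 of the DER-encoded public key derived
# from the private key with the one extracted from the CSR; a mismatch means the CSR was
# made from some other key (for example the old one) and must not be submitted.
csr_matches_key() {
    key="$1"; csr="$2"
    kh=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    ch=$(openssl req -in "$csr" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$kh" = "$ch" ]
}

# Demo: sh rotate.sh rotate   (rotate.sh is a placeholder file name)
if [ "${1:-}" = "rotate" ]; then
    ver=$(openssl version | awk '{print $2}')
    echo "openssl $ver: $(heartbleed_version_hint "$ver")"
    regenerate_csr ./server.key ./server.csr www.example.com
    csr_matches_key ./server.key ./server.csr && echo "CSR matches the new key; safe to submit"
fi
```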