Check OpenSSL for Heartbleed when hosting K2 on Linux

None of the K2 components require a patch as a result of the Heartbleed bug. However, if you are hosting KeyServer or KeyReporter on Linux, you should make sure that the OS is not using an affected version of OpenSSL.

On Windows, whenever K2 components need to use SSL, the native libraries (not OpenSSL) are used. On Macintosh, secure communication is handled using OpenSSL, but the versions of OpenSSL included with Mac OS have never been susceptible to the Heartbleed attack.

If KeyServer or KeyReporter is hosted on Linux, it will use the version of OpenSSL that is installed, but will prefer versions 0.9.8 and 0.9.7 if those are available (these versions do not have the Heartbleed vulnerability). If your version of Linux has a vulnerable version of OpenSSL installed, you should of course apply the Heartbleed bug fix as soon as possible. There is no need to upgrade or change any of the K2 components.
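
One way to run the check described above on a Linux host, as an added example that is not part of the original article or of K2. The function name and output labels are hypothetical, and the affected range used (OpenSSL 1.0.1 through 1.0.1f, plus 1.0.2-beta1) comes from the upstream OpenSSL advisory rather than from this page.

```shell
#!/bin/sh
# Added example (not K2 code): classify an `openssl version` banner against
# the Heartbleed range. Assumption: the range is the upstream one,
# 1.0.1 through 1.0.1f plus 1.0.2-beta1; it is not stated on the page.
# Prints one of: affected-range | not-affected | unknown
classify_openssl_banner() {
    name=${1%% *}          # first word, e.g. "OpenSSL"
    rest=${1#* }
    ver=${rest%% *}        # second word, e.g. "1.0.1e-fips"
    [ "$name" = "OpenSSL" ] || { echo unknown; return 0; }
    [ "$ver" = "1.0.2-beta1" ] && { echo affected-range; return 0; }
    base=${ver%%-*}        # drop build suffixes such as "-fips"
    case "$base" in
        1.0.1|1.0.1[a-f])                          echo affected-range ;;
        0.9.*|1.0.0*|1.0.1[g-z]|1.0.2*|1.1.*|3.*)  echo not-affected ;;
        *)                                         echo unknown ;;
    esac
}

check_host() {
    if command -v openssl >/dev/null 2>&1; then
        banner=$(openssl version 2>/dev/null) || banner=""
        echo "$banner => $(classify_openssl_banner "$banner")"
    else
        echo "openssl command not found on PATH"
    fi
    # The article says K2 prefers 0.9.8 / 0.9.7 when present, so list every
    # libssl the dynamic linker knows about, not only the CLI's version.
    if command -v ldconfig >/dev/null 2>&1; then
        ldconfig -p 2>/dev/null | grep 'libssl\.so' || true
    fi
    return 0
}

# "affected-range" is a statement about the upstream version string only:
# distributions backport the fix without changing it, so confirm against
# the distribution's package changelog before concluding the host is exposed.
check_host
```

A result of `unknown` (for example a LibreSSL banner or an unrecognised version string) means the script could not decide and the library should be checked by hand.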
