New SSL keys for new OpenSSL version?
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello Tor! I run an internal Tor relay on Debian Wheezy. Today the OpenSSL version was updated to 1.0.1e-2+deb7u11 . Do I need to delete the old SSL keys like after the Heartbleed bug? Thanks and best regards Anton - -- no.thing_to-hide at cryptopathie dot eu 0x30C3CDF0, RSA 2048, 24 Mar 2014 0FF8 A811 8857 1B7E 195B 649E CC26 E1A5 30C3 CDF0 Bitmessage (no metadata): BM-2cXixKZaqzJmTfz6ojiyLzmKg2JbzDnApC -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJTn1hxAAoJEMwm4aUww83weJAH/jYHtjrhrFrGnVdjrKPlN/TR w9NZcvRd0GrNDbZGGwemVam+OmFdHTDEeWZ73fgb/DvrGT8Iej8hD09/vD37xn9p GYhLabsKW06j8oRz7fiVDlWVOWND8QHW+UImnwKcIlvgp9a2EaSyBGVshIGppqMW wGgc8ZhoXvo5fAe/M630PHi6e/oGDJZIilSTIDmttV8M9cTEmsxah64oHZiJqVqc ierCAlAlsbkYH7fs7/QgJw0QolnhtcIZ5ALgijT+Z4EGH5oJBFnA20lvni1qLp1T O/RUTuF8qLAUWFBLgrF1Ng5zDlyPEaVUK5SO1pM6dzvDwvSWOlrapmfCd3b07DI= =OslV -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 6/16/2014 11:49 PM, no.thing_to-hide@cryptopathie.eu wrote:
No, you do not need to delete the keys and you SHOULD NOT delete those keys if not in an extreme situation. The latest OpenSSL vulnerability was not that bad, it had a different attack vector and an attacker could not have possibly gain your onion keys, unlike in heartbleed, where an attacker could read data out of your memory and theoretically compromise your onion keys. It's a good thing you changed keys after heartbleed, but the latest vulnerability did not have such impact so you should not do the same, otherwise you will lose your current identity (relay), flags and all history associated with it in the consensus. Tor-relay mail list (subscribe if you are not subscribed) will always tell you what you need to do, in such events. If you need to throw away onion keys and generate new keys for an existing relay, you will be clearly notified about it, if not, it means they were not affected. In the latest OpenSSL bug you only needed to update OpenSSL, that's all. - -- s7r PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11 PGP Pubkey: http://www.sky-ip.org/s7r@sky-ip.org.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (MingW32) iQEcBAEBAgAGBQJTn17aAAoJEIN/pSyBJlsRKe8H/3RaRM2qS8VwpRgkwUmwI8l/ UT5hfDmCqAeyNRdBkLo46Xe32MD/qyBQg7F8U5iLO3cPHDIm1zejHzeR04rAV6T5 f8mQdx3BAotTwgVQnPAAMYbuF9MKGf2SeeKkio9M7/Udbg89t+had+FFx57j07H2 lpDKRQo8ot2lnlDe1VRlcF0hojcyddq2b7ny3hRf/I4dgT4eU2uvbFo9mXMkJYab eNgpTge8ZguM+gGIJEYo/jA/rf2Z5e3xrdevKqjxWY0waRphXQ3Lhb06u0lG6I/w kUM/yRC8AdVo3GbGqHAA6NiI3JHrEabxHxumsZmtircq9nYazRQszIbVhJc0x90= =Z53i -----END PGP SIGNATURE-----
participants (2)
-
no.thing_to-hide@cryptopathie.eu -
s7r@sky-ip.org