[tor-relays] New SSL keys for new OpenSSL version?

s7r at sky-ip.org s7r at sky-ip.org
Mon Jun 16 21:17:14 UTC 2014

On 6/16/2014 11:49 PM, no.thing_to-hide at cryptopathie.eu wrote:
> Hello Tor!
> I run an internal Tor relay on Debian Wheezy. Today the OpenSSL 
> version was updated to 1.0.1e-2+deb7u11 . Do I need to delete the
> old SSL keys like after the Heartbleed bug?
> Thanks and best regards
> Anton

No, you do not need to delete the keys and you SHOULD NOT delete those
keys if not in an extreme situation.

The latest OpenSSL vulnerability was not that bad; it had a different
attack vector and an attacker could not possibly have gained your onion
keys, unlike in Heartbleed, where an attacker could read data out of
your memory and theoretically compromise your onion keys.

It's a good thing you changed keys after Heartbleed, but the latest
vulnerability did not have such impact so you should not do the same,
otherwise you will lose your current identity (relay), flags and all
history associated with it in the consensus.

Tor-relay mail list (subscribe if you are not subscribed) will always
tell you what you need to do in such events. If you need to throw
away onion keys and generate new keys for an existing relay, you will
be clearly notified about it; if not, it means they were not affected.

In the latest OpenSSL bug you only needed to update OpenSSL, that's all.

-- 
PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11
PGP Pubkey: http://www.sky-ip.org/s7r@sky-ip.org.asc