[tor-relays] New SSL keys for new OpenSSL version?

s7r at sky-ip.org s7r at sky-ip.org
Mon Jun 16 21:17:14 UTC 2014


On 6/16/2014 11:49 PM, no.thing_to-hide at cryptopathie.eu wrote:
> Hello Tor!
> 
> I run an internal Tor relay on Debian Wheezy. Today the OpenSSL 
> version was updated to 1.0.1e-2+deb7u11. Do I need to delete the
> old SSL keys like after the Heartbleed bug?
> 
> Thanks and best regards
> 
> Anton

No, you do not need to delete the keys and you SHOULD NOT delete those
keys unless you are in an extreme situation.

The latest OpenSSL vulnerability was not that bad; it had a different
attack vector and an attacker could not possibly have gained your onion
keys, unlike in Heartbleed, where an attacker could read data out of
your memory and theoretically compromise your onion keys.

It's a good thing you changed keys after Heartbleed, but the latest
vulnerability did not have such impact so you should not do the same,
otherwise you will lose your current identity (relay), flags and all
history associated with it in the consensus.

The tor-relays mailing list (subscribe if you are not subscribed) will
always tell you what you need to do in such events. If you need to throw
away onion keys and generate new keys for an existing relay, you will
be clearly notified about it; if not, it means they were not affected.

In the latest OpenSSL bug you only needed to update OpenSSL, that's all.



-- 
s7r
PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11
PGP Pubkey: http://www.sky-ip.org/s7r@sky-ip.org.asc