From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones
Date: Thu, 17 Apr 2014 07:10:30 +0100

On Wednesday 16 Apr 2014 18:56:57 Tanstaafl wrote:
> On 4/16/2014 7:14 AM, Matti Nykyri wrote:
> > On Apr 16, 2014, at 13:52, Tanstaafl wrote:
> >> Or will simply replacing my self-signed certs with the new real ones be
> >> good enough?
> >
> > No it will not. Keys are the ones that have been compromised. You need
> > to create new keys. With those keys you need to create certificate
> > request. Then you send that request to certificate authority for
> > signing and publishing in their crl. When you receive the signed
> > certificate you can start using it with your key. Never send your key
> > to CA or expect to get a key from them.
>
> Ok, thanks...
>
> But...
> if I do this (create a new key-pair and CR), will this
> immediately invalidate my old ones (ie, will my current production
> server stop working until I get the new certs installed)?

You have not explained your PKI set up. Creating a new private key and CSR is
just another private key and CSR.

If you replace either the private CA key on the server, or any of its
certificates chain, but leave the path in your vhosts pointing to the old
key/certificate that no longer exist you will of course break the server.
Apache will refuse to restart and warn you about borked paths.

> I'm guessing not (or else there would be a lot of downtime for lots of
> sites involved) - but I've only ever done this once (created the
> key-pair, CR and self-signed keys) a long time ago, so want to make sure
> I don't shoot myself in the foot...

Yes, better be safe with production machines. However, don't take too long
because your private key(s) are potentially already compromised.

> I have created new self-signed certs a couple of times since creating
> the original key-pair+CR, but never created a new key-pair/CR...
>
> > There are also other algorithms than RSA. And also if you want to get
> > PFS you will need to consider your setup, certificate and security
> > model.
>
> What is PFS?

http://en.wikipedia.org/wiki/Forward_secrecy

I'm no mathematical genius to understand cryptography at anything more than a
superficial level, but I thought that ECDS, that PFS for TLS depends on, was
compromised from inception by the NSA? Perhaps only some ECDS were, I am not
really sure.

I remember reading somewhere (was it Schneier?) that RSA is probably a better
bet these days. I'd also appreciate some views from the better informed
members of the list because there's a lot of FUD and tin hats flying around in
the post Snowden era.
--
Regards,
Mick
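
The rotation discussed in this thread (new key, new CSR, old pair left in place until the new certificate is ready), as an added example that is not part of the original message. The DIR/CN.key, DIR/CN.csr, DIR/CN.crt layout and all function names are assumptions.

```shell
#!/bin/sh
# Added example: stage a replacement key pair beside the live one.
# Assumed: file layout DIR/CN.key, DIR/CN.csr, DIR/CN.crt and all function names.

# pubkey_of FILE: print the public key carried by a key, CSR or certificate.
pubkey_of() {
    case "$1" in
        *.key) openssl pkey -in "$1" -pubout ;;
        *.csr) openssl req -in "$1" -noout -pubkey ;;
        *.crt) openssl x509 -in "$1" -noout -pubkey ;;
        *) return 2 ;;
    esac
}

# same_key A B: succeed only if both files carry the same public key.
same_key() {
    a=$(pubkey_of "$1" 2>/dev/null) || return 1
    b=$(pubkey_of "$2" 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# stage_new_pair DIR CN: fresh private key and CSR in DIR. The live key and
# certificate are not touched, so the running server keeps working.
stage_new_pair() {
    mkdir -p "$1" || return 1
    ( umask 077 && openssl genrsa -out "$1/$2.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
}

# self_sign DIR CN: the self-signed case. With a CA, send only DIR/CN.csr
# and save the certificate that comes back as DIR/CN.crt instead.
self_sign() {
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 365 \
        -out "$1/$2.crt" 2>/dev/null
}

# ready_to_switch DIR CN: both files the vhost will point at exist and the
# certificate was issued for this key; check before editing any vhost path.
ready_to_switch() {
    [ -s "$1/$2.key" ] && [ -s "$1/$2.crt" ] && same_key "$1/$2.key" "$1/$2.crt"
}

# Usage: sh rotate.sh DIR CN   (no arguments: only defines the functions)
if [ $# -eq 2 ]; then
    stage_new_pair "$1" "$2" && echo "CSR ready: $1/$2.csr"
fi
```

Once ready_to_switch succeeds, the vhost's SSLCertificateFile and SSLCertificateKeyFile can be pointed at the new files, with apachectl configtest run before the restart.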