
As you may already know, old OpenSSL versions (OpenSSL 1.0.1 through 1.0.1f, inclusive) were vulnerable to the Heartbleed vulnerability. Currently our server is running Tomcat 7, which is built with a vulnerable OpenSSL, so we upgraded to Tomcat 8, but we didn't regenerate the SSL certificates.

So my question is: I wonder whether we should regenerate the SSL certificates with the newly installed OpenSSL version, to avoid the Heartbleed vulnerability and maybe performance issues with Tomcat?

Sadmi
    Possible duplicate of [Does Heartbleed mean new certificates for every SSL server?](https://security.stackexchange.com/questions/55075/does-heartbleed-mean-new-certificates-for-every-ssl-server) – Jules Lamur Nov 12 '19 at 10:48

1 Answer


Heartbleed is a vulnerability in the OpenSSL library, specifically how it handles the Heartbeat Extension. It is completely unrelated to certificate generation. A certificate can't be vulnerable to Heartbleed, only the OpenSSL library version.

That said, if your certificate and its associated private key were deployed on a server that had a Heartbleed-vulnerable OpenSSL version deployed, it may be possible that your private key got leaked. In this case, I would recommend the following steps:

  1. Revoke the certificate. This shows that you can no longer be reasonably certain that your private key is actually private.
  2. Generate a new private key and certificate. Take this chance to ensure that the parameters you picked for the certificate are up-to-date as well.
  • Thank you for your precise response, that's what I was looking to know (is Heartbleed related to the generated certificates or just the OpenSSL package); as our application is only available in our intranet, I don't think it's necessary to regenerate the certificates. – Sadmi Nov 12 '19 at 12:12
  • @Sadmi Heartbleed allows an attacker to read arbitrary RAM contents, such as private keys, passwords, etc. Please see the answer linked in the comment. Whether you need to re-generate a certificate depends on how bad it would be for an attacker to be able to have your private key and possibly decrypt communication. Revoking and generating a certificate usually doesn't take that much time. –  Nov 12 '19 at 12:15
  • I already read the link, yes I agree that there is always a risk that confidential content may already have been leaked. – Sadmi Nov 12 '19 at 12:23
  • @Sadmi Correct. As such, re-using a private key that reasonably *may* have been leaked is a risk that you need to deal with. You have to decide whether revoking and re-generating a new certificate is better than having a possibly leaked private key. –  Nov 12 '19 at 12:25
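The two steps the answer gives (revoke, then generate a new key and certificate) turned into a small triage-and-rekey script, as an added example that is not part of the original question or answer. It assumes the version range quoted in the question, a POSIX shell with the `openssl` CLI available, and hypothetical function names (`parse_openssl_version`, `is_heartbleed_vulnerable`, `rekey_cert`); revocation itself is done at the CA and is not scripted. The sample version strings are constructed.

```shell
#!/bin/sh
# Added example (not the question's or the answer's own code): check whether
# the local OpenSSL is in the Heartbleed range the question cites, then do
# the answer's step 2 (fresh private key + CSR) so the old key is retired.

# Extract the bare version token from `openssl version` output,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e".
parse_openssl_version() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# Return 0 (true) when the version falls in OpenSSL 1.0.1 through 1.0.1f
# inclusive. 1.0.1g and later are fixed; 1.0.0 and 0.9.8 never had the
# heartbeat extension. Caveat: some distributions backport the fix without
# bumping the version (a patched build may still print 1.0.1e), so treat a
# match as "investigate the package changelog", not as proof.
is_heartbleed_vulnerable() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Generate a new RSA private key and CSR for CN $1 under directory $2.
# The CSR is what you submit to your CA after revoking the old certificate;
# the old key file should not be reused anywhere.
rekey_cert() {
    cn="$1"; out="$2"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    mkdir -p "$out" || return 2
    # umask 077 keeps the new key readable by the owner only.
    (umask 077 && openssl genrsa -out "$out/server.key" 2048 2>/dev/null) || return 3
    openssl req -new -key "$out/server.key" -out "$out/server.csr" \
        -subj "/CN=$cn" 2>/dev/null || return 4
    return 0
}

# Stand-alone run: check the library installed on this host and advise.
if command -v openssl >/dev/null 2>&1; then
    v=$(parse_openssl_version "$(openssl version)")
    if is_heartbleed_vulnerable "$v"; then
        echo "OpenSSL $v is in the Heartbleed range: revoke, then run rekey_cert"
    else
        echo "OpenSSL $v is outside the Heartbleed range"
    fi
fi
```

The version check only tells you about the library; whether that library was ever reachable from the network depends on which Tomcat connector was in use (Tomcat's APR/native connector links OpenSSL, the pure-Java JSSE connector does not). Either way, the answer's point stands: if the key lived on a host that ran the vulnerable library, the cheap move is to revoke and re-key rather than reason about whether anyone read that memory.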