...

Warning: The Heartbleed Bug

A serious vulnerability has been found to affect many Internet hosts. The Heartbleed Bug, announced publicly on April 7, 2014, affects certain versions of OpenSSL in circulation since 2012.

...

The following InCommon server, which serves a single HTML resource, was found to be running a vulnerable version of OpenSSL:

...

The above server was patched, its TLS certificate was revoked, and a new TLS key and certificate were installed. The content on that server was reviewed and found to be intact. These steps restored the integrity of the HTML resource (i.e., the fingerprints of the metadata signing certificate).

Recommendations for Deployers

...

  1. Patch the affected version of OpenSSL
    1. Follow the OS vendor's instructions to upgrade OpenSSL to the latest version
  2. Revoke your browser-facing TLS certificate
    1. Configure the system with a new trusted TLS key and certificate
  3. Revoke your SAML certificate in metadata
    1. Migrate a new certificate into metadata

...

When all but step 3 above have been completed, follow these additional steps to migrate a new certificate into metadata:

...
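As an added illustration of the add-then-remove certificate rollover behind step 3 (this is example code, not InCommon's own tooling or procedure), the following Python uses only the standard library to publish a new certificate in a SAML EntityDescriptor alongside the old one and, once the migration window has passed, to withdraw the old one. The entity ID, endpoint and certificate bodies are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed sample EntityDescriptor (not a real InCommon entity); the
# certificate bodies are placeholders standing in for base64 DER.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>OLD_CERT_PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.org/idp/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def _roles(root):
    return root.findall("md:IDPSSODescriptor", NS) + root.findall("md:SPSSODescriptor", NS)

def certificates(xml_text):
    """All X509Certificate values currently published, in document order."""
    return [c.text.strip() for c in ET.fromstring(xml_text).findall(".//ds:X509Certificate", NS)]

def add_certificate(xml_text, new_cert_b64):
    """Rollover phase 1: publish the new certificate alongside the old one so
    relying parties pick it up before the compromised one is withdrawn."""
    root = ET.fromstring(xml_text)
    for role in _roles(root):
        if new_cert_b64 in [c.text.strip() for c in role.findall(".//ds:X509Certificate", NS)]:
            continue  # already present; keep the operation idempotent
        kds = role.findall("md:KeyDescriptor", NS)
        # schema order puts KeyDescriptor before the endpoint elements, so
        # insert directly after the last existing KeyDescriptor
        idx = list(role).index(kds[-1]) + 1 if kds else 0
        kd = ET.Element(f"{{{NS['md']}}}KeyDescriptor")
        x509 = ET.SubElement(ET.SubElement(kd, f"{{{NS['ds']}}}KeyInfo"), f"{{{NS['ds']}}}X509Data")
        ET.SubElement(x509, f"{{{NS['ds']}}}X509Certificate").text = new_cert_b64
        role.insert(idx, kd)
    return ET.tostring(root, encoding="unicode")

def remove_certificate(xml_text, old_cert_b64):
    """Rollover phase 2: after the migration window, drop every KeyDescriptor
    that carries only the old certificate. Refuses to leave a role with no key."""
    root = ET.fromstring(xml_text)
    for role in _roles(root):
        for kd in role.findall("md:KeyDescriptor", NS):
            certs = [c.text.strip() for c in kd.findall(".//ds:X509Certificate", NS)]
            if certs and set(certs) == {old_cert_b64}:
                if len(role.findall("md:KeyDescriptor", NS)) == 1:
                    raise ValueError("refusing to remove the only KeyDescriptor")
                role.remove(kd)
    return ET.tostring(root, encoding="unicode")
```

Run `add_certificate` first and publish the result; only after relying parties have refreshed their copy of the metadata should `remove_certificate` be run against the compromised certificate.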