Does the heartbleed bug necessitate new SSH private keys? [closed]

https://stackoverflow.com/questions/23101412

04-07-2023
|

Question

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.

This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.

Closed 9 years ago.

Improve this question

This guy says:

Debunking some Heartbleed FUD: You don’t need new SSH private keys. This affects the SSL protocol only.

My question is: Does the heartbleed bug necessitate new SSH private keys? (Or is this merely FUD?) [For systems that had the buggy version of the openssl library]

Solution

No, as far as I know you don't need to regenerate new key pairs (would be sensible anyway though). Heartbleed was a bug in the Heartbeat extension of OpenSSL for the keep-alive of a SSL/TLS connection.

Please see this article too: http://www.ssh.com/blog/12-ssh-communications-security-comments-on-heartbleed-vulnerability

Licensed under: CC-BY-SA with attribution

Not affiliated with StackOverflow