# heartbleed wrt home computers

## nordic bro

I have no server capability or have the outside world logging into my machine.  the only ssl things I have are postfix, stunnel, fetchmail and others that show up w/'equery d' (openconnect, vbox, cups, wget, etc.).

I've read the announcement(s) here and have been poking through other posts trying to figure a couple things out.  I had openssl 1.0.1c and upgraded to 1.0.1g and what I'm wondering is:

1a)   things like stunnel/postfix where I'd previously generated a *.pem myself I imagine I need to redo those after the openssl upgrade?

1b)  both my /etc/stunnel and /etc/ssl/certs/postfix originally have not only the *.pem I created but *csr/crt/key files - do I need those files and/or need to regenerate them somehow?

2.  I noticed /etc/ssl/certs looks to have the apps-misc/ca-certificates pkg linked there (ca-certificates-20130119) - do I need to re-emerge ca-certificates or get an updated version of it to emerge?  

right now in /etc/ssl/certs I have a mixture of oct. 19, 2013 links to /usr/share/certificates/* for things like "GeoTrust_Universal_CA_2.pem" which I imagine are from when I first set up this machine.  

then the 1.0.1g update (re)linked that/those to things like "2c543cd1.0" (new timestamps as of the openssl emerge).

so basically afaict all the /etc/ssl/certs items are old but don't know if that matters on a home computer?  or /etc/ssl/certs isn't a part of the heartbleed prob?

----------

## eccerr0r

AFAIK, if you don't have services open and you trust the other end of the secure link (as in, someone won't compromise the "other" machine or MITM it) you don't have to worry about your private keys on your machine.  What the worry is if the other machine was compromised and re-programmed to try to extract your private key - which is highly unlikely.  The worrysome machines are the servers where they have been exposed to the network for extended periods of time.

For me, I run Apache as well as OpenVPN, both using OpenSSL and exposed to the network - and both very well could have leaked private keys.  However I'm going to take the lazy route because of the annoyance of having to invalidate old keys despite the security risk involved.  But I will have to carefully watch packet transfers...

To be completely safe, go ahead and regenerate your private keys and have them re-signed, but more likely than not, you don't have much to worry about.

And of course if you have to depend on the other machine, you should change your password on the *other* machine you connect to...

----------

