Update on Heartbleed and Chef Keys


#1

Ohai Chefs!

We’ve added a post to the Chef blog that details the ways in which the
Heartbleed bug could allow the client private keys in your Chef
infrastructure to be leaked to an attacker. Take a look here:
http://www.getchef.com/blog/2014/04/10/update-on-heartbleed-and-chef-keys/


Stephen Delano
Software Development Engineer
Opscode, Inc.
1008 Western Avenue
Suite 601
Seattle, WA 98104


#2

Stephen –

Thanks for being forthcoming in this. If customers are to consider
all private keys compromised, should they undertake the following:

-remove client-side private keys
-upgrade chef-client packages
-nuke client objects on chef-server
-rotate validator key on chef-server
-use new validator key to re-bootstrap upgraded clients to chef-server
-rotate additional user keys

This is in addition to chef-server upgrades + nginx ssl certs regeneration.

On Thu, Apr 10, 2014 at 7:57 PM, Stephen Delano stephen@opscode.com wrote:

Ohai Chefs!

We’ve added a post to the Chef blog that details the ways in which the
Heartbleed bug could allow the client private keys in your Chef
infrastructure to be leaked to an attacker. Take a look here:
http://www.getchef.com/blog/2014/04/10/update-on-heartbleed-and-chef-keys/



#3

On Thursday, April 10, 2014 at 6:30 PM, Nick Silkey wrote:

Stephen –

Thanks for being forthcoming in this. If customers are to consider
all private keys compromised, should they undertake the following:

-remove client-side private keys
-upgrade chef-client packages
-nuke client objects on chef-server
-rotate validator key on chef-server
-use new validator key to re-bootstrap upgraded clients to chef-server
-rotate additional user keys

This is in addition to chef-server upgrades + nginx ssl certs regeneration.

The cookbook we provided updates the private (and therefore also the public) keys of any client that runs it. If you configure local_key_generation true, the keys will be created on the client side and the private key won't go over the network. Then you don't need to delete the client objects on the server.


Daniel DeLeo
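The difference Daniel points to, between a client that generates its own key pair and one that lets the server generate it, is what decides whether Nick's "nuke client objects" step is necessary. The following is an added example written for this thread; it is not the cookbook Daniel mentions and not chef-client's own registration code. It uses only Ruby's OpenSSL and JSON standard libraries, stands in a simulated server for the real Chef Server, and the request body shapes (name, admin, public_key, and private_key: true) are an assumption about the client API used here only for illustration.

```ruby
# Added example: local vs. server-side key generation for a Chef API client.
# Not taken from chef-client or from any Chef cookbook; the PUT /clients/<name>
# body fields below are assumed for illustration.
require 'openssl'
require 'json'
require 'tmpdir'

# Generate a fresh RSA key pair on the node itself. Only the public half
# is ever meant to leave this process.
def generate_local_keypair(bits = 2048)
  key = OpenSSL::PKey::RSA.new(bits)
  { private_pem: key.to_pem, public_pem: key.public_key.to_pem }
end

# Request body (assumed shape) for updating a client whose key pair the
# node generated itself: carries the public key and nothing secret.
def local_generation_body(client_name, public_pem)
  { 'name' => client_name, 'admin' => false, 'public_key' => public_pem }
end

# Stand-in for the server-side path: the node asks the server to
# regenerate the key pair and the reply carries the new private key back
# across the TLS connection. That round trip is the hop a Heartbleed-
# vulnerable endpoint could have exposed, which is why rotating this way
# does not by itself restore trust in the key.
def simulate_server_generation(client_name)
  key = OpenSSL::PKey::RSA.new(2048)
  { 'name' => client_name, 'admin' => false,
    'public_key' => key.public_key.to_pem,
    'private_key' => key.to_pem }            # secret material in transit
end

# True when any string value in the hash contains private key material.
def contains_private_key?(hash)
  hash.values.any? { |v| v.is_a?(String) && v.include?('PRIVATE KEY') }
end

# Replace the (assumed compromised) client.pem atomically with owner-only
# permissions, and return the resulting mode bits for checking.
def write_client_pem(path, private_pem)
  tmp = "#{path}.tmp"
  File.open(tmp, 'w', 0600) { |f| f.write(private_pem) }
  File.rename(tmp, path)
  File.stat(path).mode & 0777
end

# Full local rotation: new pair, new client.pem, and the body that would
# be PUT to the server. The existing client object is kept, only its
# public key changes.
def rotate_client_locally(client_name, pem_path)
  pair = generate_local_keypair
  mode = write_client_pem(pem_path, pair[:private_pem])
  { body: local_generation_body(client_name, pair[:public_pem]),
    mode: mode,
    public_pem: pair[:public_pem] }
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    result = rotate_client_locally('web01.example.com', File.join(dir, 'client.pem'))
    puts JSON.pretty_generate(result[:body])
    puts format('client.pem mode: %o', result[:mode])
    puts "server-side path leaks private key: #{contains_private_key?(simulate_server_generation('web01.example.com'))}"
  end
end
```

With the local path, the private key is born on the node and written straight to client.pem; the server learns only the public key, so the old client object can simply be updated in place rather than deleted and re-bootstrapped with the validator. The server-generated path is what makes the key's confidentiality depend on the TLS session it travelled over.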