Author |
Message
|
smeunier |
Posted: Fri Apr 11, 2014 5:42 am Post subject: Heartbleed, OpenSSL and MQ |
|
|
 Partisan
Joined: 19 Aug 2002 Posts: 305 Location: Green Mountains of Vermont
|
I'm not familiar with OpenSSL, so this is a random question. With the recent Heartbleed security exposure with OpenSSL, would my MQ environment, which uses SSL certificates, be at risk? Most of these certificates were generated by GeoTrust. I have not seen this addressed in these forums, so I'm curious. And obviously if there are actions that need to be taken.
Thanks in advance for any insight. |
|
zpat |
Posted: Fri Apr 11, 2014 5:49 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
I believe that it is only WMQ for HP Non-stop Server (HP NSS) that uses a modified version of the OpenSSL code. The other OS versions use GSKit which doesn't support '.pem' OpenSSL certs or keys.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error. |
|
Vitor |
Posted: Fri Apr 11, 2014 5:52 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
AFAIK the SSL support inside WMQ is not based on OpenSSL but is one IBM wrote. Thank you for volunteering to raise a PMR to get a definite answer and posting it for the benefit of all.....
A passing IBM may wish to comment semi-definitely
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
mqjeff |
Posted: Fri Apr 11, 2014 5:54 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
I'd suggest you heavily watch the IBM website.
Security Bulletin: IBM WebSphere MQ & TLS Heartbleed (CVE-2014-0160)
WMQ : http://www-01.ibm.com/support/docview.wss?uid=swg21669839
This vulnerability is known to affect the following offerings;
Support Pac MAT1 - WebSphere MQ client for HP Integrity NonStop Server
Eclipse Paho MQTT C Client - Linux & Windows |
|
zpat |
Posted: Fri Apr 11, 2014 6:10 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
What about WMB/IIB?
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error. |
|
Vitor |
Posted: Fri Apr 11, 2014 6:15 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
zpat wrote: |
What about WMB/IIB? |
AFAIK the SSL support inside WMB is not based on OpenSSL but is one IBM wrote. Thank you for volunteering to raise a PMR to get a definite answer and posting it for the benefit of all.....
A passing IBM may wish to comment semi-definitely
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
zpat |
Posted: Fri Apr 11, 2014 6:17 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
I am sure the IBM support centre is getting fed up with all the PMRs asking the same question!
Maybe someone who has already got the answer can share it?
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error. |
|
Vitor |
Posted: Fri Apr 11, 2014 6:19 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
zpat wrote: |
Maybe someone who has already got the answer can share it? |
Vitor wrote: |
...and posting it for the benefit of all..... |
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
smeunier |
Posted: Fri Apr 11, 2014 11:36 am Post subject: |
|
|
 Partisan
Joined: 19 Aug 2002 Posts: 305 Location: Green Mountains of Vermont
|
Thanks for all this valuable information and pointer to blogs, etc. After self assessment, OpenSSL has not been used to generate SSL keys in our environment, but via the GSKit. All internet facing servers have been upgraded with OpenSSL remediation patch.
Thanks again. |
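A version check of the kind such a self-assessment relies on, added here as an example and not part of the original thread: it classifies `openssl version -a` output against the upstream range affected by CVE-2014-0160 (1.0.1 through 1.0.1f, and the 1.0.2 betas before beta2). The function names, result labels and sample outputs are constructed for illustration; a build date on or after disclosure only suggests a vendor backport and still has to be confirmed against the package changelog.

```python
import re
from datetime import date

DISCLOSED = date(2014, 4, 7)  # public disclosure of CVE-2014-0160, release of 1.0.1g
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
VERSION = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d*)?")
BUILT = re.compile(r"built on:.*?\b([A-Z][a-z]{2})\s+(\d{1,2})\s.*?\b(\d{4})\b")

def in_affected_range(text):
    """True/False for the upstream version range, None if no banner is found."""
    m = VERSION.search(text)
    if not m:
        return None
    triple = tuple(int(g) for g in m.group(1, 2, 3))
    if triple == (1, 0, 1):
        return m.group(4) < "g"      # 1.0.1 through 1.0.1f ("" sorts before "a")
    if triple == (1, 0, 2):
        return m.group(5) in ("-beta", "-beta1")   # fixed in 1.0.2-beta2
    return False                     # other release lines are outside the range

def assess(text):
    """Classify the output of `openssl version -a` from one host."""
    hit = in_affected_range(text)
    if hit is None:
        return "unparsed"
    if not hit or "-DOPENSSL_NO_HEARTBEATS" in text:
        return "not-affected"
    b = BUILT.search(text)
    if b and b.group(1) in MONTHS:
        built = date(int(b.group(3)), MONTHS[b.group(1)], int(b.group(2)))
        if built >= DISCLOSED:
            # Vendors backported the fix without changing the version string.
            return "verify-package"
    return "affected"

# Constructed sample outputs, not captured from any real host.
SAMPLES = {
    "old-upstream": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Tue Mar 19 10:02:11 UTC 2013\n",
    "distro-rebuild": "OpenSSL 1.0.1e-fips 11 Feb 2013\nbuilt on: Tue Apr  8 02:39:29 UTC 2014\n",
    "fixed-upstream": "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Wed Apr  9 08:00:00 UTC 2014\n",
    "legacy": "OpenSSL 0.9.8y 5 Feb 2013\nbuilt on: Mon Jun  3 12:00:00 UTC 2013\n",
}

if __name__ == "__main__":
    for host, text in SAMPLES.items():
        print(host, "->", assess(text))
```

Products that use GSKit rather than OpenSSL produce no `OpenSSL` banner at all and come back as `unparsed`, which is a prompt to check the vendor bulletin rather than a verdict.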
|
zpat |
Posted: Mon Apr 14, 2014 12:57 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
WMB and IIB are not affected by this.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error. |
|
Vitor |
Posted: Mon Apr 14, 2014 5:31 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
|