That's because it only effected Debian and Ubuntu versions of OpenSSL.

RHEL was not impacted, because RHEL didn't break it in their packages. This was a very specific problem, caused by a very specific change made by a Debian developer to the Debian package. So, only Debian, and Ubuntu which is 90% the work of Debian developers, had the problem.

But, I do agree that the problem is possibly overblown. However, github reported seeing several identical keys from different people--which is a pretty serious problem. If that's the case in their relatively tiny userbase, then it would definitely be possible for a cracker to generate a few hundred keys using the buggy library, and then make a brute force attempt on millions of sites. They'd get a few hits, I reckon--though it would probably also take months. I don't know that any black hat will be determined enough to exploit this specific hole rather than going after lower hanging fruit (like Windows boxes running unpatched IE, Outlook, etc.) which can be found at a rate of hundreds or thousands per day of searching. But, if I had any keys impacted by this I would revoke them and make new ones. All of my keys, including the Virtualmin package signing keys, were made on Fedora systems.

There is only 1(ONE) !!!! SSL provider that is offering a replacement cert for free because of this.

Try to sell that to the other 10 billion debian users that use godaddy or other cert providers that wont.

A update to this.....

http://isc.sans.org/diary.html?storyid=4543

To quote:
So Where Are Those OpenSSH Key-based Attacks?

One of our readers contacted the handler on duty to see if we had seen any reports since then of active attacks concerning this attack vector. The standard SSH port (22/tcp) has been at normal levels for the past several weeks with one exception (on May 27-28) per the data at Dshield.

End quote

I told you it was all hype -- not one ssl site has been hacked nor has there been any significant reports about any type ssh/ssl hacking.

SteveACup wrote:
If I may add a few tidbits that may save someone like me a few hours:
...
2) if you already have a passworded private key file, use this command to remove the password: openssl rsa -in key.pem -out keyout.pem

Hope this helps someone

This helped me out. Thanks!

Another tidbit: If you do have your pem file passworded, you can do "/etc/rc5.d/S99webmin start" as root in the console and enter the PEM password to start webmin.

Hi Guys

I would really appreciate a 1.2.3 guide on how to set up TSL or SSL on postfix and dovecote to secure email on one virtual host. I have a godaddy ssl cert and have set up the domain to work on ssl. I have had a look about in the forums and in the Virtualmin docs and this topic seems a little light on documentation.

Cheers in advance for any pointers or input on this.

s

Well, Transmobius's message at the beginning of this thread should take you from start to finish on a GoDaddy SSL cert:

http://www.virtualmin.com/forums/general-discussion/godaddy-ssl-certificate.html#8412

I'm not sure if that information ever made it into the docs, but if not, it probably should :-)
-Eric