In response to the publication of a security flaw in the design of SSLv3, we have integrated TLS_FALLBACK_SCSV on our hosting platform and mailservers.

The flaw, dubbed POODLE in the announcement by the Google security team, allows a network attacker to force use of a less secure version of the protocol, making it easier to obtain the content of secure connections in plain text.

If for some reason you are not able to upgrade to a modern browser or operation system, you should take steps to protect yourself, such as disabling SSLv3 in your browser.

SSL 3.0 is already an obsolete protocol, so the vast majority of email clients will not notice any difference. However, some very old email clients, operating systems and browsers (Windows XP, IE6) may encounter issues. If you notice any problems connecting to our mailservers, please write to our support team with details.

For those interested in the technical details, there's some good reading over at Ars Technica (new window).

Note: We considered disabling SSLv3 on connections to via IMAP and POP3, but decided not to do so immediately. We will do so in the months to come, after taking steps to minimize the impact it will have on our customers' services.

A major vulnerability in the OpenSSL cryptographic software library has just been published (CVE-2014-0160). If you have a Gandi SSL certificate, please read this post carefully before taking action.

This flaw has existed for some time, and there is a possibility that X509/SSL private keys have been compromised undetectably.

This flaw is present in OpenSSL from version 1.0.1 up to and including 1.0.1f, referred to as the "heartbleed" bug (

If your servers are using an affected version of OpenSSL (If you aren't sure if your server is affected, you can try a tool like this one, not provided or tested by Gandi):

  • If you are using our SSL certificates on our PaaS platform (Simple Hosting) or via our web accelerator, you should know we fixed this vulnerability as soon as we were informed of it, and we will try to give further details about how your private keys could have been exposed by our platform.
  • If you are using our IaaS infrastructure (Gandi Cloud VPS), or that of another hosting provider, and your servers are using an affected version* of OpenSSL, you need to:
  1. Patch the openSSL version on any server you own and operate yourself by installing security updates provided in your package manager. (For example, on Debian, ensure you're using the official debian-security repository, then run `apt-get update` and `apt-get install openssl`, then restart all services that use SSL.)
  2. Generate new private keys and certificates to restore security of your services (see below if you're using a Gandi SSL certificate).
  • If you are using our SSL certificates, either on our infrastructure (on our PaaS/Simple Hosting instances) or on external services, then it is recommended that you regenerate a CSR and private key. Note: Do not revoke the certificate! Replaced certificates will be automatically revoked (see update below). If you revoke the certificate yourself, you will not be able to replace it afterwards, and you'll instead have to buy a new one.

Additional technical information is available in this GandiKitchen blog post.

========= Update 17 April 2014 =========

If you regenerated a Gandi SSL certificate between 8 and 17 April:

Many customers have regenerated their SSL certificates as a result of the Heartbleed bug. Until today, old certificates which were replaced with new, regenerated ones were not automatically revoked. Due to popular demand, we promised (here and here) to revoke the old certificates.

We sent an email this morning to users who have regenerated a Gandi SSL certificate between 8 and 17 April to notify you that your old certificates will be revoked in 24 hours. Your old certificate will be revoked on the morning of 18 April, Paris time (as early as 1am PST). If you have regenerated a certificate but have not yet installed it on your infrastructure, now is the time to do so!

If you intend to regenerate a Gandi SSL certificate in the future:

We have implemented automatic revocation, which means that from today forward, regenerated certificates will be automatically revoked 48 hours after the replacement certificate has been issued.

If you have questions, please contact support, or tweet us @gandibar.

Change the news ticker size