The Heartbleed bug in OpenSSL has been big news past week. The best overview of the issue I've seen so far has been by Troy Hunt: Everything you need to know about the Heartbleed SSL bug.

There are two places where SSL is used in Octopus Deploy:

  • For Octopus server/Tentacle communication. We use the SslStream class that is built into the .NET framework, which relies on SChannel rather than OpenSSL.
  • For the Octopus server web interface, which we allow you to host over HTTPS. This uses HTTP.sys, the HTTP server component that IIS uses and is built into Windows, which again uses SChannel and not OpenSSL.

You can read more about SChannel and IIS in the context of Heartbleed. Suffice it to say, there's nothing in Octopus that relies on OpenSSL. Since this is an implementation issue in OpenSSL and not a core problem of the SSL protocol, and no one has reported issues in Microsoft's implementation of SSL in SChannel, there doesn't seem to be any risk of Heartbleed in Octopus Deploy.


Octopus Deploy is used by thousands of developers across the globe, from small companies to large enterprises. Find out if it meets your deployment automation needs by taking advantage of our free 30-day trial. You can spin up an instance with just a few clicks!

Security