Heartbleed and Octopus Deploy

Published on: 15 Apr 2014

The Heartbleed bug in OpenSSL has been big news this past week. The best overview of the issue I've seen so far has been by Troy Hunt: Everything you need to know about the Heartbleed SSL bug.

There are two places where SSL is used in Octopus Deploy:

  • For Octopus server/Tentacle communication. We use the SslStream class that is built into the .NET framework, which relies on SChannel rather than OpenSSL.
  • For the Octopus server web interface, which we allow you to host over HTTPS. This uses HTTP.sys, the HTTP server component that IIS uses and is built into Windows, which again uses SChannel and not OpenSSL.

You can read more about SChannel and IIS in the context of Heartbleed. Suffice it to say, there's nothing in Octopus that relies on OpenSSL. Since this is an implementation issue in OpenSSL and not a core problem of the SSL protocol, and no one has reported issues in Microsoft's implementation of SSL in SChannel, there doesn't seem to be any risk of Heartbleed in Octopus Deploy.