The Heartbleed bug in OpenSSL has been big news past week. The best overview of the issue I've seen so far has been by Troy Hunt: Everything you need to know about the Heartbleed SSL bug.
There are two places where SSL is used in Octopus Deploy:
- For Octopus server/Tentacle communication. We use the
SslStreamclass that is built into the .NET framework, which relies on
SChannelrather than OpenSSL.
- For the Octopus server web interface, which we allow you to host over HTTPS. This uses
HTTP.sys, the HTTP server component that IIS uses and is built into Windows, which again uses
SChanneland not OpenSSL.
You can read more about SChannel and IIS in the context of Heartbleed. Suffice it to say, there's nothing in Octopus that relies on OpenSSL. Since this is an implementation issue in OpenSSL and not a core problem of the SSL protocol, and no one has reported issues in Microsoft's implementation of SSL in SChannel, there doesn't seem to be any risk of Heartbleed in Octopus Deploy.