The ultimate heartbleed check would be implemented using a BIO_s_mem() (which means, without using sockets or any file descriptor). If someone is tempted by the task, the ssl/ssltest.c example of OpenSSL may help to see how to use BIO. http://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=ssl/ssltest.c;hb=HEAD
2014-04-17 12:06 GMT+02:00 A. Sinan Unur <na...@cpan.org>:
> On Thu, Apr 17, 2014 at 5:18 AM, Aristotle Pagaltzis <pagalt...@gmx.de>
> wrote:
> > * Olivier Mengué <olivier.men...@gmail.com> [2014-04-17 10:45]:
> >> Many Linux distributions will add a patch over the existing OpenSSL
> >> code, without changing the version number.
> >
> > Or they recompile the library with the OPENSSL_NO_HEARTBEATS defined –
> > no patches even necessary.
>
> True, and I do check that via a call to SSLeay_version(SSLEAY_CFLAGS)
> if the version number is one of the vulnerable ones. I can add an
> additional check for build date after the announcement.
>
> >> A proper check for heartbleed would really test the implementation
> >> using real calls to the openssl API, exchanging real packets, using
> >> inspiration from PaceMaker.
> >> https://github.com/Lekensteyn/pacemaker
> >
> > Indeed.
>
> That actually is not too hard to convert to Perl, but for now I am
> going to stick with the version + cflags + build date heuristic. For
> something like this false positives seem better than false negatives.
>
> Thank you Aristotle and Olivier for your feedback.
>
> -- Sinan
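The version + cflags + build date heuristic Sinan describes, written out as an added C example; it is not code from this thread, from OpenSSL or from any CPAN module. It works on the three strings that `SSLeay_version(SSLEAY_VERSION)`, `SSLeay_version(SSLEAY_CFLAGS)` and `SSLeay_version(SSLEAY_BUILT_ON)` return on a real system, so the sample strings in `main` are constructed and nothing links against libssl. The affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) and the disclosure date (7 April 2014) come from the public CVE-2014-0160 advisory, not from the thread. As Sinan notes, the heuristic is deliberately biased toward false positives: a build dated after disclosure is reported as a separate, weaker verdict, since only a real exchange of heartbeat records (the memory-BIO test Olivier proposes) settles the question.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Verdicts of the version + cflags + build-date heuristic from the thread. */
typedef enum {
    HB_VERSION_NOT_AFFECTED,    /* version string is outside the affected range   */
    HB_HEARTBEATS_COMPILED_OUT, /* OPENSSL_NO_HEARTBEATS present in the cflags    */
    HB_BUILT_AFTER_DISCLOSURE,  /* affected version, but built after 2014-04-07;
                                   a distro backport is likely but unproven       */
    HB_POSSIBLY_VULNERABLE      /* nothing suggests a fix: treat as vulnerable    */
} hb_verdict;

/* Affected releases of CVE-2014-0160: 1.0.1 through 1.0.1f and 1.0.2-beta1.
 * Input is SSLEAY_VERSION output such as "OpenSSL 1.0.1e-fips 11 Feb 2013". */
static bool version_is_affected(const char *version)
{
    const char *v = version;
    if (strncmp(v, "OpenSSL ", 8) == 0) v += 8;
    if (strncmp(v, "1.0.1", 5) == 0) {
        char c = v[5];
        /* "1.0.1", "1.0.1-fips", "1.0.1a".."1.0.1f" are affected; 'g' onward is fixed. */
        return c == '\0' || c == ' ' || c == '-' || (c >= 'a' && c <= 'f');
    }
    if (strncmp(v, "1.0.2-beta1", 11) == 0) {
        char c = v[11];
        return c == '\0' || c == ' ' || c == '-';
    }
    return false;
}

/* Parse SSLEAY_BUILT_ON output, e.g. "built on: Mon Apr  7 10:55:18 UTC 2014"
 * or "built on: Thu Apr  3 2014". Returns false for anything else (for instance
 * "built on: reproducible build, date unspecified"), which the caller treats
 * conservatively. */
static bool parse_built_on(const char *built_on, int *y, int *m, int *d)
{
    static const char months[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
    char tok[12][16];
    int n = 0;
    const char *p = built_on;

    while (*p && n < 12) {                     /* split on runs of spaces */
        while (*p == ' ') p++;
        if (!*p) break;
        size_t len = strcspn(p, " ");
        if (len >= sizeof tok[n]) return false;
        memcpy(tok[n], p, len);
        tok[n][len] = '\0';
        n++;
        p += len;
    }
    if (n < 6 || strcmp(tok[0], "built") != 0 || strcmp(tok[1], "on:") != 0) return false;
    if (strlen(tok[3]) != 3) return false;
    const char *mon = strstr(months, tok[3]);
    if (!mon || (mon - months) % 3 != 0) return false;
    *m = (int)(mon - months) / 3 + 1;
    if (sscanf(tok[4], "%d", d) != 1) return false;
    if (sscanf(tok[n - 1], "%d", y) != 1 || *y < 1990) return false;  /* year is last */
    return true;
}

/* Apply the heuristic in the order the thread describes: version first, then
 * the compile flags, then the build date relative to disclosure (2014-04-07). */
hb_verdict heartbleed_heuristic(const char *version, const char *cflags, const char *built_on)
{
    int y, m, d;
    if (!version_is_affected(version)) return HB_VERSION_NOT_AFFECTED;
    if (cflags && strstr(cflags, "OPENSSL_NO_HEARTBEATS")) return HB_HEARTBEATS_COMPILED_OUT;
    if (built_on && parse_built_on(built_on, &y, &m, &d) && y * 10000 + m * 100 + d > 20140407)
        return HB_BUILT_AFTER_DISCLOSURE;
    return HB_POSSIBLY_VULNERABLE;
}

int main(void)
{
    static const char *names[] = { "version not affected", "heartbeats compiled out",
                                   "built after disclosure (verify)", "possibly vulnerable" };
    /* Constructed sample strings; on a live system pass the SSLeay_version() results. */
    struct { const char *ver, *cflags, *built; } samples[] = {
        { "OpenSSL 1.0.1e 11 Feb 2013", "compiler: gcc -DOPENSSL_THREADS", "built on: Mon Feb 11 15:36:28 UTC 2013" },
        { "OpenSSL 1.0.1e-fips 11 Feb 2013", "compiler: gcc -DOPENSSL_NO_HEARTBEATS", "built on: Thu Apr 10 2014" },
        { "OpenSSL 1.0.1e 11 Feb 2013", "compiler: gcc -DOPENSSL_THREADS", "built on: Tue Apr  8 09:12:00 UTC 2014" },
        { "OpenSSL 1.0.1g 7 Apr 2014", "compiler: gcc", "built on: Mon Apr  7 2014" },
        { "OpenSSL 1.0.1f 6 Jan 2014", "compiler: gcc", "built on: reproducible build, date unspecified" },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-34s -> %s\n", samples[i].ver,
               names[heartbleed_heuristic(samples[i].ver, samples[i].cflags, samples[i].built)]);
    return 0;
}
```

The unparseable build string and the disclosure day itself both fall through to "possibly vulnerable", which is the conservative direction Sinan argues for; a 1.0.1g or 1.0.0 version string short-circuits before the weaker checks run.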