Thanks Rich, I have obtained the new, patched, release of Apache from Apache lounge, and applied the patch to one server, which the online services say fix the problem on it, but your simple way of checking still says heartbeating at the end. Does that mean that the patch didn't truly work?
I get the heartbeating message on both unpatched and patched servers. Should that make me worry about the patched machines?

Thanks

Ted

--
R.E.(Ted) Byers, Ph.D.,Ed.D.

On Wed, Apr 9, 2014 at 9:54 AM, Salz, Rich <rs...@akamai.com> wrote:

> > How do I determine whether or not the web servers I run are affected?
>
> Here's a simple way:
>
> echo B | openssl s_client -connect $HOST:$PORT
>
> if you see "heartbeating" at the end, then $HOST is vulnerable.
>
> How can you tell if private keys have been taken? You can't, really. You
> can estimate the likelihood by looking closely at how OpenSSL_Malloc()
> return values are used and laid out. The risk is that an allocated
> ssl-record buffer is right up against a private key being stored.
>
> /r$
>
> --
> Principal Security Engineer
> Akamai Technology
> Cambridge, MA