> ----- Forwarded message from "Salz, Rich" <rs...@akamai.com> -----
> 
> Date: Wed, 9 Apr 2014 09:54:25 -0400
> From: "Salz, Rich" <rs...@akamai.com>
> To: "openssl-users@openssl.org" <openssl-users@openssl.org>
> Subject: RE: OpenSSL Security Advisory
> 
> > > How do I determine whether or not the web servers I run are affected?
> 
> Here's a simple way:
>                 echo B | openssl s_client -connect $HOST:$PORT
> if you see "heartbeating" at the end, then $HOST is vulnerable.
> 
> How can you tell if private keys have been taken?  You can't, really. You can 
> estimate the likelihood by looking closely at how OpenSSL_Malloc() return 
> values are used and laid out.  The risk is that an allocated ssl-record 
> buffer is right up against a private key being stored.
> 
>                 /r$

Hello Rich,

Can you please post a "good" and a "bad" server example. I have tested a
lot of servers, including 'akamai.com', and they all show HEARTBEATING
at the end:

$ echo B | openssl s_client -connect akamai.com:https
...
    Verify return code: 20 (unable to get local issuer certificate)
    ---
    HEARTBEATING
    675358796:error:1413B16D:SSL routines:SSL_F_TLS1_HEARTBEAT:peer does not accept heartbearts:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/t1_lib.c:2562:

Thanks for clarification.

        matthias

-- 
Sent from my FreeBSD netbook

Matthias Apitz, <g...@unixarea.de>, http://www.unixarea.de/ f: +49-170-4527211
UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
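The exchange above turns on how to read the output of `echo B | openssl s_client`. The word HEARTBEATING is printed by s_client as soon as it processes the `B` command, before the server has said anything, so on its own it proves nothing; what matters is whether an SSL_F_TLS1_HEARTBEAT "peer does not accept" error follows it (the server never negotiated the extension, which is what the akamai.com output shows) or not (the extension is on for that connection). Even the latter only shows that the server supports heartbeats, not that it is unpatched. The following is an added example, not code from the thread or from OpenSSL: a small Python classifier for that output, with the akamai.com output from the message above as one sample and a constructed second sample for a server that did negotiate the extension. The function names and the optional `run_probe` helper (which shells out to the local `openssl` binary and merges stdout and stderr, because s_client writes HEARTBEATING and the error to stderr) are this example's own.

```python
import re
import subprocess

# Sample 1: the s_client output quoted in the message above (wrapped error
# line rejoined). Constructed test input, not captured live here.
SAMPLE_OUTPUT_AKAMAI = """\
Verify return code: 20 (unable to get local issuer certificate)
---
HEARTBEATING
675358796:error:1413B16D:SSL routines:SSL_F_TLS1_HEARTBEAT:peer does not accept heartbearts:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/t1_lib.c:2562:
"""

# Sample 2 (constructed): a server that did negotiate the heartbeat extension.
# s_client prints HEARTBEATING and no SSL_F_TLS1_HEARTBEAT error follows.
SAMPLE_OUTPUT_NEGOTIATED = """\
Verify return code: 0 (ok)
---
HEARTBEATING
read R BLOCK
"""

# The error s_client reports when the server never agreed to heartbeats.
# The reason code is matched loosely; the library's own string contains the
# historical typo "heartbearts", so match only on the stable prefix.
HEARTBEAT_REFUSED = re.compile(
    r"error:[0-9A-Fa-f]+:SSL routines:SSL_F_TLS1_HEARTBEAT:peer does not accept"
)


def classify_heartbeat_probe(output: str) -> str:
    """Interpret combined stdout+stderr of `echo B | openssl s_client ...`.

    Returns one of:
      'no_heartbeat_attempted'   - HEARTBEATING never appeared: the handshake
                                   failed, or the local client build has no
                                   heartbeat support.
      'heartbeat_not_negotiated' - the client tried, the server had not agreed
                                   to the extension (the akamai.com case above).
      'heartbeat_negotiated'     - the extension is active on this connection.
                                   This means the server SUPPORTS heartbeats;
                                   it does not by itself mean it is unpatched.
    """
    if "HEARTBEATING" not in output:
        return "no_heartbeat_attempted"
    if HEARTBEAT_REFUSED.search(output):
        return "heartbeat_not_negotiated"
    return "heartbeat_negotiated"


def run_probe(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Run the same probe the thread uses against a server you operate and
    classify its output. Hypothetical helper; requires a local `openssl`."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}"],
        input="B\n",
        capture_output=True,
        text=True,
        timeout=timeout,
    )
    # HEARTBEATING and the SSL error go to stderr; merge both streams so a
    # classifier (or a grep) does not miss them.
    return classify_heartbeat_probe(proc.stdout + proc.stderr)


if __name__ == "__main__":
    print("akamai.com sample:", classify_heartbeat_probe(SAMPLE_OUTPUT_AKAMAI))
    print("negotiated sample:", classify_heartbeat_probe(SAMPLE_OUTPUT_NEGOTIATED))
```

Whichever bucket a server lands in, the authoritative check for the advisory is the OpenSSL version actually linked into the server process (for example `openssl version` on the host and your distribution's package version, remembering that statically linked or vendored copies need separate inspection); the probe only tells you whether the heartbeat extension is negotiable at all.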
