> ----- Forwarded message from "Salz, Rich" <[email protected]> -----
>
> Date: Wed, 9 Apr 2014 09:54:25 -0400
> From: "Salz, Rich" <[email protected]>
> To: "[email protected]" <[email protected]>
> Subject: RE: OpenSSL Security Advisory
>
> > How do I determine whether or not the web servers I run are affected?
>
> Here's a simple way:
> echo B | openssl s_client -connect $HOST:$PORT
> if you see "heartbeating" at the end, then $HOST is vulnerable.
>
> How can you tell if private keys have been taken? You can't, really. You can
> estimate the likelihood by looking closely at how OpenSSL_Malloc() return
> values are used and laid out. The risk is that an allocated ssl-record
> buffer is right up against a private key being stored.
>
> /r$
Hello Rich,
Can you please post a "good" and a "bad" server example. I have tested a
lot of servers, including 'akamai.com', and they all show HEARTBEATING
at the end:
$ echo B | openssl s_client -connect akamai.com:https
...
Verify return code: 20 (unable to get local issuer certificate)
---
HEARTBEATING
675358796:error:1413B16D:SSL routines:SSL_F_TLS1_HEARTBEAT:peer does not accept heartbearts:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/t1_lib.c:2562:
Thanks for clarification.
matthias
--
Sent from my FreeBSD netbook
Matthias Apitz, <[email protected]>, http://www.unixarea.de/ f: +49-170-4527211
UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
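The one-liner above keys on the word HEARTBEATING, but the akamai.com transcript shows why that alone does not separate the two cases: s_client prints HEARTBEATING itself the moment it sends the heartbeat request, and only the line that follows ("peer does not accept heartbearts", spelled that way in 1.0.1's reason string) says whether the server had negotiated the heartbeat extension. The script below is an added example, not code from either poster or from the OpenSSL project: it runs the same `echo B | openssl s_client` command with stderr merged (HEARTBEATING and the error go to stderr) and classifies the output by whether that refusal follows. The function names, the classification labels and the four sample transcripts are constructed for the example, modelled on the output Matthias posted. One caveat the thread does not spell out: "ext-negotiated" means the server will process heartbeat requests, which is the path a vulnerable build mishandles, but a patched server still negotiates the extension, so this is a screen for exposure, not proof of the missing bounds check.

```shell
#!/bin/sh
# Added example (not from the thread): run the s_client heartbeat check and
# classify the result from s_client's own combined stdout+stderr output.
# The SAMPLE_* transcripts below are constructed, modelled on the posted one.

# classify_heartbeat_output: read an s_client transcript on stdin and print
#   no-handshake        TLS handshake never completed, so nothing was tested
#   no-heartbeat-sent   HEARTBEATING never appeared (client openssl built
#                       without heartbeat support; 'B' went out as app data)
#   ext-not-negotiated  client sent a heartbeat request and the peer refused
#   ext-negotiated      client sent a heartbeat request with no refusal
classify_heartbeat_output() {
    out=$(cat)
    case "$out" in
        *"Verify return code:"*) ;;              # printed only after a handshake
        *) echo no-handshake; return 0 ;;
    esac
    case "$out" in
        *HEARTBEATING*) ;;
        *) echo no-heartbeat-sent; return 0 ;;
    esac
    # OpenSSL 1.0.1 spells the reason string "heartbearts"; match the prefix.
    case "$out" in
        *"peer does not accept heartbea"*) echo ext-not-negotiated ;;
        *) echo ext-negotiated ;;
    esac
}

# probe_heartbeat HOST PORT: the command from the thread, stderr merged because
# s_client writes HEARTBEATING and the error line to stderr, not stdout.
probe_heartbeat() {
    echo B | openssl s_client -connect "$1:$2" 2>&1 | classify_heartbeat_output
}

# Constructed transcript: handshake done, heartbeat refused (akamai.com shape).
SAMPLE_REFUSED='CONNECTED(00000003)
---
Verify return code: 20 (unable to get local issuer certificate)
---
HEARTBEATING
675358796:error:1413B16D:SSL routines:SSL_F_TLS1_HEARTBEAT:peer does not accept heartbearts:t1_lib.c:2562:'

# Constructed transcript: handshake done, heartbeat sent, a record read back.
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
Verify return code: 0 (ok)
---
HEARTBEATING
read R BLOCK
DONE'

# Constructed transcript: the port does not speak TLS at all.
SAMPLE_NOHANDSHAKE='CONNECTED(00000003)
140735138062804:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:766:'

# Constructed transcript: client openssl lacks heartbeat support, so "B" was
# sent as application data and HEARTBEATING never appears.
SAMPLE_NO_HB_CLIENT='CONNECTED(00000003)
---
Verify return code: 0 (ok)
---
DONE'

# With HOST PORT arguments probe a live server; otherwise classify the samples.
if [ $# -eq 2 ]; then
    probe_heartbeat "$1" "$2"
else
    for name in SAMPLE_REFUSED SAMPLE_ACCEPTED SAMPLE_NOHANDSHAKE SAMPLE_NO_HB_CLIENT; do
        eval "sample=\$$name"
        printf '%-20s %s\n' "$name" "$(printf '%s\n' "$sample" | classify_heartbeat_output)"
    done
fi
```

Run as `sh heartbeat-check.sh www.example.com 443` against a real host; for a name that serves several certificates, add `-servername` to the s_client line, since the plain command in the thread sends no SNI. A client openssl built without heartbeat support reports no-heartbeat-sent for every host, which is a statement about the client, not the server.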