> ----- Forwarded message from "Salz, Rich" <rs...@akamai.com> -----
>
> Date: Wed, 9 Apr 2014 09:54:25 -0400
> From: "Salz, Rich" <rs...@akamai.com>
> To: "openssl-users@openssl.org" <openssl-users@openssl.org>
> Subject: RE: OpenSSL Security Advisory
>
> > How do I determine whether or not the web servers I run are affected?
>
> Here's a simple way:
>
>     echo B | openssl s_client -connect $HOST:$PORT
>
> If you see "heartbeating" at the end, then $HOST is vulnerable.
>
> How can you tell if private keys have been taken? You can't, really. You can
> estimate the likelihood by looking closely at how OpenSSL_Malloc() return
> values are used and laid out. The risk is that an allocated ssl-record
> buffer is right up against a private key being stored.
>
> /r$
Hello Rich,

Can you please post a "good" and a "bad" server example. I have tested a lot
of servers, including 'akamai.com', and they all show HEARTBEATING at the end:

    $ echo B | openssl s_client -connect akamai.com:https
    ...
    Verify return code: 20 (unable to get local issuer certificate)
    ---
    HEARTBEATING
    675358796:error:1413B16D:SSL routines:SSL_F_TLS1_HEARTBEAT:peer does not accept heartbearts:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/t1_lib.c:2562:

Thanks for the clarification.

matthias

-- 
Sent from my FreeBSD netbook

Matthias Apitz, <g...@unixarea.de>, http://www.unixarea.de/ f: +49-170-4527211
UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5
______________________________________________________________________
OpenSSL Project                                     http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
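Editor's note on the two messages above, with an added example that is not from either poster or from the OpenSSL project. The reason every host "shows HEARTBEATING" is that s_client prints that word the moment it reads the `B` command, before it calls SSL_heartbeat(); the word is therefore no signal at all. What follows it is the signal: the error `peer does not accept heartbearts` (OpenSSL 1.0.1's own spelling, as pasted above) means the server did not advertise the TLS heartbeat extension in its ServerHello, so the buggy code path cannot be reached from the outside. If no error follows, the extension was negotiated and a heartbeat request went out, which is true of both vulnerable and patched servers (1.0.1g and later negotiate the extension and answer correctly), so such hosts need a real Heartbleed test rather than this one-liner. The script below classifies s_client output on those lines; the `-tlsextdebug` line it also recognises (`TLS server extension "heartbeat" (id=15)`) is what s_client prints when the server advertises the extension. The function and variable names and the three sample outputs are ours; the first sample copies the tail of the akamai.com run in the thread, the other two are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread or of OpenSSL: classify the output of
#   echo B | openssl s_client -tlsextdebug -connect "$HOST:$PORT" 2>&1
# instead of keying on the word "HEARTBEATING", which s_client prints before
# it even tries to send the heartbeat.
#
# Assumptions: error-string wording is OpenSSL 1.0.1's (including its
# "heartbearts" spelling, matched here by a prefix so the corrected spelling
# also matches); -tlsextdebug prints 'TLS server extension "heartbeat" (id=15)'
# when the server advertises the extension. Names below are our own.

# classify_heartbeat_output: read s_client output on stdin, print one word.
#   no-extension  SSL_heartbeat() refused to send: the peer did not negotiate
#                 the heartbeat extension, so the 1.0.1 bug is not reachable
#   extension-on  extension negotiated and a heartbeat request was sent;
#                 vulnerable AND patched servers both land here, so follow up
#                 with a proper Heartbleed test for these hosts
#   unknown       "B" was never acted on (handshake failed, wrong port, ...)
classify_heartbeat_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'peer does not accept heartbea'; then
        echo no-extension
    elif printf '%s\n' "$out" | grep -q 'TLS server extension "heartbeat"'; then
        echo extension-on
    elif printf '%s\n' "$out" | grep -q 'HEARTBEATING'; then
        echo extension-on
    else
        echo unknown
    fi
}

# Live use against a real host (needs network): check_host example.com:443
# s_client writes HEARTBEATING and the error to stderr, hence 2>&1.
check_host() {
    echo B | openssl s_client -tlsextdebug -connect "$1" 2>&1 | classify_heartbeat_output
}

# Constructed samples. SAMPLE_NO_EXT copies the tail of the thread's
# akamai.com run (path shortened); the other two are what the same command
# is assumed to print when the heartbeat is sent and when connect() fails.
SAMPLE_NO_EXT='Verify return code: 20 (unable to get local issuer certificate)
---
HEARTBEATING
675358796:error:1413B16D:SSL routines:SSL_F_TLS1_HEARTBEAT:peer does not accept heartbearts:t1_lib.c:2562:'

SAMPLE_EXT_ON='TLS server extension "heartbeat" (id=15), len=1
Verify return code: 0 (ok)
---
HEARTBEATING'

SAMPLE_FAILED='connect: Connection refused
connect:errno=61'

printf '%s\n' "$SAMPLE_NO_EXT" | classify_heartbeat_output   # no-extension
printf '%s\n' "$SAMPLE_EXT_ON" | classify_heartbeat_output   # extension-on
printf '%s\n' "$SAMPLE_FAILED" | classify_heartbeat_output   # unknown
```

Run it as a script to see the three classifications, or source it and call `check_host host:port` on your own servers. Treat `no-extension` as "not exposed via heartbeat on this endpoint" (other endpoints or SNI virtual hosts on the same box may differ) and `extension-on` only as "candidate", never as a verdict.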