[AusNOG] Heartbleed Bug

Mark Ashley mark at ibiblio.org
Tue Apr 8 17:07:54 EST 2014


Depending on the testing methodology, you can get incorrect results too.
This command is floating around as a test at the moment:

% openssl s_client -connect yourhost.example.com:443 -tlsextdebug |& grep 'server extension "heartbeat" (id=15)' || echo safe

But it'll falsely report 'safe' when this occurs:

% openssl s_client -connect not-in-dns.example.com:443 -tlsextdebug
gethostbyname failure
connect:errno=0



On Tue, Apr 8, 2014 at 4:58 PM, Peter Tonoli <peter at medstv.unimelb.edu.au> wrote:

> Mea culpa.. The installed Debian package was unaffected, however the
> custom compiled NGinx had a vulnerable OpenSSL statically compiled (which
> is why I thought it was a false positive).
>
> ----- Original Message -----
> > From: "Nathan Brookfield" <Nathan.Brookfield at simtronic.com.au>
> > To: "Peter Tonoli" <peter at medstv.unimelb.edu.au>, "Tim Groeneveld" <tim at timg.ws>
> > Cc: ausnog at lists.ausnog.net
> > Sent: Tuesday, 8 April, 2014 3:20:49 PM
> > Subject: RE: [AusNOG] Heartbleed Bug
> > After some tests I just did, the site seems 100% correct over the 5 or
> > 6 boxes I just checked. I did have to restart the Apache daemon for
> > the updated packages to take effect though.
> >
> > -----Original Message-----
> > From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of
> > Peter Tonoli
> > Sent: Tuesday, 8 April 2014 3:09 PM
> > To: Tim Groeneveld
> > Cc: ausnog at lists.ausnog.net
> > Subject: Re: [AusNOG] Heartbleed Bug
> >
> >
> > > ----- Original Message -----
> > > > Hi All,
> > > >   Now the general public are aware of the Heartbleed bug
> > > > http://heartbleed.com/ for SSL does anyone have any information
> > > > about what routers/switches/load balancers network components may
> > > > be linked with this affected library. I would think that the server
> > > > people would have this well in hand but perhaps we may be missing
> > > > some critical info of what's buried inside our network kit.
> > >
> > >
> > > You might find this handy:
> > >
> > > http://filippo.io/Heartbleed/
> >
> > I'm not entirely sure that it is handy. I've tested it on a host that
> > seems to be running a non-vulnerable version of OpenSSL, yet gets
> > flagged as being vulnerable on this site..
> >
> > --
> > Peter Tonoli < peter at medstv.unimelb.edu.au > +61-3-9288-2399 IT
> > Manager The University of Melbourne - Eastern Hill Academic Centre,
> > St. Vincent's Institute and O'Brien Institute
> > _______________________________________________
> > AusNOG mailing list
> > AusNOG at lists.ausnog.net
> > http://lists.ausnog.net/mailman/listinfo/ausnog
>
> --
> Peter Tonoli < peter at medstv.unimelb.edu.au > +61-3-9288-2399
> IT Manager
> The University of Melbourne - Eastern Hill Academic Centre, St. Vincent's
> Institute and O'Brien Institute
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
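Added example, not from Mark's post or anything else in this thread: a small sh script that classifies `openssl s_client -tlsextdebug` output into three outcomes instead of the two the grep one-liner gives, so a DNS or TCP failure comes back as "connection-failed" rather than "safe". The function and variable names are mine, and the sample outputs are constructed, not captured from real hosts.

```shell
#!/bin/sh
# Added example (not from the AusNOG thread): classify the output of
# `openssl s_client -tlsextdebug` so that a failed connection is reported as a
# failed probe instead of "safe". The one-liner in the post treats "grep found
# nothing" as "not vulnerable", which is also what grep reports when s_client
# never reached the server.

# classify_heartbeat_probe OUTPUT
#   Prints one word and returns a matching exit status:
#     connection-failed    (rc 2) s_client did not complete a handshake
#     heartbeat-advertised (rc 1) server sent the TLS heartbeat extension (id=15)
#     no-heartbeat         (rc 0) handshake completed, extension absent
classify_heartbeat_probe() {
    out=$1
    # Connection-level failures s_client prints before any handshake.
    if printf '%s\n' "$out" | grep -Eq 'gethostbyname failure|getaddrinfo|connect:errno=|Connection refused'; then
        echo connection-failed
        return 2
    fi
    # Only trust the extension list if a handshake actually completed;
    # s_client prints these blocks after a successful ServerHello exchange.
    if ! printf '%s\n' "$out" | grep -Eq 'Server certificate|SSL-Session:'; then
        echo connection-failed
        return 2
    fi
    # -F: match the literal string, so the quotes and parentheses are not regex.
    if printf '%s\n' "$out" | grep -Fq 'server extension "heartbeat" (id=15)'; then
        echo heartbeat-advertised
        return 1
    fi
    echo no-heartbeat
    return 0
}

# probe_host HOST [PORT]: run the real probe and classify it. 2>&1 captures the
# extension debug lines and the connection errors regardless of which stream
# s_client writes them to; </dev/null stops s_client waiting on stdin.
probe_host() {
    host=$1
    port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -tlsextdebug </dev/null 2>&1)
    classify_heartbeat_probe "$out"
}

# Constructed sample outputs for offline use (not captured from real hosts).
SAMPLE_DNS_FAIL='gethostbyname failure
connect:errno=0'

SAMPLE_HEARTBEAT='CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1
---
Server certificate
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
---
SSL-Session:
    Protocol  : TLSv1.2'

SAMPLE_NO_HEARTBEAT='CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
---
Server certificate
---
SSL-Session:
    Protocol  : TLSv1.2'

# Usage: classify_heartbeat_probe "$SAMPLE_DNS_FAIL"   -> connection-failed
#        probe_host yourhost.example.com               -> live probe
```

Even the three-way result only tells you whether the server advertises the heartbeat extension. A server that advertises it is running with heartbeat enabled, which is the precondition for Heartbleed, but whether the OpenSSL behind it is one of the affected 1.0.1 through 1.0.1f builds still has to come from the package version, or, as Peter found with the statically linked nginx, from the binary itself rather than the distro package list.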