<p dir="ltr">Also, from what I've seen that test is rubbish as it doesn't take into account packages with a backported fix.</p>
<p dir="ltr">The online test actually does a memory read of what it has already sent, which validates real vulnerability.</p>
<div class="gmail_quote">On 08/04/2014 5:08 pm, "Mark Ashley" <<a href="mailto:mark@ibiblio.org">mark@ibiblio.org</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div>Depending on the testing methodology, you can get incorrect results too. This command is floating around as a test at the moment:<br><br>% openssl s_client -connect <a href="http://yourhost.example.com:443" target="_blank">yourhost.example.com:443</a> -tlsextdebug |& grep 'server extension "heartbeat" (id=15)' || echo safe<br>
<br></div>But it'll falsely report 'safe' when this occurs:<br><br>% openssl s_client -connect <a href="http://not-in-dns.example.com:443" target="_blank">not-in-dns.example.com:443</a> -tlsextdebug <br>gethostbyname failure<br>
connect:errno=0<br><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 8, 2014 at 4:58 PM, Peter Tonoli <span dir="ltr"><<a href="mailto:peter@medstv.unimelb.edu.au" target="_blank">peter@medstv.unimelb.edu.au</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Mea culpa.. The installed Debian package was unaffected, however the custom compiled NGinx had a vulnerable OpenSSL statically compiled (which is why I thought it was a false positive).<br>
<br>
----- Original Message -----<br>
> From: "Nathan Brookfield" <<a href="mailto:Nathan.Brookfield@simtronic.com.au" target="_blank">Nathan.Brookfield@simtronic.com.au</a>><br>
> To: "Peter Tonoli" <<a href="mailto:peter@medstv.unimelb.edu.au" target="_blank">peter@medstv.unimelb.edu.au</a>>, "Tim Groeneveld" <<a href="mailto:tim@timg.ws" target="_blank">tim@timg.ws</a>><br>
> Cc: <a href="mailto:ausnog@lists.ausnog.net" target="_blank">ausnog@lists.ausnog.net</a><br>
> Sent: Tuesday, 8 April, 2014 3:20:49 PM<br>
> Subject: RE: [AusNOG] Heartbleed Bug<br>
> After some tests I just did, the site seems 100% correct over the 5 or<br>
> 6 boxes I just checked. I did have to restart the Apache daemon for<br>
> the updated packages to take effect though.<br>
><br>
> -----Original Message-----<br>
> From: AusNOG [mailto:<a href="mailto:ausnog-bounces@lists.ausnog.net" target="_blank">ausnog-bounces@lists.ausnog.net</a>] On Behalf Of<br>
> Peter Tonoli<br>
> Sent: Tuesday, 8 April 2014 3:09 PM<br>
> To: Tim Groeneveld<br>
> Cc: <a href="mailto:ausnog@lists.ausnog.net" target="_blank">ausnog@lists.ausnog.net</a><br>
> Subject: Re: [AusNOG] Heartbleed Bug<br>
><br>
><br>
> > ----- Original Message -----<br>
> > > Hi All,<br>
> > > Now the general public are aware of the Heartbleed bug<br>
> > > <a href="http://heartbleed.com/" target="_blank">http://heartbleed.com/</a> for SSL does anyone have any information<br>
> > > about what routers/switches/load balancers network components may<br>
> > > be<br>
> > > linked with this affected library. I would think that the server<br>
> > > people would have this well in hand but perhaps we may be missing<br>
> > > some critical info of what's buried inside our network kit.<br>
> ><br>
> ><br>
> > You might find this handy:<br>
> ><br>
> > <a href="http://filippo.io/Heartbleed/" target="_blank">http://filippo.io/Heartbleed/</a><br>
><br>
> I'm not entirely sure that it is handy. I've tested it on a host that<br>
> seems to be running a non-vulnerable version of OpenSSL, yet gets<br>
> flagged as being vulnerable on this site..<br>
<span><font color="#888888">><br>
> --<br>
> Peter Tonoli < <a href="mailto:peter@medstv.unimelb.edu.au" target="_blank">peter@medstv.unimelb.edu.au</a> > <a href="tel:%2B61-3-9288-2399" value="+61392882399" target="_blank">+61-3-9288-2399</a> IT<br>
> Manager The University of Melbourne - Eastern Hill Academic Centre,<br>
> St. Vincent's Institute and O'Brien Institute<br>
> _______________________________________________<br>
> AusNOG mailing list<br>
> <a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
> <a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br>
--<br>
Peter Tonoli < <a href="mailto:peter@medstv.unimelb.edu.au" target="_blank">peter@medstv.unimelb.edu.au</a> > <a href="tel:%2B61-3-9288-2399" value="+61392882399" target="_blank">+61-3-9288-2399</a><br>
IT Manager<br>
The University of Melbourne - Eastern Hill Academic Centre, St. Vincent's Institute and O'Brien Institute<br>
</font></span></blockquote></div><br></div>
<br></blockquote></div>
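<p dir="ltr">The one-liner quoted above conflates "openssl could not connect" with "heartbeat extension absent", because <code>grep</code> exits non-zero in both cases and <code>|| echo safe</code> fires. The following is an added example, not code from the thread or from any of its participants: a POSIX shell classifier that reads a captured <code>openssl s_client -tlsextdebug</code> transcript and reports a handshake failure as a failure rather than as "safe". The three sample transcripts are constructed, modelled on the lines quoted in the thread and on the line format openssl prints with <code>-tlsextdebug</code>; the function names are mine. It also keeps the point made at the top of the thread: a server advertising the heartbeat extension has merely not disabled heartbeats, which a backported fix does not do, so that outcome is labelled as needing verification rather than as a verdict.</p>

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies a captured
# `openssl s_client -connect host:443 -tlsextdebug` transcript so that a
# failed connection is reported as a failure rather than as "safe".

# Constructed sample transcripts, modelled on the lines quoted in the thread
# and on the line format openssl prints with -tlsextdebug.
SAMPLE_DNS_FAIL='gethostbyname failure
connect:errno=0'

SAMPLE_HEARTBEAT='CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1
SSL handshake has read 1500 bytes and written 400 bytes'

SAMPLE_NO_HEARTBEAT='CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
SSL handshake has read 1500 bytes and written 400 bytes'

# The one-liner from the thread, applied to a transcript passed in $1.
# It prints "safe" whenever grep finds nothing, including when openssl
# never reached the server at all (fail-open).
original_check() {
    printf '%s\n' "$1" | grep 'server extension "heartbeat" (id=15)' || echo safe
}

# Fail-closed classifier: reads one transcript from stdin and prints one of
#   handshake-failed       no TLS handshake completed; nothing can be concluded
#   heartbeat-ext-present  extension advertised; needs further verification,
#                          since a backported fix leaves the extension enabled
#   no-heartbeat-ext       handshake completed and the extension was absent
classify_heartbeat_check() {
    out=$(cat)
    # Connection-level errors come first: with these present the rest of the
    # transcript says nothing about the server's TLS stack.
    case "$out" in
        *"gethostbyname failure"*|*"connect:errno="*|*"connect: Connection refused"*)
            echo "handshake-failed"; return 0 ;;
    esac
    case "$out" in
        *'server extension "heartbeat" (id=15)'*)
            echo "heartbeat-ext-present"; return 0 ;;
    esac
    # Only a completed handshake justifies "no extension".
    case "$out" in
        *"SSL handshake has read"*)
            echo "no-heartbeat-ext"; return 0 ;;
    esac
    # Unrecognised output (timeout, truncated capture): refuse to call it safe.
    echo "handshake-failed"
}

# Convenience wrapper: classify the transcript passed in $1.
check_sample() {
    printf '%s\n' "$1" | classify_heartbeat_check
}

# Stand-alone demo: the two checks side by side on each constructed sample.
for sample in "$SAMPLE_DNS_FAIL" "$SAMPLE_HEARTBEAT" "$SAMPLE_NO_HEARTBEAT"; do
    printf 'one-liner: %s | classifier: %s\n' \
        "$(original_check "$sample")" "$(check_sample "$sample")"
done
```

<p dir="ltr">Against a live host the transcript is captured first and piped in, for example <code>openssl s_client -connect yourhost.example.com:443 -tlsextdebug &lt;/dev/null 2&gt;&amp;1 | classify_heartbeat_check</code>; the <code>&lt;/dev/null</code> makes s_client exit once the handshake is done, and <code>2&gt;&amp;1</code> is the portable spelling of the <code>|&amp;</code> used in the thread, so the DNS and connect errors reach the classifier instead of the terminal. The exit-status pattern is the general lesson: a check whose "safe" branch is reached on any error is fail-open, so the error cases have to be matched explicitly before the negative result is trusted.</p>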