Educause Security Discussion mailing list archives
Re: Finding Servers Using OpenSSL SSL/TLS
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 11 Apr 2014 15:15:41 -0400
On Fri, 11 Apr 2014 18:24:33 -0000, "Scherck, Daniel" said:
> The result should spit back a few lines listing the TLS Extensions detected on the server, and as long as there isn't one that says "heartbeat" you should be ok.
Note that there are two sets of patches on the loose - many vendors backported a quick-and-dirty patch that simply disables heartbeat. However, if your remediation was to upgrade to OpenSSL 1.0.1g, you have a heartbeat that includes the missing bounds check. So it *is* possible to false-positive - not all boxes that say "heartbeat" are in fact vulnerable.
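The false-positive case described in this message, as an added triage example that is not part of the original post: it combines the extension listing with an inventory version string so that a host advertising "heartbeat" is sorted rather than simply flagged. It assumes the listing uses the line format printed by `openssl s_client -tlsextdebug` and that the version comes from a separate source such as the package manager; the hostnames, sample output and result labels are constructed for illustration.

```python
import re

EXT_RE = re.compile(r'TLS server extension "([^"]+)" \(id=(\d+)\)')
VER_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)([a-z]?)$')

def advertises_heartbeat(scan_output):
    """True if the extension listing names heartbeat (TLS extension id 15)."""
    return any(name == "heartbeat" or ext_id == "15"
               for name, ext_id in EXT_RE.findall(scan_output))

def in_unfixed_range(version):
    """True for upstream 1.0.1 through 1.0.1f, None if the string is unparseable."""
    m = VER_RE.match(version or "")
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (major, minor, fix) == ("1", "0", "1") and letter < "g"

def triage(scan_output, version=None):
    """Sort one host into a follow-up bucket (labels are hypothetical)."""
    if not advertises_heartbeat(scan_output):
        return "no-heartbeat"        # extension disabled or not built in
    unfixed = in_unfixed_range(version)
    if unfixed is None:
        return "verify"              # heartbeat seen, patch level unknown
    if unfixed:
        # Upstream-unfixed version string; a vendor may still have
        # backported the bounds check, so confirm the package build.
        return "check-vendor-patch"
    return "heartbeat-fixed-version" # e.g. 1.0.1g: advertised, bounds-checked

# Constructed sample data: (extension listing, inventory version).
HEARTBEAT = ('TLS server extension "renegotiation info" (id=65281), len=1\n'
             'TLS server extension "heartbeat" (id=15), len=1\n')
NO_HEARTBEAT = 'TLS server extension "renegotiation info" (id=65281), len=1\n'
SAMPLE_HOSTS = {
    "upgraded.example.edu": (HEARTBEAT, "1.0.1g"),
    "backport.example.edu": (NO_HEARTBEAT, "1.0.1e"),
    "stale.example.edu": (HEARTBEAT, "1.0.1e"),
    "appliance.example.edu": (HEARTBEAT, None),
}

def triage_all(hosts):
    return {host: triage(out, ver) for host, (out, ver) in hosts.items()}

if __name__ == "__main__":
    for host, result in triage_all(SAMPLE_HOSTS).items():
        print(f"{host}: {result}")
```
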