Educause Security Discussion mailing list archives
Re: Finding Servers Using OpenSSL SSL/TLS
From: Cheryl O'Dell <cherylo () UNL EDU>
Date: Fri, 11 Apr 2014 20:14:51 +0000
Ben, We used NMAP to quickly find all of our susceptible server (script we got from the SANS webcast a couple of nights ago) and are reaching out to system owners to tell them to patch/restart/new SSL certs. Cheryl O Cheryl O'Dell, CISSP Sr. Information Security Analyst University of Nebraska/Lincoln 126 501 Building, 68588-0203 (402) 472-7851 cherylo () unl edu Information Technology Services Reliable. Resourceful. Relevant.
On Fri, Apr 11, 2014 at 11:33 AM, Pratt, Benjamin E. <bepratt () stcloudstate edu> wrote:Good morning everyone. The question: What would be the best option for determining remotely whether a server utilizes OpenSSL SSL/TLS for encrypting https traffic? The background: I'm hoping the list can provide a little assistance in dealing with the aftermath of the Heartbleed vulnerability. The good news is a scan of our campus network indicates that we are nearly fully patched. The bad news is that not all of the https servers utilizing OpenSSL SSL/TLS are centrally controlled. This means that we don't know which servers were patched before our first scan and therefore where all of the servers that were vulnerable, over the past two years, are located. I am attempting to put together options that include changing out SSL certificates and notifying users of previously vulnerable systems to update passwords. If I am able to provide more specific information about the scope of our endeavor it would certainly be an added value. Thank you, Ben -- Benjamin Pratt St. Cloud State University
Current thread:
- Finding Servers Using OpenSSL SSL/TLS Pratt, Benjamin E. (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Joel L. Rosenblatt (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Mike Cunningham (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Peter Setlak (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Joel L. Rosenblatt (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Mally Mclane (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Joel L. Rosenblatt (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Cheryl O'Dell (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Mike Cunningham (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Joel L. Rosenblatt (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Steven Carmody (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Joel L. Rosenblatt (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Peter Setlak (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Ken Connelly (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Tim Doty (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Peter Setlak (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Pratt, Benjamin E. (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Scherck, Daniel (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Scherck, Daniel (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Valdis Kletnieks (Apr 11)