Educause Security Discussion mailing list archives
Re: Finding Servers Using OpenSSL SSL/TLS
From: Danny Schales <dan () LATECH EDU>
Date: Fri, 11 Apr 2014 15:53:20 -0500
On 04/11/2014 13:24, Scherck, Daniel wrote:
You can check for the basic heartbeat vulnerability using an OpenSSL client, presuming you can hit the server from your location:

openssl s_client -connect <servername>:443 -tlsextdebug | grep "server extens"

The result should spit back a few lines listing the TLS Extensions detected on the server, and as long as there isn't one that says "heartbeat" you should be ok.
Note: This only works using an openssl client that has support for the heartbeat extension. If you run it using a version prior to 1.0.1, then you won't see the heartbeat extension and will think you are safe, when in fact you are not.

Run the test from a system running 1.0.1g and just grep heart :)

Danny Schales
Louisiana Tech University
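Added example, not part of the original messages: a shell wrapper around the check above that reports "inconclusive" instead of a false all-clear when the local client cannot negotiate heartbeat. The function names and sample output are constructed here, and treating only 1.0.1/1.0.2 clients as heartbeat-capable is an assumption of this example.

```shell
#!/bin/sh
# Added example: classify the -tlsextdebug heartbeat check so that a client
# without heartbeat support never produces a misleading "safe" answer.

# client_can_see_heartbeat VERSION_STRING   (output of `openssl version`)
# Succeeds for client builds assumed to offer the TLS heartbeat extension.
# Pre-1.0.1 clients lack it (per the message above); limiting the list to
# the 1.0.1 and 1.0.2 series is this example's assumption.
client_can_see_heartbeat() {
    case "$1" in
        "OpenSSL 1.0.1"*|"OpenSSL 1.0.2"*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_heartbeat VERSION_STRING S_CLIENT_OUTPUT
# Prints one of: advertised | not-advertised | inconclusive
# "advertised" only means the extension is enabled; a patched 1.0.1g server
# still advertises it, so follow up with a version check on that host.
classify_heartbeat() {
    client_can_see_heartbeat "$1" || { echo inconclusive; return 0; }
    # No extension lines at all: failed handshake or nothing to judge from.
    if ! printf '%s\n' "$2" | grep -qF 'TLS server extension'; then
        echo inconclusive; return 0
    fi
    if printf '%s\n' "$2" | grep -qF 'TLS server extension "heartbeat"'; then
        echo advertised
    else
        echo not-advertised
    fi
}

# check_host SERVERNAME: run the real check against port 443.
check_host() {
    out=$(openssl s_client -connect "$1:443" -tlsextdebug </dev/null 2>/dev/null)
    classify_heartbeat "$(openssl version)" "$out"
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_HB='CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1'
SAMPLE_NO_HB='CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1'
```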