Educause Security Discussion mailing list archives

Re: Finding Servers Using OpenSSL SSL/TLS

From: Peter Setlak <psetlak () COLGATE EDU>
Date: Fri, 11 Apr 2014 13:15:57 -0400

Along with watching for SSL traffic, we've been checking systems that may
have OpenSSL installed and running:

./openssl version

Hoping they come back 0.98 (or at least not 1.0.1[-f]).


On Fri, Apr 11, 2014 at 1:11 PM, Joel L. Rosenblatt <joel () columbia edu>wrote:

We have been running a ssltest python script (from
https://gist.github.com/jpicht/10114168) and verifying the results
with the http://filippo.io/Heartbleed web site

We have repaired all but 1 or 2 at this point - the process will keep
on running to catch new ones that will pop up

Thanks,
Joel


Joel Rosenblatt, Director Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033<%20212%20854%203033>
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3


On Fri, Apr 11, 2014 at 12:52 PM, Steven Carmody
<steven_carmody () brown edu> wrote:

On 4/11/14 12:49 PM, Joel L. Rosenblatt wrote:


We keep a constantly updating list of any IP address that accepts
connections on port 443 using netflow information, we test them for
the Heartbleed bug and inform the machine owner if they have a problem


Can you provide any more detailing info about how you test machines for

the

Heartbleed vulnerability ? Are you looking at the headers that returned,

or

doing something else ?




-- 
Thank you,

Peter J. Setlak
Network Security Analyst, GSEC, GLEG, GCPM
Colgate University
---
psetlak () colgate edu
(315) 228-7151
Case-Geyer 450

Colgate IT Security - http://colgate.edu/itsecurity

Think *Green!* Please consider the environment before printing this email.


*Engage with Colgate University: *
News blog <http://blogs.colgate.edu/>,
Twitter<https://twitter.com/#%21/colgateuniv>
, Facebook <https://www.facebook.com/colgateuniversity>,
Google+<https://plus.google.com/u/0/b/113333907606560373469/>
, Delicious <http://www.delicious.com/colgatenewsmakers>,
YouTube<http://www.youtube.com/cuatchannel13>
, Flickr <http://www.flickr.com/photos/colgateuniversity/>,
Pinterest<http://pinterest.com/colgateuniv/>
, LinkedIn <http://www.linkedin.com/company/colgate-university/>

Current thread:

Finding Servers Using OpenSSL SSL/TLS Pratt, Benjamin E. (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Joel L. Rosenblatt (Apr 11)
  - Re: Finding Servers Using OpenSSL SSL/TLS Mike Cunningham (Apr 11)
    - Re: Finding Servers Using OpenSSL SSL/TLS Peter Setlak (Apr 11)
    - Re: Finding Servers Using OpenSSL SSL/TLS Joel L. Rosenblatt (Apr 11)
    - Re: Finding Servers Using OpenSSL SSL/TLS Mally Mclane (Apr 11)
    - Re: Finding Servers Using OpenSSL SSL/TLS Joel L. Rosenblatt (Apr 11)
    - Re: Finding Servers Using OpenSSL SSL/TLS Cheryl O'Dell (Apr 11)
  - Re: Finding Servers Using OpenSSL SSL/TLS Steven Carmody (Apr 11)
    - Re: Finding Servers Using OpenSSL SSL/TLS Joel L. Rosenblatt (Apr 11)
    - Re: Finding Servers Using OpenSSL SSL/TLS Peter Setlak (Apr 11)
    - Re: Finding Servers Using OpenSSL SSL/TLS Ken Connelly (Apr 11)
    - Re: Finding Servers Using OpenSSL SSL/TLS Tim Doty (Apr 11)
    - Re: Finding Servers Using OpenSSL SSL/TLS Peter Setlak (Apr 11)
    - Re: Finding Servers Using OpenSSL SSL/TLS Pratt, Benjamin E. (Apr 11)
    - Re: Finding Servers Using OpenSSL SSL/TLS Scherck, Daniel (Apr 11)
    - Re: Finding Servers Using OpenSSL SSL/TLS Scherck, Daniel (Apr 11)
    - Re: Finding Servers Using OpenSSL SSL/TLS Valdis Kletnieks (Apr 11)
    - Re: Finding Servers Using OpenSSL SSL/TLS Danny Schales (Apr 11)
    - Re: Finding Servers Using OpenSSL SSL/TLS Kevin Wilcox (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Paul Hanson (Apr 11)

(Thread continues...)