Educause Security Discussion mailing list archives

Re: Finding Servers Using OpenSSL SSL/TLS


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 11 Apr 2014 15:15:41 -0400

On Fri, 11 Apr 2014 18:24:33 -0000, "Scherck, Daniel" said:

> The result should spit back a few lines listing the TLS Extensions detected
> on the server, and as long as there isn't one that says "heartbeat" you should
> be ok.

Note that there are two sets of patches on the loose - many vendors
backported a quick-and-dirty patch that simply disables heartbeat.
However, if your remediation was to upgrade to OpenSSL 1.0.1g, you
have a heartbeat that includes the missing bounds check.  So it *is*
possible to false-positive - not all boxes that say "heartbeat" are
in fact vulnerable.
