Educause Security Discussion mailing list archives
Re: Finding Servers Using OpenSSL SSL/TLS
From: Joseph Tam <tam () MATH UBC CA>
Date: Sat, 12 Apr 2014 00:18:42 -0700
(Sorry if this is a little stale -- I get this these Emails in digest form) From: "Pratt, Benjamin E." <bepratt () STCLOUDSTATE EDU>
What would be the best option for determining remotely whether a server uti= lizes OpenSSL SSL/TLS for encrypting https traffic?
I don't know about "best", but I did a nmap sweep for vulnerable listening ports, then followed up with the JSPenguin python script. After that, I did it again for SSL enabled service SMTP/AUTH, POP3 and IMAP4. Someone here asked for a STARTTLS version for those, I so made a patched version of the above (I didn't use it since all of my services have SSL direct ports). It seems everybody is fixated on HTTPS ports, but these other services, (and LDAP?) are just as vulnerable, and should not be forgotten. From: "Joel L. Rosenblatt" <joel () COLUMBIA EDU>
We have been running a ssltest python script (from https://gist.github.com/jpicht/10114168) and verifying the results with the http://filippo.io/Heartbleed web site
I also used the RedHat's version at https://access.redhat.com/labs/heartbleed/heartbleed-poc.py The one at github seems easier to modify for testing POP3/TLS or IMAP/TLS by modifying lines 136: # For POP3/TLS s.send("STLS\n") # For IMAP4/TLS s.send("x STARTTLS\n") The Redhat version can also be modified, but you have to lobotomize the SMTP code, because it parses the EHLO output to determine whether the server supports STARTTLS. From: Christopher Jones <Christopher.Jones () UFV CA>
I am curious to know how everyone is communicating the Heartbleed issue to = their respective user communities. I am particularly interested in what my= fellow Canadian universities are saying.
Same as the American version, but with hockey scores, eh. Our campus put this out http://www.it.ubc.ca/openssl-vulnerability-heartbleed-bug and I put out my own Email broadcast, but is was easier for me since I had patched everything by that point. However, once it hit the popular media, I knew I had to get ahead of this issue, or get buried by IT support mail. The standard rules for mass communication applies: put the most information up front, bury the technical details at the bottom, keep it simple. Joseph Tam <tam () math ubc ca>
Current thread:
- Re: Finding Servers Using OpenSSL SSL/TLS, (continued)
- Re: Finding Servers Using OpenSSL SSL/TLS Ken Connelly (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Tim Doty (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Peter Setlak (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Pratt, Benjamin E. (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Scherck, Daniel (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Scherck, Daniel (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Valdis Kletnieks (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Danny Schales (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Kevin Wilcox (Apr 11)