Educause Security Discussion mailing list archives

Re: Finding Servers Using OpenSSL SSL/TLS


From: Joseph Tam <tam () MATH UBC CA>
Date: Sat, 12 Apr 2014 00:18:42 -0700

(Sorry if this is a little stale -- I get these Emails in digest form)

From:    "Pratt, Benjamin E." <bepratt () STCLOUDSTATE EDU>

What would be the best option for determining remotely whether a server
utilizes OpenSSL SSL/TLS for encrypting https traffic?

I don't know about "best", but I did a nmap sweep for vulnerable listening
ports, then followed up with the JSPenguin python script.

After that, I did it again for SSL enabled service SMTP/AUTH, POP3
and IMAP4.  Someone here asked for a STARTTLS version for those, so I
made a patched version of the above (I didn't use it since all of my
services have SSL direct ports).

It seems everybody is fixated on HTTPS ports, but these other services,
(and LDAP?) are just as vulnerable, and should not be forgotten.

From:    "Joel L. Rosenblatt" <joel () COLUMBIA EDU>

We have been running a ssltest python script (from
https://gist.github.com/jpicht/10114168) and verifying the results
with the http://filippo.io/Heartbleed web site

I also used the RedHat's version at

        https://access.redhat.com/labs/heartbleed/heartbleed-poc.py

The one at github seems easier to modify for testing POP3/TLS or IMAP/TLS
by modifying lines 136:

        # For POP3/TLS
        s.send("STLS\n")

        # For IMAP4/TLS
        s.send("x STARTTLS\n")

The Redhat version can also be modified, but you have to lobotomize the
SMTP code, because it parses the EHLO output to determine whether the
server supports STARTTLS.

From:    Christopher Jones <Christopher.Jones () UFV CA>

I am curious to know how everyone is communicating the Heartbleed issue to
their respective user communities.  I am particularly interested in what my
fellow Canadian universities are saying.

Same as the American version, but with hockey scores, eh.

Our campus put this out

        http://www.it.ubc.ca/openssl-vulnerability-heartbleed-bug

and I put out my own Email broadcast, but it was easier for me since
I had patched everything by that point.  However, once it hit the
popular media, I knew I had to get ahead of this issue, or get buried
by IT support mail.

The standard rules for mass communication apply: put the most information
up front, bury the technical details at the bottom, keep it simple.

Joseph Tam <tam () math ubc ca>
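
Added example, not part of the original message and not code from either script it mentions: the STARTTLS step discussed above for POP3, IMAP4 and SMTP, written in Python 3 as reply parsing that decides which mail services negotiate TLS and so belong in the same TLS library checks as HTTPS. Host names and server replies are constructed samples, and the function names are hypothetical.

```python
import re

# Plaintext command that asks the server to switch the session to TLS.
# The RFCs (2595 for POP3/IMAP, 3207 for SMTP) specify CRLF line endings.
UPGRADE = {"pop3": b"STLS\r\n", "imap": b"x STARTTLS\r\n", "smtp": b"STARTTLS\r\n"}

def smtp_offers_starttls(ehlo_reply):
    """True if a multi-line EHLO reply ("250-..." / "250 ...") lists STARTTLS."""
    for line in ehlo_reply.split(b"\r\n"):
        m = re.match(rb"250[- ](\S+)", line)
        if m and m.group(1).upper() == b"STARTTLS":
            return True
    return False

def upgrade_accepted(proto, reply):
    """True if the reply to UPGRADE[proto] means the TLS handshake may begin."""
    lines = [l for l in reply.split(b"\r\n") if l]
    if not lines:
        return False
    if proto == "pop3":
        return lines[0].upper().startswith(b"+OK")
    if proto == "smtp":
        return lines[0].startswith(b"220")
    if proto == "imap":
        # Untagged "* ..." lines may precede the completion for our tag "x".
        for line in lines:
            parts = line.split(b" ", 2)
            if len(parts) >= 2 and parts[0] == b"x":
                return parts[1].upper() == b"OK"
        return False
    raise ValueError("unknown protocol: %r" % proto)

def tls_capable(transcripts):
    """Names of services whose constructed transcript shows a TLS upgrade."""
    return [name for name, proto, reply in transcripts if upgrade_accepted(proto, reply)]

# Constructed sample replies (not captured from any real server).
EHLO = b"250-mail.example.edu\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
SAMPLES = [
    ("pop3.example.edu:110", "pop3", b"+OK Begin TLS negotiation\r\n"),
    ("imap.example.edu:143", "imap", b"x OK Begin TLS negotiation now\r\n"),
    ("old-imap.example.edu:143", "imap", b"x BAD Unknown command\r\n"),
    ("smtp.example.edu:25", "smtp", b"220 2.0.0 Ready to start TLS\r\n"),
    ("relay.example.edu:25", "smtp", b"502 5.5.1 Command not implemented\r\n"),
]

if __name__ == "__main__":
    print("EHLO advertises STARTTLS:", smtp_offers_starttls(EHLO))
    for name in tls_capable(SAMPLES):
        print("include in TLS library checks:", name)
```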

