I have to say I'm wary of using this for any servers I control; what if they turn out to be vulnerable and this page is just collecting a list of machines to examine in detail later?
Has anyone found an offline tool for checking this?
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Thanks, but I have already installed an updated package [0] that is supposed to fix it but doesn't bump the version number, so I'd like a direct check, just to quell my internal raving paranoid :)
It's kind of ironic that there are going to be NSA employees who are pissed that this got out. Here's a rewrite once the variable being the elephant in the room is plugged in:
"The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeart Extension packets, which allows the NSA to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c"
14 comments
[ 3.5 ms ] story [ 53.2 ms ] threadHas anyone found an offline tool for checking this?
[0] https://github.com/FiloSottile/Heartbleed
Status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT vulnerable OpenSSL 1.0.0 branch is NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable
[0] http://lists.centos.org/pipermail/centos-announce/2014-April...
pikachu@BATTLEGYM ~/heartbleeder $ date
Tue Apr 8 05:43:57 PDT 2014
pikachu@BATTLEGYM ~/heartbleeder $ ./heartbleeder mail.yahoo.com
INSECURE - mail.yahoo.com:443 has the heartbeat extension enabled and is vulnerable
.....huh....I bet I know what security breach article I'll be reading in the next few days.
"The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeart Extension packets, which allows the NSA to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c"