Was my OpenSSL affected by the OpenSSL Heartbleed Bug (CVE-2014-0160)?
http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html
http://www.inmotionhosting.com/support/website/security/protect-data-fix-openssl-heartbleed-bug
https://www.nccgroup.com/en/blog/2014/04/heartbleed-openssl-vulnerability/
It really depends on your SSL termination setup.
If SSL is terminated directly on your Apache server, check whether your OpenSSL version is one of the affected versions and whether it has been patched.
If SSL is terminated on a network load balancer such as an F5 LTM, you will need to check the model you are using and the SSL mode in use.
The links above give steps on how to check.
How to test remotely?
Run the command below from a client machine; if it prints “safe”, the server did not advertise the heartbeat extension and your version was not affected.
$ openssl s_client -connect www.coursera.org:443 -tlsextdebug 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo safe
safe
Or you can download the script from the link below and run it:
https://gist.github.com/takeshixx/10107280
[root@rhel6 test]# ./hb-test.py -p 443 www.hlb.com.my
Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 53
... received message: type = 22, ver = 0302, length = 3234
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
Unexpected EOF receiving record header - server closed connection
No heartbeat response received, server likely not vulnerable
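As an added example (not from this post or the gist it links to), the Python below parses TLS records like the "type = 22, ver = 0302" lines in the hb-test output, pulls the extensions out of the ServerHello, and reports whether extension id 15 is present, which is the same signal the openssl s_client one-liner greps for. The ServerHello bytes are constructed inline so it runs offline.

```python
import struct

HANDSHAKE = 22          # record type 22, the "type = 22" lines in the hb-test output
SERVER_HELLO = 2
HEARTBEAT_EXT = 0x000F  # extension id 15, the 'server extension "heartbeat"' line

def parse_records(data):
    """Split captured bytes into TLS records as (type, version, payload)."""
    records = []
    while len(data) >= 5:
        rtype, version, length = struct.unpack("!BHH", data[:5])
        payload = data[5:5 + length]
        if len(payload) < length:
            break                      # truncated record: stop, do not guess
        records.append((rtype, version, payload))
        data = data[5 + length:]
    return records

def server_hello_extensions(payload):
    """Return {ext_type: ext_data} parsed from a ServerHello handshake message."""
    if not payload or payload[0] != SERVER_HELLO:
        return {}
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    pos = 2 + 32                       # server_version + random
    pos += 1 + body[pos]               # length-prefixed session_id
    pos += 2 + 1                       # cipher_suite + compression_method
    exts = {}
    if pos + 2 > len(body):
        return exts                    # hello carries no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def advertises_heartbeat(data):
    """True if any ServerHello in the capture carries extension 15."""
    return any(rtype == HANDSHAKE and HEARTBEAT_EXT in server_hello_extensions(p)
               for rtype, _ver, p in parse_records(data))

def build_server_hello(extensions):
    """Constructed TLS 1.1 ServerHello (zeroed random) for offline testing."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x02" + b"\x00" * 32 + b"\x00" + b"\x00\x2f\x00"  # ver, random,
            + struct.pack("!H", len(ext_bytes)) + ext_bytes)        # sid, suite, comp
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0302, len(hs)) + hs
```

A server that advertises the extension is not necessarily vulnerable, since patched OpenSSL builds still advertise it; treat a positive result as a prompt to verify the installed version, while its absence is the "safe" case.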
More detailed information from Red Hat can be found here:
https://access.redhat.com/site/articles/786463