OpenSSL HeartBleed (CVE-2014-0160)

Was my OpenSSL affected by the OpenSSL HeartBleed Bug (CVE-2014-0160)?

It really depends on your SSL termination setup.
If SSL is terminated directly on your Apache server, make sure your OpenSSL version is either patched or not one of the affected versions.

If SSL is instead terminated on a network load balancer such as F5 LTM, you will need to check the model you are using and the SSL mode in use.

You may find links above for steps on how to check.
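
For the case where SSL terminates on your own server, the following is an added example (not part of the original post) that classifies the `openssl version` banner against the upstream affected range: 1.0.1 through 1.0.1f and 1.0.2-beta through 1.0.2-beta1 are affected, 1.0.1g is fixed. The function name and result strings are hypothetical.

```shell
#!/bin/sh
# Added example: classify an `openssl version` banner against the upstream
# CVE-2014-0160 range. Upstream: 1.0.1 through 1.0.1f affected, 1.0.1g fixed;
# 1.0.2-beta and 1.0.2-beta1 affected; 0.9.8 and 1.0.0 branches not affected.
# The function name and result strings are hypothetical.

heartbleed_status() {
    # $1: banner line, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013"
    # $2: optional "compiler:" line from `openssl version -a`
    hb_ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    if [ -z "$hb_ver" ]; then echo unknown; return 0; fi

    # A build with heartbeats compiled out does not process heartbeat requests.
    case "$2" in
        *-DOPENSSL_NO_HEARTBEATS*) echo heartbeat-disabled; return 0 ;;
    esac

    hb_ver=${hb_ver%-fips}   # distribution builds often append -fips
    case "$hb_ver" in
        1.0.1|1.0.1[abcdef])      echo affected-range ;;
        1.0.2-beta|1.0.2-beta1)   echo affected-range ;;
        1.0.1[ghijklmnopqrstu])   echo fixed-upstream ;;
        1.0.2*|1.1.*|[3-9].*)     echo fixed-upstream ;;
        0.9.*|1.0.0*)             echo branch-not-affected ;;
        *)                        echo unknown ;;
    esac
}

# Classify the local binary when run directly (skipped if openssl is absent).
if command -v openssl >/dev/null 2>&1; then
    banner=$(openssl version 2>/dev/null || true)
    flags=$(openssl version -a 2>/dev/null | grep '^compiler:' || true)
    echo "$banner -> $(heartbleed_status "$banner" "$flags")"
fi
```

Distribution packages can carry the fix as a backport without changing the banner, so an `affected-range` result means the package changelog still has to be checked, for example with `rpm -q --changelog openssl | grep CVE-2014-0160` on an RPM-based system.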

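How to test remotely?
Run the command below from a client machine. If it returns "safe", your version was not affected. The command only looks for the heartbeat extension in the server's response, so a server that does list the extension still needs its version checked, because patched builds can advertise heartbeat too.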
$ openssl s_client -connect  -tlsextdebug 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo safe


Or you can download the script below and run it:

[root@rhel6 test]# ./ -p 443
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 53
 ... received message: type = 22, ver = 0302, length = 3234
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
Unexpected EOF receiving record header - server closed connection
No heartbeat response received, server likely not vulnerable

More detailed info from Red Hat can be found here:
