Re: Subversion and Heartbleed

From: Stefan Sperling <stsp_at_elego.de>
Date: Sun, 13 Apr 2014 13:45:59 +0200

On Sun, Apr 13, 2014 at 07:21:26AM -0400, Nico Kadel-Garcia wrote:
> I'm assuming that the vulnerability for particular httpd (Apache 2.x)
> web servers is *only* activated when the "mod_ssl" module is loaded,

Yes. The server must perform TLS negotiation using a vulnerable
OpenSSL version. Data leaked via heartbleed can come from unrelated
connections handled by the same server process, whether or not those
other connections use TLS.

> I've not seen any verification that proxies set for simple HTTP
> pass-through are vulnerable. I suspect they're safe, but I'd really
> like to have a test tool to verify this. Has anyone seen a Heartbleed
> test tool that will test HTTP sites, or HTTPS on ports other than 443?

There are published test scripts. You can edit them and change the port.
E.g. https://github.com/musalbas/heartbleed-masstest/blob/master/ssltest.py
will do what you want if you adjust the port number (and perhaps
simplify the argument processing such that the script probes a
single server specified on the command line).
Received on 2014-04-13 13:47:08 CEST

This message: [ Message body ]
Next message: Bert Huijben: "RE: svn commit: r1586922 - in /subversion/trunk/subversion: include/private/svn_io_private.h include/svn_types.h libsvn_subr/io.c libsvn_subr/stream.c"
Previous message: Nico Kadel-Garcia: "Re: Subversion and Heartbleed"
In reply to: Nico Kadel-Garcia: "Re: Subversion and Heartbleed"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]