
Re: Subversion and Heartbleed

From: Stefan Sperling <stsp_at_elego.de>
Date: Sun, 13 Apr 2014 13:45:59 +0200

On Sun, Apr 13, 2014 at 07:21:26AM -0400, Nico Kadel-Garcia wrote:
> I'm assuming that the vulnerability for particular httpd (Apache 2.x)
> web servers is *only* activated when the "mod_ssl" module is loaded,

Yes. The server must perform TLS negotiation using a vulnerable
OpenSSL version. Data leaked via heartbleed can come from unrelated
connections handled by the same server process, whether or not those
other connections use TLS.

> I've not seen any verification that proxies set for simple HTTP
> pass-through are vulnerable. I suspect they're safe, but I'd really
> like to have a test tool to verify this. Has anyone seen a Heartbleed
> test tool that will test HTTP sites, or HTTPS on ports other than 443?

There are published test scripts. You can edit them and change the port.
E.g. https://github.com/musalbas/heartbleed-masstest/blob/master/ssltest.py
will do what you want if you adjust the port number (and perhaps
simplify the argument processing such that the script probes a
single server specified on the command line).
Received on 2014-04-13 13:47:08 CEST
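
An added example, not part of the original mail and not taken from the linked script: a passive inventory check for the condition discussed above (httpd doing TLS with a vulnerable OpenSSL), done by classifying the `Server` header a host returns on whatever port it listens on. The function name `classify_banner` and the sample banners are constructed for illustration; it assumes the `OpenSSL/` token is exposed (`ServerTokens Full`) and compares it against the upstream affected releases, 1.0.1 through 1.0.1f and 1.0.2-beta/1.0.2-beta1.

```python
import re

# Upstream OpenSSL releases affected by Heartbleed: 1.0.1 through 1.0.1f and
# 1.0.2-beta / 1.0.2-beta1 (fixed in 1.0.1g and 1.0.2-beta2).
AFFECTED_101_LETTERS = ("", "a", "b", "c", "d", "e", "f")
AFFECTED_102_BETAS = ("beta", "beta1")

# Matches tokens such as OpenSSL/1.0.1e, OpenSSL/1.0.1e-fips, OpenSSL/1.0.2-beta1
OPENSSL_TOKEN = re.compile(r"OpenSSL/(\d+\.\d+\.\d+)([a-z]*)(?:-([a-z0-9]+))?")


def classify_banner(banner):
    """Classify one httpd Server header value; returns (verdict, detail)."""
    m = OPENSSL_TOKEN.search(banner)
    if m is None:
        # No OpenSSL token: mod_ssl not loaded, or ServerTokens hides it.
        return ("unknown", "no OpenSSL version in banner")
    base, letter, suffix = m.group(1), m.group(2), m.group(3) or ""
    version = m.group(0).split("/", 1)[1]
    if base == "1.0.1" and letter in AFFECTED_101_LETTERS:
        # Assumption: distro builds may carry a backported fix under the same
        # version string, so this verdict means "check the package changelog".
        return ("check", "upstream %s is in the affected range" % version)
    if base == "1.0.2" and letter == "" and suffix in AFFECTED_102_BETAS:
        return ("check", "upstream %s is in the affected range" % version)
    return ("not-affected", "upstream %s is outside the affected range" % version)


# Constructed sample banners, not taken from any real server.
SAMPLES = [
    "Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1e DAV/2 SVN/1.8.8",
    "Apache/2.4.9 (Unix) OpenSSL/1.0.1g SVN/1.8.8",
    "Apache/2.2.15 (CentOS) mod_ssl/2.2.15 OpenSSL/1.0.0-fips",
    "Apache",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, detail = classify_banner(sample)
        print("%-12s %-45s %s" % (verdict, detail, sample))
```

An "unknown" verdict proves nothing either way, and a "check" verdict still needs the installed package's changelog to confirm whether the fix was backported.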

This is an archived mail posted to the Subversion Dev mailing list.
