Forum Discussion
squip_86995
Apr 07, 2014, Nimbostratus
OpenSSL and Heart Bleed Vuln
Hi Team,
I know this question is eventually going to be asked - I may as well do it.
With the news today about the Heartblee...
squip_86995
Apr 08, 2014, Nimbostratus
You can check if you are returning the TLS heartbeat extension using the following from bash:
openssl s_client -connect google.com:443 -tlsextdebug 2>&1| grep 'server extension "heartbeat" (id=15)' || echo safe
It will return the extension if affected, otherwise "Safe". If it does return the extension, check your version of OpenSSL ...This should be no-one running an F5 I don't think.
- wbbigdave_97776 (Apr 08, 2014, Nimbostratus): From what are you running this bash?
- squip_86995 (Apr 08, 2014, Nimbostratus): From my workstation
- Frank__30499 (Apr 08, 2014, Nimbostratus): The string just before the pipe symbol is translated. It should be 2>&1 to tie stderr to stdout.
- ionepoch_150260 (Apr 08, 2014, Nimbostratus): squip ... this is a nice command you pasted warning... for clarification though... i think the source workstation you are testing must not be running 0.9.8 ... i.e. ... i think your testing workstation should ideally be running OpenSSL 1.0.1 ... otherwise your script will report safe when you are not running out of time patching stuff... but, the command you provided could probably be altered to check the local version of openssl first... then test the remote site to check
- squip_86995 (Apr 08, 2014, Nimbostratus): Thanks for that Frank - Looks like the forums translated it as literal HTML, I have corrected it (the code block isn't that user friendly). @ionepoch - I don't think it should matter, it's only checking for the TLS server extension so it should be agnostic of the version running locally I would have thought...
- Alois_102001 (Apr 08, 2014, Nimbostratus): I tried openssl s_client -connect google.com:443 -tlsextdebug -> got "TLS server extension "heartbeat" (id=15), len=1". I have done a double check with http://filippo.io/Heartbleed/google.com:443 -> got "All good, google.com:443 seems not affected!" So I am not sure which tool I should trust? Any further ideas?
- squip_86995 (Apr 08, 2014, Nimbostratus): It just means that they are returning the Heartbeat TLS Extension, but are not necessarily vulnerable... It was just a quick check prior to these PoC sites turning up. I used it to scan through all my sites to check if I return that extension; if I did, I did more investigation to see if I need to patch OpenSSL :)
- ionepoch_150260 (Apr 08, 2014, Nimbostratus): @squip Here's a test from a linux box with openssl 1.0.1 (i.e. shows that google could have a problem if they haven't upgraded openssl):
  openssl s_client -connect google.com:443 -tlsextdebug 2>&1 | less
  CONNECTED(00000003)
  TLS server extension "renegotiation info" (id=65281), len=1
  0001 -
  TLS server extension "EC point formats" (id=11), len=4
  0000 - 03 00 01 02 ....
  TLS server extension "session ticket" (id=35), len=0
  TLS server extension "heartbeat" (id=15), len=1
  0000 - 01 .
  depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
  verify error:num=20:unable to get local issuer certificate
  verify return:0
  ---
  Certificate chain
   0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
     i:/C=US/O=Google Inc/CN=Google Internet Authority G2
   1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
     i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
     i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  ---
  Server certificate
  ...
  And here's from a Mac OSX Mavericks 0.9.8 (i.e. does not show the problem):
  openssl s_client -connect google.com:443 -tlsextdebug 2>&1 | less
  CONNECTED(00000003)
  TLS server extension "renegotiate" (id=65281), len=1
  0001 -
  depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
  verify error:num=20:unable to get local issuer certificate
  verify return:0
  ---
  Certificate chain
   0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
     i:/C=US/O=Google Inc/CN=Google Internet Authority G2
   1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
     i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
     i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  ---
  Server certificate
  ...
  Long story short... I really think you need to test with openssl 1.0.1 to detect the problem (or... perhaps there are some extra command line arguments to throw at openssl to force the communication to use a certain protocol / cipher etc)
- squip_86995 (Apr 08, 2014, Nimbostratus): Very interesting, thanks for the update - I appreciate it! I'm using this now https://gist.github.com/takeshixx/10107280
- DR_A__18839 (Apr 09, 2014, Historic F5 Account): To better automate, the following alteration to the above s_client command may be useful:
  [code]
  echo "QUIT"|openssl s_client -connect google.com:443 -tlsextdebug 2>&1|grep 'server extension "heartbeat" (id=15)' || echo safe
  [/code]
  Or, if you're like me, and want to check all the places you frequent:
  [code]
  for s in amazon.com google.com gmail.com secure.supersecret.com:4443; do
    pt=`echo "$s"|cut -d: -sf2`
    [ -z "$pt" ] && pa=':443' || pa=''
    echo "QUIT"|openssl s_client -connect $s$pa -tlsextdebug 2>&1|grep 'server extension "heartbeat" (id=15)' >/dev/null && echo -e "VULN\t$s" || echo -e "safe\t$s"
  done
  [/code]
  Obviously the domains are just for example. Make sure the domains used are those actually in use on the secure version of the website (it isn't always www.mydomain.com, sometimes the secure site is on, or login is handled via, another domain). Lastly, it worked for me. Hope it works for you. Provided as-is.
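The thread raises two points that the one-liners above do not handle: ionepoch's observation that an old client (the 0.9.8 build on OS X) never asks for the heartbeat extension, so the check prints "safe" for any host, and squip's later clarification that seeing the extension only means it is negotiated, not that the server is vulnerable. The script below is an added example written for this page; it is not code from any poster or from F5. It wraps the same `openssl s_client -tlsextdebug` check, but first looks at the local `openssl version` string and reports "inconclusive" unless the client is from the 1.0.1/1.0.2 line (the only OpenSSL versions this example assumes will request heartbeat; adjust the range if you know what your build does), and it labels a positive result as "heartbeat-advertised" rather than "VULN". The sample transcripts embedded for offline use are abridged from ionepoch's two captures above; the function names and the host argument handling are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): heartbeat-extension check that refuses
# to draw a conclusion when the local OpenSSL client cannot have requested the
# extension, and that never equates "extension present" with "vulnerable".

# Return 0 if the `openssl version` line in $1 is from the OpenSSL 1.0.1/1.0.2
# line. Assumption of this example: heartbeat was added in 1.0.1 and dropped
# in later major lines (the exact version depends on the build), so only
# 1.0.x with x >= 1 is treated as a client that sends the extension.
# Anything else (including LibreSSL) is treated as unknown, i.e. inconclusive.
local_client_sends_heartbeat() {
    case "$1" in OpenSSL\ *) ;; *) return 1 ;; esac
    ver=$(printf '%s\n' "$1" | awk '{print $2}' | sed 's/[^0-9.].*$//')   # "1.0.1e" -> "1.0.1"
    major=$(printf '%s\n' "$ver" | cut -d. -f1)
    minor=$(printf '%s\n' "$ver" | cut -d. -f2)
    patch=$(printf '%s\n' "$ver" | cut -d. -f3)
    [ "${major:-0}" -eq 1 ] && [ "${minor:-0}" -eq 0 ] && [ "${patch:-0}" -ge 1 ]
}

# Return 0 if the -tlsextdebug transcript on stdin shows the server's
# heartbeat extension (id=15), i.e. the same grep the thread uses.
server_advertises_heartbeat() {
    grep -q 'server extension "heartbeat" (id=15)'
}

# $1 = `openssl version` line, $2 = s_client transcript.
# Prints exactly one of: inconclusive | heartbeat-advertised | heartbeat-absent
classify() {
    if ! local_client_sends_heartbeat "$1"; then
        echo inconclusive            # client never asked; "absent" would be meaningless
    elif printf '%s\n' "$2" | server_advertises_heartbeat; then
        echo heartbeat-advertised    # negotiated, which is NOT proof of Heartbleed
    else
        echo heartbeat-absent
    fi
}

# Live check of one host[:port] (port defaults to 443, as in DR_A's loop).
# Needs network access and the openssl CLI; only run when an argument is given.
check_host() {
    case "$1" in *:*) target=$1 ;; *) target=$1:443 ;; esac
    transcript=$(echo QUIT | openssl s_client -connect "$target" -tlsextdebug 2>&1)
    printf '%s\t%s\n' "$(classify "$(openssl version)" "$transcript")" "$1"
}

# Offline samples, abridged from ionepoch's captures in the thread:
# first from an OpenSSL 1.0.1 client, second from the OS X 0.9.8 client.
SAMPLE_101='CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1
---'
SAMPLE_098='CONNECTED(00000003)
TLS server extension "renegotiate" (id=65281), len=1
---'

classify 'OpenSSL 1.0.1e 11 Feb 2013' "$SAMPLE_101"   # heartbeat-advertised
classify 'OpenSSL 0.9.8y 5 Feb 2013'  "$SAMPLE_098"   # inconclusive
classify 'OpenSSL 1.0.1e 11 Feb 2013' "$SAMPLE_098"   # heartbeat-absent

if [ $# -gt 0 ]; then
    check_host "$1"
fi
```

Run it with no arguments to see the three offline classifications, or with a host name (for example `sh check.sh example.com:443`) to classify a live endpoint with whatever OpenSSL is on the path. A "heartbeat-advertised" result is the cue to check the server's actual OpenSSL version or use a dedicated Heartbleed test, exactly as squip describes doing; an "inconclusive" result means the local client, not the server, is the problem.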