The bug is in the TLS implementation in OpenSSL, you will only see it on https

Sent from my iPhone

> On Apr 8, 2014, at 4:43 AM, "Nik Mitev" <n...@mitev.net> wrote:
>
> I used the tool Kirils linked (http://possible.lv/tools/hb/) and my
> unpatched servers running a Tor node or an Openvpn server returned
> correct (old) version of openssl but not vulnerable.
> Is it the bug or the tool that seems to be limited to https I wonder?
>
> Patched now so can't test with this tool...
>
> -----Original Message-----
> From: Fraser Scott <fraser.sc...@gmail.com>
> To: fulldisclosure@seclists.org
> Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160
> Date: Tue, 8 Apr 2014 10:24:02 +0100
>
> This seems to be the best test so far:
>
> http://s3.jspenguin.org/ssltest.py
>
> Other tests false-positive on patched versions from what I can see.
>
>
>> On 8 April 2014 01:10, Kirils Solovjovs <kirils.solovj...@kirils.com> wrote:
>>
>> We are doomed.
>>
>> Description: http://www.openssl.org/news/vulnerabilities.html
>> Article dedicated to the bug: http://heartbleed.com/
>> Tool to check if TLS heartbeat extension is supported:
>> http://possible.lv/tools/hb/
>>
>> A missing bounds check in the handling of the TLS heartbeat extension
>> can be used to reveal up to 64kB of memory to a connected client or server.
>>
>> 1.0.1[ abcdef] affected.
>>
>>
>> P.S. Happy Monday!
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> http://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/