On 09/04/14 18:41, Colin Ryan wrote:
> Folks,
>
> I understand clearly enough that determining your vulnerability to
> Heartbleed is actually pretty straightforward, i.e. do you have and did
> you compile with the affected OpenSSL libs.
>
> However I have a few circumstances where I'd like to be able to
> specifically confirm or deny the bleed.
>
> I've tried taking some of the openssl s_connect variations on a theme to
> check a running instance of ovpn (with tls-auth disabled - just for
> test) but all of these tools are based upon the interaction with TCP
> sockets on a WWW/Proxy server.
>
> For example I've taken this article.
>
> https://blog.ipredator.se/2014/04/how-to-test-if-your-openssl-heartbleeds.html
>
> which lets you very visibly verify if you have the issue. However I've
> tried this technique against OVPN running both TCP and UDP (using the
> -dtls1 switch on s_connect); however, the negotiation of the connections
> never seems to reveal the same amount of SSL / TLS information that these
> techniques do when pointed to a web server.
>
> Any ideas on how one might be able to test specifically against a
> running openvpn binary?
This is a tricky thing to do, as OpenVPN doesn't use a standard TLS wire protocol. It takes the TLS data and wraps it in its own wire protocol. This is to be able to support SSL/TLS over UDP (which back in 2002 was not possible otherwise, due to DTLS not having been "invented" yet).

The easiest approach is probably to grep for "heartbeat" in libssl.so.*. If the OpenSSL version number is between 1.0.1 and 1.0.1f, then you are most likely vulnerable - unless you've applied distro updates which claim to fix this. The heartbeat feature is enabled by default in OpenSSL.

So if you have other TCP based services running on that system (https, imap, pop3, smtp with starttls), it's easier to check if the library is vulnerable using the test script provided by fox-it: <http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/>

To fully check if OpenVPN + OpenSSL is vulnerable, you need to comply with the OpenVPN wire protocol ... which might require far more effort. So far I have not heard of anyone trying to do that ... but if others have, please enlighten us!

--
kind regards,

David Sommerseth

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
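As an added example (not code from the thread or from the OpenVPN project), here is a small POSIX shell check that automates the two signals David describes: an OpenSSL banner in the 1.0.1 to 1.0.1f range and the presence of "heartbeat" strings in a libssl file. The library path and the constructed sample binary it builds for the demo are assumptions.

```shell
# Added example: offline check of a libssl file for the two signals in the
# reply above (version banner 1.0.1..1.0.1f, "heartbeat" strings present).

# Portable stand-in for strings(1): print the printable runs of a binary.
printable_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1"
}

# Print the version from the "OpenSSL 1.0.1e 11 Feb 2013" banner, e.g. 1.0.1e.
libssl_version() {
    printable_strings "$1" |
        sed -n 's/^OpenSSL \(1\.[0-9.]*[a-z]*\)[^ ]* .*/\1/p' | head -n 1
}

# Return 0 when the version is 1.0.1 through 1.0.1f.
version_in_heartbleed_range() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the library still carries heartbeat strings (not built with OPENSSL_NO_HEARTBEATS).
has_heartbeat_strings() {
    printable_strings "$1" | grep -qi heartbeat
}

# Verdict for one library: 0 = likely vulnerable, 1 = not flagged, 2 = unknown.
# Note: distro backports can fix the bug while keeping the 1.0.1e banner, so
# "likely vulnerable" means "check your package changelog", not a proof.
check_libssl() {
    v=$(libssl_version "$1")
    [ -n "$v" ] || { echo "unknown: no OpenSSL banner in $1"; return 2; }
    if version_in_heartbleed_range "$v" && has_heartbeat_strings "$1"; then
        echo "likely vulnerable: OpenSSL $v with heartbeat strings in $1"
        return 0
    fi
    echo "not flagged: OpenSSL $v in $1"
    return 1
}

# Constructed stand-in for a libssl.so so the script runs without a real one.
make_sample_lib() {
    printf 'junk\0OpenSSL 1.0.1e 11 Feb 2013\0tls1_heartbeat\0' > "$1"
}

sample=$(mktemp); make_sample_lib "$sample"
check_libssl "$sample" || true; rm -f "$sample"   # real use: check_libssl /usr/lib/libssl.so.1.0.0
```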