heartbleed-bug

Is SSL_CTX_set_options() the reason why OpenSSL folk used a compile time OPENSSL_NO_HEARTBEATS to disable TLSv1 Heartbeats?

这一生的挚爱 submitted on 2019-12-23 22:45:05
Question: Soon after learning that recompiling with -DOPENSSL_NO_HEARTBEATS will disable TLSv1 Heartbeats in OpenSSL 1.0.1e, I wondered why it was not a run-time option instead, maybe called something like SSL_OP_NO_TLS_HEARTBEATS. Therefore I looked into SSL.H and discovered that 'options' is an unsigned long bitmask, which would be 32 or 64 bits depending on the compiling platform/mode, but it seemed that the OpenSSL code assumes it is 32 bits, and -more importantly- it means it only has 32 possible

Does memory protection protect servers from the heartbleed exploit?

眉间皱痕 submitted on 2019-12-22 23:44:05
Question: I understand that the Heartbleed bug allows a remote attacker to read memory from your machine. Is this mitigated by memory protection? For example, if I have a public-facing https webserver, any webserver traffic and data is obviously compromised, as well as any information accessible using credentials sent over the webserver. But what about other processes on the same box? If I was running bash locally from the console, far from ssl? Answer 1: According to the site Heartbleed only affects

Does openssl-1.0.1g have Android platform support?

≯℡__Kan透↙ submitted on 2019-12-12 21:35:48
Question: Because of the Heartbleed issue in some versions of OpenSSL, I need to update my OpenSSL version to openssl-1.0.1g. Does it have support for the Android platform? If yes, can somebody suggest the build procedures to me? I couldn't compile the source for the Android platform. Any kind suggestion is highly appreciated. Note: I will use openssl for android-ndk Answer 1: Does openssl-1.0.1g have Android platform support? Yes. Go to OpenSSL and Android and fetch setenv-android.sh Ensure ANDROID_NDK_ROOT is

Heartbleed Python test script

巧了我就是萌 submitted on 2019-12-12 07:58:26
Question: I came across this Python script that tests the server for the Heartbleed vulnerability: Would someone be able to explain the content of the "hello", what is being sent and how this content was constructed? I am not trying to use this script maliciously. I was asked to test a Tomcat 7.0.2 server for the vulnerability: I verified that tcnative-1.dll does use openssl 1.0.1d, but a few of the standalone test tools that I tried testing the server with report that it is not vulnerable. Answer 1: hello

OpenSSL Heartbleed vulnerability

大兔子大兔子 submitted on 2019-12-12 03:25:46
Question: After SSL installation I found that my website has the Heartbleed vulnerability. I am using openssl 1.0.1.6. When I referred to some sources, they showed that I need to update my openssl version, create a new private key and then do all the procedures for the SSL certificate. I do not know whether the SSL certificate vendor will re-issue the SSL certificate again. Is there any other solution to solve it? Are there any patches available? Please help, guys. Answer 1: I was using an old version

Is the heartbleed bug a manifestation of the classic buffer overflow exploit in C?

南笙酒味 submitted on 2019-12-04 09:23:42
Question: In one of our first CS lectures on security we were walked through C's issue with not checking alleged buffer lengths and some examples of the different ways in which this vulnerability could be exploited. In this case, it looks like it was a case of a malicious read operation, where the application just read out however many bytes of memory. Am I correct in asserting that the Heartbleed bug is a manifestation of the C buffer length checking issue? Why didn't the malicious use cause a

How do I enable EVP functions in openssl?

谁说我不能喝 submitted on 2019-12-01 11:28:46
I am trying to update my web server to the latest openssl with the Heartbleed patch (1.0.1g). I grabbed the tarball from openssl.org. Said the usual ./configure; make; make install. Had to say config shared to get it to make the .so file (by default it only generates the .a). Updated the link in /usr/lib64 to point to the new .so - Now httpd fails to run with the following complaint: /usr/sbin/httpd: symbol lookup error: /usr/lib64/libssl.so.1: undefined symbol: EVP_idea_cbc nm -g | grep idea says: U EVP_idea_cbc ... so it knows about the symbol, but the symbol is undefined. Openssl

How can I ensure that Ruby uses an OpenSSL not vulnerable to Heartbleed?

空扰寡人 submitted on 2019-11-27 19:25:04
Following the Heartbleed bug, this post on ruby-lang.org describes how to check vulnerability and upgrade. It includes this advice: To verify which version of the OpenSSL library you link to Ruby, use the following: ruby -v -ropenssl -rfiddle -e 'puts Fiddle::Function.new(Fiddle.dlopen(nil)["SSLeay_version"], [Fiddle::TYPE_INT], Fiddle::TYPE_VOIDP).call(0)' To verify the version of OpenSSL currently installed with Ruby, use the following: ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION' What is the difference between these two checks, and what action is recommended if a bad version is
