heartbleed-247x300

A big and major issue on OpenSSL has been discovered and everybody is talking about it. To get more informations, there’s a website.

How to check the vulnerability, download this file:

chmod 755 ssltest.py

Now launch it:

./ssltest.py blog.deimos.fr
Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 66
... received message: type = 22, ver = 0302, length = 5559
... received message: type = 22, ver = 0302, length = 587
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C .@....SC[...r...
[...]
3ff0: 70 78 20 30 20 33 70 78 20 31 2E 35 65 6D 3B 6D px 0 3px 1.5em;m

WARNING: server returned more data than it should - server is vulnerable!

I was vulnerable as you can see. I deployed latest Debian OpenSSL packages, restarted Nginx and then relaunched the tool:

./ssltest.py wiki.deimos.fr -p 443
Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 66
... received message: type = 22, ver = 0302, length = 5559
... received message: type = 22, ver = 0302, length = 587
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
Unexpected EOF receiving record header - server closed connection
No heartbeat response received, server likely not vulnerable

Corrected :-). Now I’ve to regenerate my SSL certificates as I do not know if someone already stolen my private key :-(

Hope it will help you :-)