[somesay]

Test tool: http://filippo.io/Heartbleed/ (not mine)

[Obscure]

I have to say I'm wary of using this for any servers I control; what if they turn out to be vulnerable and this page is just collecting a list of machines to examine in detail later?

Has anyone found an offline tool for checking this?

[ushi]

Go to the repo[0], download the code, read the code, execute.

[0] https://github.com/FiloSottile/Heartbleed

[Obscure]

Great, thank you. Just realised the repo is linked from the page too (I didn't stay long enough to spot it last time).

[sepeth]

https://gist.github.com/sh1n0b1/10100394

[solarexplorer]

find /usr/lib -name libssl* -print

Status of different versions:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT vulnerable OpenSSL 1.0.0 branch is NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable

[Obscure]

Thanks, but I have already installed an updated package [0] that is supposed to fix it but doesn't bump the version number, so I'd like a direct check, just to quell my internal raving paranoid :)

[0] http://lists.centos.org/pipermail/centos-announce/2014-April...

[smtddr]

https://news.ycombinator.com/item?id=7551489 https://github.com/titanous/heartbleeder

pikachu@BATTLEGYM ~/heartbleeder $ date

Tue Apr 8 05:43:57 PDT 2014

pikachu@BATTLEGYM ~/heartbleeder $ ./heartbleeder mail.yahoo.com

INSECURE - mail.yahoo.com:443 has the heartbeat extension enabled and is vulnerable

.....huh....I bet I know what security breach article I'll be reading in the next few days.

[oakwhiz]

This test tool doesn't seem to work properly on servers using self-signed certificates.