On Thu, Apr 17, 2014 at 5:18 AM, Aristotle Pagaltzis <pagalt...@gmx.de> wrote:
> * Olivier Mengué <olivier.men...@gmail.com> [2014-04-17 10:45]:
>> Many Linux distributions will add a patch over the existing OpenSSL
>> code, without changing the version number.
>
> Or they recompile the library with the OPENSSL_NO_HEARTBEATS defined –
> no patches even necessary.

True, and I do check that via a call to SSLeay_version(SSLEAY_CFLAGS) if the version number is one of the vulnerable ones. I can add an additional check for build date after the announcement.

>> A proper check for heartbleed would really test the implementation
>> using real calls to the openssl API, exchanging real packets, using
>> inspiration from PaceMaker.
>> https://github.com/Lekensteyn/pacemaker
>
> Indeed.

That actually is not too hard to convert to Perl, but for now I am going to stick with the version + cflags + build date heuristic. For something like this false positives seem better than false negatives.

Thank you Aristotle and Olivier for your feedback.

-- 
Sinan
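The version + cflags + build date heuristic Sinan describes, written out as an added example (in Python rather than Perl, and not code from Sinan's module or from PaceMaker). It assumes the three strings come from the same places `SSLeay_version()` reads them: the version banner (`SSLEAY_VERSION`), the compiler line (`SSLEAY_CFLAGS`) and the `built on:` line (`SSLEAY_BUILT_ON`), which is also what `openssl version -a` prints. The vulnerable range (1.0.1 through 1.0.1f) and the disclosure date (7 April 2014, the 1.0.1g release) are facts about CVE-2014-0160, not taken from the thread; the verdict names and the sample strings are constructed here.

```python
import re
from datetime import date

# Public disclosure of Heartbleed and release of the fixed OpenSSL 1.0.1g.
DISCLOSURE = date(2014, 4, 7)

# "OpenSSL 1.0.1f 6 Jan 2014" -> (1, 0, 1, "f"); the letter may be empty for plain 1.0.1
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Matches the date inside a `built on:` string such as
# "built on: Mon Jan  6 13:56:39 GMT 2014"; the weekday token is skipped
# because it is not followed by a day number.
BUILT_ON_RE = re.compile(
    r"([A-Z][a-z]{2})\s+(\d{1,2})\s+(?:\d{2}:\d{2}:\d{2}\s+)?(?:[A-Z]{2,5}\s+)?(\d{4})"
)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def parse_version(version_string):
    """Return (major, minor, patch, letter) from an OpenSSL version banner."""
    m = VERSION_RE.search(version_string)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % version_string)
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def version_in_vulnerable_range(v):
    """True for 1.0.1 (no letter) through 1.0.1f; 1.0.1g carries the fix."""
    major, minor, patch, letter = v
    if (major, minor, patch) != (1, 0, 1):
        return False
    return len(letter) <= 1 and letter <= "f"


def parse_built_on(built_on):
    """Return the build date, or None when OpenSSL reports 'date not available'."""
    m = BUILT_ON_RE.search(built_on)
    if not m or m.group(1) not in MONTHS:
        return None
    month, day, year = m.groups()
    return date(int(year), MONTHS[month], int(day))


def assess(version_string, cflags, built_on):
    """Apply the heuristic in order: version, then cflags, then build date.

    Returns (verdict, reason). A build after the disclosure only downgrades the
    verdict to 'probably_patched', never to 'not_vulnerable': a distribution
    backport is likely but unproven, and a false positive is the safer error.
    """
    v = parse_version(version_string)
    if not version_in_vulnerable_range(v):
        return ("not_vulnerable", "version outside the 1.0.1 - 1.0.1f range")
    if "-DOPENSSL_NO_HEARTBEATS" in cflags:
        return ("not_vulnerable", "library built with OPENSSL_NO_HEARTBEATS")
    built = parse_built_on(built_on)
    if built is not None and built > DISCLOSURE:
        return ("probably_patched",
                "vulnerable version string but built after disclosure; check the distro advisory")
    return ("vulnerable", "vulnerable version, heartbeats enabled, no post-disclosure build")


if __name__ == "__main__":
    # Constructed sample inputs in the format `openssl version -a` prints.
    samples = [
        ("OpenSSL 1.0.1f 6 Jan 2014", "compiler: gcc -fPIC -DOPENSSL_PIC",
         "built on: Mon Jan  6 13:56:39 GMT 2014"),
        ("OpenSSL 1.0.1e 11 Feb 2013", "compiler: gcc -DOPENSSL_NO_HEARTBEATS",
         "built on: Tue Feb 12 10:00:00 UTC 2013"),
        ("OpenSSL 1.0.1e 11 Feb 2013", "compiler: gcc -fPIC",
         "built on: Thu Apr 10 09:12:00 UTC 2014"),
        ("OpenSSL 1.0.1g 7 Apr 2014", "compiler: gcc -fPIC", "date not available"),
    ]
    for ver, cfl, built in samples:
        print(ver, "->", assess(ver, cfl, built))
```

Because the build-date step answers "was it rebuilt after the fix was public?" rather than "was the fix applied?", the example keeps it as a separate verdict so a caller can still report it rather than silently treating it as clean.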