Date: Thu, 10 Apr 2014 00:21:13 +0200
From: Vincent Clement <vclement.m...@gmail.com>
To: Morgan McLean <wrx...@gmail.com>
Cc: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
Subject: Re: [j-nsp] SA SSL VPN vulnerable to Heartbleed?
Message-ID:
        <cah1vrdym8mooted26aq8wd9+slm1u6kxb14p6sgzynqo8vf...@mail.gmail.com>

Hello,
Can anyone here confirm how it works?
I mean, I've looked at some Heartbleed descriptions, and I'm not sure
when the issue can occur:
If I have certificate authentication on the MAG, is this still vulnerable, or
can the attacker not even start the SSL connection and get to the step where
the heartbeat occurs to have access to the issue?
In the SSL/TLS process, I think the SSL session starts with the MAG server
certificate sent to the client, which then asks for the customer one. Is this sufficient
to "launch" Heartbleed for an attacker?

Thanks,
Vincent


2014-04-09 21:25 GMT+02:00 Morgan McLean <wrx...@gmail.com>:

Just refer to their doc, our MAGs are vulnerable. All depends on the
software.

Thanks,
Morgan

I don't know the answer to your question but you can find out empirically
by using one of the online SSL testers on your MAG. The testers actually try to
exercise the flaw (send a heartbeat request asking for more than they should
be allowed to get) and if they succeed then you're at risk.
A good one is: https://www.ssllabs.com/ssltest/

I can confirm that 7.4R9.1 fixed our SA4500s (thank you Juniper engineers who
worked thru the night to create that release).


--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
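The "heartbeat request asking for more than it should be allowed to get" that Dave describes is exactly the check a patched responder performs: the payload length declared inside the heartbeat message must fit within the TLS record actually received (RFC 6520 section 4 says an oversized payload_length means the message is silently discarded). The following Python is an added illustration, not code from this thread or from Juniper or OpenSSL; it models a responder that applies that bounds check to constructed heartbeat records. The function names and the sample messages are assumptions made for the example.

```python
import struct
from typing import Optional, Tuple

# TLS record-layer and heartbeat constants (RFC 5246 / RFC 6520)
CONTENT_TYPE_HEARTBEAT = 24
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of random padding
TLS_1_2 = 0x0303


class HeartbeatError(ValueError):
    """Raised for any heartbeat message the responder must discard."""


def parse_tls_record(data: bytes) -> Tuple[int, int, bytes]:
    """Split one TLS record into (content_type, version, fragment)."""
    if len(data) < 5:
        raise HeartbeatError("truncated record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    if len(data) < 5 + length:
        raise HeartbeatError("record length exceeds data on the wire")
    return content_type, version, data[5:5 + length]


def parse_heartbeat(fragment: bytes) -> Tuple[int, bytes]:
    """Parse a HeartbeatMessage with the bounds check the vulnerable code lacked."""
    if len(fragment) < 1 + 2 + MIN_PADDING:
        raise HeartbeatError("heartbeat fragment too short")
    hb_type = fragment[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise HeartbeatError("unknown heartbeat type")
    payload_length = struct.unpack("!H", fragment[1:3])[0]
    # The essential check: type byte + length field + declared payload + minimum
    # padding must all fit inside the fragment that was actually received.
    # Without it, a peer can declare a large payload_length and the responder
    # echoes back memory that lies past the end of the received fragment.
    if 1 + 2 + payload_length + MIN_PADDING > len(fragment):
        raise HeartbeatError("payload_length exceeds received fragment; discard")
    payload = fragment[3:3 + payload_length]
    return hb_type, payload


def build_heartbeat_record(hb_type: int, payload: bytes,
                           padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Build a well-formed heartbeat record (constructed test data, zero padding)."""
    body = bytes([hb_type]) + struct.pack("!H", len(payload)) + payload + padding
    return struct.pack("!BHH", CONTENT_TYPE_HEARTBEAT, TLS_1_2, len(body)) + body


def handle_heartbeat_record(data: bytes) -> Optional[bytes]:
    """Responder side: echo a valid request's payload, or return None to discard."""
    try:
        content_type, _version, fragment = parse_tls_record(data)
        if content_type != CONTENT_TYPE_HEARTBEAT:
            return None
        hb_type, payload = parse_heartbeat(fragment)
    except HeartbeatError:
        return None  # RFC 6520: discard silently, never echo
    if hb_type != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat_record(HEARTBEAT_RESPONSE, payload)


# Constructed sample: a request that declares 0x4000 payload bytes but carries
# only four. A patched responder discards it; the flaw was echoing anyway.
_bad_body = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 0x4000) + b"ping" + b"\x00" * MIN_PADDING
MALFORMED_REQUEST = struct.pack("!BHH", CONTENT_TYPE_HEARTBEAT, TLS_1_2, len(_bad_body)) + _bad_body

if __name__ == "__main__":
    good = build_heartbeat_record(HEARTBEAT_REQUEST, b"ping")
    print("well-formed request ->", handle_heartbeat_record(good) is not None)
    print("oversized request   ->", handle_heartbeat_record(MALFORMED_REQUEST))
```

The length arithmetic in `parse_heartbeat` is the whole difference between a responder that is safe and one that is not; a tester like the SSL Labs scan mentioned above simply observes whether the server answers a message shaped like `MALFORMED_REQUEST` instead of dropping it.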