Confirmed too, and I answer to myself: made some tests with Heartbleed Python scripts. It seems that when your realm/port requires a client certificate, the SSL process stops if you have no certificate BEFORE the Heartbleed issue can be exploited.
Still need to upgrade, but depending on your configuration you may be less critically exposed.

Vincent

2014-04-10 19:56 GMT+02:00 Dave Funk <dbf...@engineering.uiowa.edu>:

> > Date: Thu, 10 Apr 2014 00:21:13 +0200
> > From: Vincent Clement <vclement.m...@gmail.com>
> > To: Morgan McLean <wrx...@gmail.com>
> > Cc: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
> > Subject: Re: [j-nsp] SA SSL VPN vulnerable to Heartbleed?
> > Message-ID: <CAH1VrDYM8moOteD26Aq8wd9+sLM1u6KXb14p6SGZYNqO8VFPmA@mail.gmail.com>
> >
> > Hello,
> > Can anyone here confirm how it works?
> > I mean, I've looked at some Heartbleed descriptions, and I'm not sure when the issue can occur:
> > If I have certificate authentication on the MAG, is this still vulnerable, or can the attacker not even start the SSL connection and get to the step where the heartbeat occurs to have access to the issue?
> > In the SSL/TLS process, I think the SSL session starts with the MAG server certificate sent to the client, then it asks for the customer one. Is this sufficient to "launch" Heartbleed for an attacker?
> >
> > Thanks,
> > Vincent
> >
> > 2014-04-09 21:25 GMT+02:00 Morgan McLean <wrx...@gmail.com>:
> >
> > > Just refer to their doc, our MAGs are vulnerable. All depends on the software.
> > >
> > > Thanks,
> > > Morgan
>
> I don't know the answer to your question but you can find out empirically by using one of the online SSL testers on your MAG. The testers actually try to exercise the flaw (send a heartbeat request asking for more than they should be allowed to get) and if they succeed then you're at risk.
> A good one is: https://www.ssllabs.com/ssltest/
>
> I can confirm that 7.4R9.1 fixed our SA4500s (thank you Juniper engineers who worked through the night to create that release).
>
> --
> Dave Funk                               University of Iowa
> <dbfunk (at) engineering.uiowa.edu>     College of Engineering
> 319/335-5751   FAX: 319/384-0549        1256 Seamans Center
> Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
> #include <std_disclaimer.h>
> Better is not better, 'standard' is better.  B{
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

--
Vincent Clément
+33 6 74 49 66 30
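As an added illustration of the two points raised in this thread (whether the server's first handshake flight asks the client for a certificate, and what a "heartbeat request asking for more than it should be allowed to get" looks like and why the pre-fix handler leaks), here is a small Python script written for this page. It is not one of the Heartbleed scripts mentioned above and is not from Juniper or the list. The server flights and the "adjacent memory" bytes are constructed inside the script, the two heartbeat handlers simulate the pre-fix and post-fix OpenSSL logic in Python rather than touching real process memory, and nothing talks to a network.

```python
import struct

# TLS record content types and handshake message types (RFC 5246, RFC 6520).
CT_HANDSHAKE = 22
CT_HEARTBEAT = 24
HB_REQUEST = 1
HS_NAMES = {2: "ServerHello", 11: "Certificate", 13: "CertificateRequest",
            14: "ServerHelloDone"}
TLS11 = 0x0302


def parse_records(data):
    """Split a byte stream into (content_type, version, body) TLS records."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record")
        records.append((ctype, ver, body))
        off += 5 + length
    return records


def handshake_messages(data):
    """Names of the handshake messages in a server flight, in wire order."""
    names = []
    for ctype, _ver, body in parse_records(data):
        if ctype != CT_HANDSHAKE:
            continue
        off = 0
        while off + 4 <= len(body):
            mtype = body[off]
            mlen = int.from_bytes(body[off + 1:off + 4], "big")
            names.append(HS_NAMES.get(mtype, "type%d" % mtype))
            off += 4 + mlen
    return names


def requires_client_cert(data):
    """True if the server's first flight contains a CertificateRequest."""
    return "CertificateRequest" in handshake_messages(data)


def build_heartbeat_request(claimed_len, payload, version=TLS11):
    """Heartbeat record whose declared payload_length need not match the payload."""
    body = bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + payload + b"\x00" * 16
    return struct.pack("!BHH", CT_HEARTBEAT, version, len(body)) + body


def vulnerable_heartbeat_response(record_body, adjacent_memory):
    """Pre-fix logic: copy payload_length bytes from the payload with no check
    against the record length. adjacent_memory stands in for whatever the
    process happened to have on the heap after the record (simulation only)."""
    claimed = struct.unpack("!H", record_body[1:3])[0]
    heap = record_body[3:] + adjacent_memory
    return heap[:claimed]


def patched_heartbeat_response(record_body, adjacent_memory):
    """Post-fix logic: the length check OpenSSL 1.0.1g added, then echo."""
    if len(record_body) < 1 + 2 + 16:           # type + length + minimum padding
        return None                              # silently discard
    claimed = struct.unpack("!H", record_body[1:3])[0]
    if 1 + 2 + claimed + 16 > len(record_body):
        return None                              # silently discard
    return record_body[3:3 + claimed]


# ---- constructed sample data (not captured from any device) ----------------
def _hs(mtype, payload):
    return bytes([mtype]) + len(payload).to_bytes(3, "big") + payload


def _record(ctype, body, version=TLS11):
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Handshake bodies are abbreviated placeholders; only types and lengths matter.
_SERVER_HELLO = _hs(2, b"\x03\x02" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00")
_CERTIFICATE = _hs(11, b"\x00\x00\x00")
_CERT_REQUEST = _hs(13, b"\x01\x01" + b"\x00\x00")
_SERVER_HELLO_DONE = _hs(14, b"")

SERVER_FLIGHT_CLIENT_CERT = _record(
    CT_HANDSHAKE, _SERVER_HELLO + _CERTIFICATE + _CERT_REQUEST + _SERVER_HELLO_DONE)
SERVER_FLIGHT_NO_CLIENT_CERT = _record(
    CT_HANDSHAKE, _SERVER_HELLO + _CERTIFICATE + _SERVER_HELLO_DONE)

# Stand-in for sensitive bytes that sat after the record buffer (constructed).
SECRET_MEMORY = b"session-cookie=0123abcd; -----BEGIN RSA PRIVATE KEY-----"


def demo():
    """Send the oversize probe to both handlers; returns (leaked, patched_result)."""
    probe = build_heartbeat_request(0x4000, b"HB")   # claims 16 KiB, sends 2 bytes
    record_body = parse_records(probe)[0][2]
    leaked = vulnerable_heartbeat_response(record_body, SECRET_MEMORY)
    safe = patched_heartbeat_response(record_body, SECRET_MEMORY)
    return leaked, safe


if __name__ == "__main__":
    print("client cert requested:", requires_client_cert(SERVER_FLIGHT_CLIENT_CERT))
    leaked, safe = demo()
    print("vulnerable handler leaked secret:", SECRET_MEMORY in leaked)
    print("patched handler response:", safe)
```

The script only shows the record formats and the missing bounds check. Whether a particular server processes a heartbeat record before the handshake has finished (that is, before the client has answered the CertificateRequest) depends on that server's TLS stack, which is exactly what running a tester against the actual MAG/SA answers.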