Thanks Chris, fixed almost all the customers already, was just curious :)
2014-04-11 20:04 GMT+02:00 Chris Jones <ipv6fre...@gmail.com>:

> Configuration is irrelevant.
>
> On Fri, Apr 11, 2014 at 12:48 AM, Vincent Clement <vclement.m...@gmail.com> wrote:
>
>> Confirm too, and I answer to myself:
>> Made some tests with Heartbleed python scripts:
>> It seems that when your realm/port require a client certificate, the SSL
>> process stops if you have no certificate BEFORE the heartbleed issue can be
>> exploited.
>>
>> Still need to upgrade, but depending on your configuration you may be less
>> critically exposed.
>>
>> Vincent
>>
>> 2014-04-10 19:56 GMT+02:00 Dave Funk <dbf...@engineering.uiowa.edu>:
>>
>> >> Date: Thu, 10 Apr 2014 00:21:13 +0200
>> >> From: Vincent Clement <vclement.m...@gmail.com>
>> >> To: Morgan McLean <wrx...@gmail.com>
>> >> Cc: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
>> >> Subject: Re: [j-nsp] SA SSL VPN vulnerable to Heartbleed?
>> >> Message-ID: <CAH1VrDYM8moOteD26Aq8wd9+sLM1u6KXb14p6SGZYNqO8VFPmA@mail.gmail.com>
>> >>
>> >> Hello,
>> >> Anyone here to confirm me how it works?
>> >> I mean, I've looked after some heartbleed description, and I'm not sure
>> >> when the issue can occur:
>> >> If I have certificate authentication on MAG, is this still vulnerable, or
>> >> the attacker can't even start the SSL connection and go to the step where
>> >> heartbeat occurs to have access to the issue?
>> >> In the SSL/TLS process, I think the SSL session starts with the MAG server
>> >> certificate sent to client, then ask for customer one. Is this sufficient
>> >> to "launch" heartbleed for an attacker?
>> >>
>> >> Thanks,
>> >> Vincent
>> >>
>> >> 2014-04-09 21:25 GMT+02:00 Morgan McLean <wrx...@gmail.com>:
>> >>
>> >>> Just refer to their doc, our MAGs are vulnerable. All depends on the
>> >>> software.
>> >>>
>> >>> Thanks,
>> >>> Morgan
>> >
>> > I don't know the answer to your question but you can find out empirically
>> > by using one of the online SSL testers on your MAG. The testers actually
>> > try to exercise the flaw (send a heartbeat request asking for more than
>> > they should be allowed to get) and if they succeed then you're at risk.
>> > A good one is: https://www.ssllabs.com/ssltest/
>> >
>> > I can confirm that 7.4R9.1 fixed our SA4500s (thank you Juniper engineers
>> > who worked thru the night to create that release).
>> >
>> > --
>> > Dave Funk                                  University of Iowa
>> > <dbfunk (at) engineering.uiowa.edu>        College of Engineering
>> > 319/335-5751   FAX: 319/384-0549           1256 Seamans Center
>> > Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
>> > #include <std_disclaimer.h>
>> > Better is not better, 'standard' is better. B{
>> > _______________________________________________
>> > juniper-nsp mailing list juniper-nsp@puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>> --
>> Vincent Clément
>> +33 6 74 49 66 30
>
> --
> Chris Jones
> JNCIE-ENT #272
> CCIE# 25655 (R&S)

--
Vincent Clément
+33 6 74 49 66 30
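
Added example, not part of the thread or of any tester's code: the testers mentioned in the quoted reply send a heartbeat request that asks for more than the record carries, and the Python below applies the RFC 6520 length check to a byte stream of TLS records to flag such a request. The function names and the sample bytes are constructed for illustration, and the check only applies to heartbeat records whose body is visible in cleartext.

```python
import struct

TLS_HEARTBEAT = 24      # TLS record content type for heartbeat (RFC 6520)
HB_HEADER = 3           # 1-byte message type + 2-byte payload_length
HB_MIN_PADDING = 16     # RFC 6520 requires at least 16 bytes of padding


def iter_records(stream: bytes):
    """Yield (content_type, body) for each complete TLS record in stream."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, offset)
        body = stream[offset + 5 : offset + 5 + length]
        if len(body) < length:
            break  # truncated capture: stop rather than guess
        yield ctype, body
        offset += 5 + length


def check_heartbeat(body: bytes) -> str:
    """Classify one cleartext heartbeat record body."""
    if len(body) < HB_HEADER:
        return "too_short"
    _msg_type, payload_length = struct.unpack_from("!BH", body, 0)
    # A patched receiver silently discards a message whose declared payload
    # plus header and minimum padding does not fit inside the record.
    if HB_HEADER + payload_length + HB_MIN_PADDING > len(body):
        return "length_violation"
    return "ok"


def scan(stream: bytes):
    """Return (record_index, verdict) for every heartbeat record found."""
    return [
        (index, check_heartbeat(body))
        for index, (ctype, body) in enumerate(iter_records(stream))
        if ctype == TLS_HEARTBEAT
    ]


# Constructed sample: one handshake record, one well-formed heartbeat
# (4-byte payload + 16 bytes padding), one heartbeat declaring 0x4000
# payload bytes while carrying none.
SAMPLE = (
    bytes.fromhex("16 03 02 00 04 0e 00 00 00")
    + bytes.fromhex("18 03 02 00 17 01 00 04") + b"ping" + bytes(16)
    + bytes.fromhex("18 03 02 00 03 01 40 00")
)

if __name__ == "__main__":
    for index, verdict in scan(SAMPLE):
        print(f"record {index}: {verdict}")
```
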