Re: OpenSSL Security Advisory

2014-04-09 Thread Ali Jawad
http://filippo.io/Heartbleed/#www.unlocator.com


On Wed, Apr 9, 2014 at 2:05 PM, Ted Byers wrote:

> How do I determine whether or not the web servers I run are affected?
> They are Apache 2.4, built for 64 bit Windows and downloaded from
> Apachelounge.  I have no idea what version of openssl it was built with.
> Does anyone here know if the feature that introduces the risk can be turned
> off, without introducing other risks?  If so, how?
>
> Also, could the security keys we bought have been compromised?
>
> Any advice on how I can protect my servers better would be appreciated.
>
> Thanks
>
> Ted
>
> --
> R.E.(Ted) Byers, Ph.D.,Ed.D.
>
>
> On Mon, Apr 7, 2014 at 4:31 PM, OpenSSL wrote:
>
>> OpenSSL Security Advisory [07 Apr 2014]
>> 
>>
>> TLS heartbeat read overrun (CVE-2014-0160)
>> ==
>>
>> A missing bounds check in the handling of the TLS heartbeat extension can
>> be used to reveal up to 64k of memory to a connected client or server.
>>
>> Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
>> 1.0.1f and 1.0.2-beta1.
>>
>> Thanks for Neel Mehta of Google Security for discovering this bug and to
>> Adam Langley and Bodo Moeller for preparing the fix.
>>
>> Affected users should upgrade to OpenSSL 1.0.1g. Users unable to
>> immediately upgrade can alternatively recompile OpenSSL with
>> -DOPENSSL_NO_HEARTBEATS.
>>
>> 1.0.2 will be fixed in 1.0.2-beta2.
>> __
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List   openssl-users@openssl.org
>> Automated List Manager   majord...@openssl.org
>>
>
>
>
>
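A local check to go with the online test linked above, added here as an example and not part of the original thread or the OpenSSL project's tooling: it classifies the output of `openssl version -a` using the version ranges and the `-DOPENSSL_NO_HEARTBEATS` build flag named in the advisory. The function name and the sample outputs are constructed for illustration, and treating 1.0.1 pre-releases as affected is an assumption.

```shell
#!/usr/bin/env bash
# Added example: classify an OpenSSL build against CVE-2014-0160 using the
# version ranges and the build flag named in the advisory.

# heartbleed_status: reads `openssl version -a` output on stdin and prints
# affected | mitigated | not-affected | unknown.
heartbleed_status() {
    info=$(cat)
    # First line looks like: "OpenSSL 1.0.1f 6 Jan 2014"
    ver=$(printf '%s\n' "$info" | awk '$1 == "OpenSSL" { print $2; exit }')
    [ -n "$ver" ] || { echo unknown; return 0; }
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) ;;   # ranges stated in the advisory
        1.0.1-*) ;;                        # 1.0.1 pre-releases: assumed affected
        *) echo not-affected; return 0 ;;
    esac
    # The advisory's workaround is a rebuild with -DOPENSSL_NO_HEARTBEATS,
    # which then shows up in the "compiler:" line of `openssl version -a`.
    if printf '%s\n' "$info" | grep -q -e '-DOPENSSL_NO_HEARTBEATS'; then
        echo mitigated
    else
        echo affected
    fi
}

# Constructed sample outputs (not captured from a real host).
sample_vulnerable='OpenSSL 1.0.1f 6 Jan 2014
built on: Mon Jan  6 00:00:00 UTC 2014
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -O3 -Wall'
sample_rebuilt='OpenSSL 1.0.1e 11 Feb 2013
compiler: gcc -DOPENSSL_THREADS -DOPENSSL_NO_HEARTBEATS -O3 -Wall'
sample_fixed='OpenSSL 1.0.1g 7 Apr 2014'
sample_old='OpenSSL 0.9.8y 5 Feb 2013'

for s in "$sample_vulnerable" "$sample_rebuilt" "$sample_fixed" "$sample_old"; do
    printf '%-16s %s\n' "$(printf '%s\n' "$s" | head -n 1 | cut -d' ' -f2)" \
        "$(printf '%s\n' "$s" | heartbleed_status)"
done
# On a real host: openssl version -a | heartbleed_status
```

Distribution packages often backport the fix without changing the version letter, so an `affected` result from a packaged build should be confirmed against the vendor's changelog.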


Re: commands to get info from intermediate certificates

2012-11-11 Thread Ali Jawad
Thanks Florian, I did go ahead and parse them. A last question, please:
in a chain sometimes only the intermediate certificates are returned
and at other times the intermediate chains and the root certificate are
returned, at least based on DigiCert's SSL testing utility. How can I
differentiate between an intermediate certificate and a root certificate?
Regards

On Sun, Nov 11, 2012 at 10:01 PM, Florian Weimer wrote:
> * Ali Jawad:
>
>> For example in the below :
>>
>> echo "" | openssl s_client  -CAfile ./mozilla-root.crt   -showcerts
>> -connect ssl.com:443  | openssl  x509 -text
>>
>> will only show the issuer/dates/etc information for the first
>> certificate ssl.com and not for the subsequent certificates in the
>> chain.
>
> I think you have to copy them manually from the output.
>
> If you want to do this programmatically, you should establish a TLS
> connection, use the SSL_get_peer_cert_chain function to obtain the
> certificates, and use the X509_* functions to extract the data you
> need.
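The manual copy step discussed in this thread can be scripted. The following is an added example, not code from the thread or from the OpenSSL project: it splits `openssl s_client -showcerts` output into one PEM file per certificate and runs `openssl x509` on each. The function names and the `cert-N.pem` file naming are assumptions made for illustration; the role check relies on the fact that a root certificate is self-issued, so its subject equals its issuer.

```shell
#!/usr/bin/env bash
# Added example: split `openssl s_client -showcerts` output into one file per
# certificate and summarize each one with `openssl x509`.

# split_chain OUTDIR: read s_client output on stdin, write OUTDIR/cert-N.pem
# for every PEM block, and print the number of certificates found.
split_chain() {
    outdir=$1
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1; file = sprintf("%s/cert-%d.pem", dir, n) }
        inside                         { print > file }
        /-----END CERTIFICATE-----/   { inside = 0; close(file) }
        END                            { print n + 0 }
    '
}

# classify SUBJECT ISSUER: subject equal to issuer means self-issued, which
# is what a root looks like; anything else is the leaf or an intermediate.
classify() {
    if [ "$1" = "$2" ]; then echo "root (self-issued)"; else echo "leaf or intermediate"; fi
}

# describe_chain OUTDIR: print subject, issuer, expiry and role per file.
describe_chain() {
    for pem in "$1"/cert-*.pem; do
        [ -e "$pem" ] || continue
        subject=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$pem" -noout -issuer | sed 's/^issuer= *//')
        expiry=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
        printf '%s\n  subject: %s\n  issuer:  %s\n  expires: %s\n  role:    %s\n' \
            "$pem" "$subject" "$issuer" "$expiry" "$(classify "$subject" "$issuer")"
    done
}

# Typical use (needs network access; host taken from the thread):
#   dir=$(mktemp -d)
#   openssl s_client -showcerts -connect ssl.com:443 </dev/null 2>/dev/null | split_chain "$dir"
#   describe_chain "$dir"
```

`-showcerts` lists only the certificates the server actually sent, not the verified chain, and servers commonly leave the root out, which is why the count can be lower than what a browser displays.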


Re: commands to get info from intermediate certificates

2012-11-11 Thread Ali Jawad
For example in the below :

echo "" | openssl s_client  -CAfile ./mozilla-root.crt   -showcerts
-connect ssl.com:443  | openssl  x509 -text

will only show the issuer/dates/etc information for the first
certificate ssl.com and not for the subsequent certificates in the
chain.

Regards


Will only show the info

On Sun, Nov 11, 2012 at 8:15 PM, Ali Jawad wrote:
> Hi Florian
> Thank you for the response, the problem for me is that openssl
> s_client -showcerts only shows two certificates while the actual
> number of chain entries is 3, this is what is confusing me.
> Regards
>
> On Sun, Nov 11, 2012 at 7:16 PM, Florian Weimer wrote:
>> * Ali Jawad:
>>
>>> When I do visit a website using a browser and check the certificate I
>>> can see the intermediate certificates and the info of those
>>> certificates.
>>>
>>> I am wondering how can I see that info using command line, I know how
>>> to display the certificate info and it shows the info of the
>>> intermediate certificates such as issuer name and subject name, but
>>> how exactly can I get the info of that intermediate certificate to
>>> check expiry date and other information.
>>
>> You can use the PEM-encoded certificates printed by "openssl s_client
>> -showcerts" as input to "openssl x509 -noout -text".


Re: commands to get info from intermediate certificates

2012-11-11 Thread Ali Jawad
Hi Florian
Thank you for the response, the problem for me is that openssl
s_client -showcerts only shows two certificates while the actual
number of chain entries is 3, this is what is confusing me.
Regards

On Sun, Nov 11, 2012 at 7:16 PM, Florian Weimer wrote:
> * Ali Jawad:
>
>> When I do visit a website using a browser and check the certificate I
>> can see the intermediate certificates and the info of those
>> certificates.
>>
>> I am wondering how can I see that info using command line, I know how
>> to display the certificate info and it shows the info of the
>> intermediate certificates such as issuer name and subject name, but
>> how exactly can I get the info of that intermediate certificate to
>> check expiry date and other information.
>
> You can use the PEM-encoded certificates printed by "openssl s_client
> -showcerts" as input to "openssl x509 -noout -text".


Re: commands to get info from intermediate certificates

2012-11-11 Thread Ali Jawad
Any input on this, please?

On Fri, Nov 9, 2012 at 11:17 PM, Ali Jawad wrote:
> Hi
> When I do visit a website using a browser and check the certificate I
> can see the intermediate certificates and the info of those
> certificates.
>
> I am wondering how can I see that info using command line, I know how
> to display the certificate info and it shows the info of the
> intermediate certificates such as issuer name and subject name, but
> how exactly can I get the info of that intermediate certificate to
> check expiry date and other information.
>
> Please advise