OpenSSL versions on CPANTesters clients

2014-04-18 Thread A. Sinan Unur
Hello: I am the current maintainer of Crypt::SSLeay which provides HTTPS support using OpenSSL to LWP::UserAgent. In version 0.65_13, I added the plumbing and a test to check if the OpenSSL library against which Crypt::SSLeay was being built was vulnerable to the Heartbleed Bug. As of now, there

Re: OpenSSL versions on CPANTesters clients

2014-04-18 Thread A. Sinan Unur
On Thu, Apr 17, 2014 at 11:15 AM, Reini Urban wrote:
> Someone already created a simple heartbleed testcase for openssl:
> http://marc.info/?l=openssl-dev&m=139746949222785&w=2

The test depends on an internal header, ssl/ssl_locl.h, which does not get installed in the openssl include directory.

Re: OpenSSL versions on CPANTesters clients

2014-04-17 Thread Reini Urban
On 04/17/2014 05:27 AM, Olivier Mengué wrote:
> The ultimate heartbleed check would be implemented using a BIO_s_mem() (which means, without using sockets or any file descriptor). If someone is tempted by the task, the ssl/ssltest.c example of OpenSSL may help to see how to use BIO. http://git.open

Re: OpenSSL versions on CPANTesters clients

2014-04-17 Thread Olivier Mengué
The ultimate heartbleed check would be implemented using a BIO_s_mem() (which means, without using sockets or any file descriptor). If someone is tempted by the task, the ssl/ssltest.c example of OpenSSL may help to see how to use BIO. http://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=ssl/sslte

Re: OpenSSL versions on CPANTesters clients

2014-04-17 Thread A. Sinan Unur
On Thu, Apr 17, 2014 at 5:18 AM, Aristotle Pagaltzis wrote:
> * Olivier Mengué [2014-04-17 10:45]:
>> Many Linux distributions will add a patch over the existing OpenSSL
>> code, without changing the version number.
>
> Or they recompile the library with the OPENSSL_NO_HEARTBEATS defined –
> no pa

Re: OpenSSL versions on CPANTesters clients

2014-04-17 Thread Aristotle Pagaltzis
* Olivier Mengué [2014-04-17 10:45]:
> Many Linux distributions will add a patch over the existing OpenSSL
> code, without changing the version number.

Or they recompile the library with the OPENSSL_NO_HEARTBEATS defined – no patches even necessary.

> A proper check for heartbleed would really te

Re: OpenSSL versions on CPANTesters clients

2014-04-17 Thread Olivier Mengué
Unfortunately this test may give false positives because it is based only on the version number. Many Linux distributions will add a patch over the existing OpenSSL code, without changing the version number. Also the version check doesn't seem to work correctly because it is mostly an API version mo

OpenSSL versions on CPANTesters clients

2014-04-16 Thread A. Sinan Unur
*** Apologies if this message arrives on the mailing list twice, it's been about 45 minutes since I sent the first one, so I am assuming something went wrong with that *** Hello: I am the current maintainer of Crypt::SSLeay which provides HTTPS support using OpenSSL to LWP::UserAgent. In version