On Sun, Apr 13, 2014 at 07:21:26AM -0400, Nico Kadel-Garcia wrote:
> I'm assuming that the vulnerability for particular httpd (Apache 2.x)
> web servers is *only* activated when the "mod_ssl" module is loaded,

Yes. The server must perform TLS negotiation using a vulnerable OpenSSL version. Data leaked via heartbleed can come from unrelated connections handled by the same server process, whether or not those other connections use TLS.

> I've not seen any verification that proxies set for simple HTTP
> pass-through are vulnerable. I suspect they're safe, but I'd really
> like to have a test tool to verify this. Has anyone seen a Heartbleed
> test tool that will test HTTP sites, or HTTPS on ports other than 443?

There are published test scripts. You can edit them and change the port. E.g. https://github.com/musalbas/heartbleed-masstest/blob/master/ssltest.py will do what you want if you adjust the port number (and perhaps simplify the argument processing such that the script probes a single server specified on the command line).

