Geekflare is supported by our audience. We may earn affiliate commissions from buying links on this site.
Share on:

How to Test & Fix Heart Bleed SSL Vulnerabilities?

Heartbleed
Invicti Web Application Security Scanner – the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.

Is your website safe from Heartbleed Bug?

The Heartbleed bug is a severe OpenSSL vulnerability in the cryptographic software library.  This allows exposing sensitive information over SSL/TLS encryption for applications like web, email, IM, and VPN.

Detailed information about the Heartbleed bug can be found here. 

In this article, I will talk about how to test if your web applications are heartbleed security vulnerable.

Status of different OpenSSL versions:-

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

If you are using F5 to offload SSL – you can refer here to check if it’s vulnerable.

Heartbleed Testing Tools

SSL Labs

One of the popular SSL Server Test by Qualys scan the target for more than 50 TLS/SSL related known vulnerabilities, including Heartbleed. On the test result page, you should see something like below.

ssl-labs

TLS Scanner

TLS Scanner by Geekflare lets you quickly test your website for misconfiguration and common security flaws.

geekflare-tls-scan-result

OpenSSL

If you are testing internal sites or don’t want to use a cloud-based scanner, then you can use OpenSSL. The following command should help you with that.

echo "QUIT"|openssl s_client -connect facebook.com:443 2>&1|grep 'server extension "heartbeat" (id=15)' || echo safe

Example:

[root@lab ~]# echo "QUIT"|openssl s_client -connect geekflare.com:443 2>&1|grep 'server extension "heartbeat" (id=15)' || echo safe
safe
[root@lab ~]#

You are going to replace geekflare.com:443 with your site.

Fixing Heartbleed

Fixing is quite straightforward. There are two things you got to do to fix it.

  • Upgrade OpenSSL to 1.o.1g or higher version.
  • Regenerate the CSR using an upgraded version of OpenSSL and get it signed by a certificate authority. Once you receive the signed certificate, implement that on your respective web servers or edge devices.

I hope this helps you.

Thanks to our Sponsors
More great readings on Security
Power Your Business
Some of the tools and services to help your business grow.
  • Invicti uses the Proof-Based Scanning™ to automatically verify the identified vulnerabilities and generate actionable results within just hours.
    Try Invicti
  • Web scraping, residential proxy, proxy manager, web unlocker, search engine crawler, and all you need to collect web data.
    Try Brightdata
  • Semrush is an all-in-one digital marketing solution with more than 50 tools in SEO, social media, and content marketing.
    Try Semrush
  • Intruder is an online vulnerability scanner that finds cyber security weaknesses in your infrastructure, to avoid costly data breaches.
    Try Intruder