How to Test & Fix Heartbleed SSL Vulnerabilities?

Is your website safe from the Heartbleed bug?

The Heartbleed bug is a severe vulnerability in the OpenSSL cryptographic software library.

It exposes sensitive information that SSL/TLS encryption is meant to protect, in applications such as web, email, IM, and VPN.

Detailed information about the Heartbleed bug can be found here.

In this article, I will show how to test whether your web applications are vulnerable to Heartbleed.

Status of different OpenSSL versions:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

If you are using F5 to offload SSL, you can refer here to check whether it is vulnerable.

Heartbleed Testing Tools

Filippo – Test by domain name or IP address, together with the secure port.

SSL Labs – Qualys has also added a Heartbleed check to its SSL scan tool, so it reports whether the given URL is vulnerable to the attack.

OpenSSL – You can also test locally from a server with the OpenSSL command-line client, as follows.

echo "QUIT" | openssl s_client -connect your-site.example:443 -tlsextdebug 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo safe

Obviously, you are going to replace your-site.example:443 with your own host name and TLS port. The -tlsextdebug flag makes s_client print the extensions the server advertises, which is what the grep pattern looks for.
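As an added example (not part of the original article), the following shell snippet wraps two checks: a local classification of the output of "openssl version" against the version list above, and the remote probe above as a function, with the -tlsextdebug flag that s_client needs in order to print server extensions. The host name, port and version strings are placeholders and constructed inputs; the probe itself needs network access. It also records two caveats: distribution builds that backported the fix keep the old upstream version number, and a server that advertises the heartbeat extension is not necessarily exploitable, since a patched 1.0.1g still supports heartbeats.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version string offline against the
# ranges listed in the article, and wrap the article's remote probe.
# Host, port and the sample version strings are placeholders.

# Classify "openssl version" output (e.g. "OpenSSL 1.0.1e 11 Feb 2013").
# Prints one of: vulnerable | not vulnerable | unknown
heartbleed_status() {
    ver=${1#OpenSSL }       # drop the leading "OpenSSL "
    ver=${ver%% *}          # keep only the version token
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) echo "vulnerable" ;;      # 1.0.1 through 1.0.1f
        1.0.1[g-z]*)                   echo "not vulnerable" ;;  # 1.0.1g and later
        1.0.0*|0.9.8*)                 echo "not vulnerable" ;;  # branches never affected
        *)                             echo "unknown" ;;         # outside the article's list
    esac
}

# Caveat: distributions that backported the fix keep the old version number
# (a patched 1.0.1e build still reports 1.0.1e), so on such systems consult
# the package changelog or vendor advisory rather than trusting this output.

# Remote probe: the article's command with -tlsextdebug added; without it
# s_client never prints the server's extensions, so grep can never match.
# Prints the heartbeat extension line if advertised, else "no heartbeat extension".
# Usage: heartbeat_probe your-site.example 443
heartbeat_probe() {
    host=$1; port=${2:-443}
    echo "QUIT" | openssl s_client -connect "$host:$port" -tlsextdebug 2>&1 \
        | grep 'server extension "heartbeat" (id=15)' \
        || echo "no heartbeat extension"
}

# A server that advertises heartbeat is not necessarily exploitable: a patched
# 1.0.1g still answers heartbeats. Treat the probe as a first filter, then
# confirm with the installed version or one of the scanners named above.
```

Run heartbleed_status "$(openssl version)" on the server itself; heartbeat_probe is for checking a host from outside.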

Fixing Heartbleed

Fixing is quite straightforward. There are two things you have to do.

  1. Upgrade OpenSSL to 1.0.1g or a higher version.
  2. Regenerate the CSR using the upgraded version of OpenSSL and have it signed by a certificate authority. Once you receive the signed certificate, install it on each of your web servers.
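As an added example for the two fix steps (not the article's own commands), this shell snippet generates a fresh private key together with the new CSR, since a CSR built on the old key would carry forward any key material the bug exposed; it then checks that the CSR really belongs to that key before it goes to the CA, and, once the signed certificate is installed, compares the fingerprint of the certificate the server actually serves with the file on disk. Host name, port and file paths are placeholders, and the 2048-bit RSA key size is an assumed default.

```shell
#!/bin/sh
# Added example for the fix steps: new key + CSR, a key/CSR consistency
# check, and a post-install check of the served certificate.
# Host names, ports and paths are placeholders.

# Generate a new RSA private key and a CSR for it.
# Usage: renew_key_and_csr your-site.example site.key site.csr
renew_key_and_csr() {
    domain=$1; keyfile=$2; csrfile=$3
    # Unencrypted 2048-bit key so the web server can load it unattended
    openssl genrsa -out "$keyfile" 2048 2>/dev/null || return 1
    chmod 600 "$keyfile"
    # CSR with the site name as CN; -subj avoids the interactive prompts
    openssl req -new -key "$keyfile" -out "$csrfile" \
        -subj "/CN=$domain" 2>/dev/null || return 1
}

# Confirm the CSR was built from the given key by comparing RSA moduli.
# Prints "match" or "mismatch" and returns 0 or 1 accordingly.
csr_matches_key() {
    keyfile=$1; csrfile=$2
    key_mod=$(openssl rsa -in "$keyfile" -noout -modulus 2>/dev/null)
    csr_mod=$(openssl req -in "$csrfile" -noout -modulus 2>/dev/null)
    if [ -n "$key_mod" ] && [ "$key_mod" = "$csr_mod" ]; then
        echo match; return 0
    fi
    echo mismatch; return 1
}

# After installing the CA-signed certificate, confirm the server is serving
# it by comparing the SHA-256 fingerprint of the file with the live one.
# Usage: served_cert_matches your-site.example 443 /path/to/site.crt
served_cert_matches() {
    host=$1; port=$2; certfile=$3
    local_fp=$(openssl x509 -in "$certfile" -noout -fingerprint -sha256)
    live_fp=$(echo "QUIT" | openssl s_client -connect "$host:$port" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)
    [ -n "$local_fp" ] && [ "$local_fp" = "$live_fp" ]
}
```

Once the new certificate is in place, have the CA revoke the old one, since the key it was issued for may have been read from the vulnerable server's memory.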

I hope this helps you.
