subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Sperling <s...@elego.de>
Subject Re: Subversion and Heartbleed
Date Sun, 13 Apr 2014 11:45:59 GMT
On Sun, Apr 13, 2014 at 07:21:26AM -0400, Nico Kadel-Garcia wrote:
> I'm assuming that the vulnerability for particular httpd (Apache 2.x)
> web servers is *only* activated when the "mod_ssl" module is loaded,

Yes. The server must perform TLS negotiation using a vulnerable
OpenSSL version. Data leaked via heartbleed can come from unrelated
connections handled by the same server process, whether or not those
other connections use TLS.

> I've not seen any verification that proxies set for simple HTTP
> pass-through are vulnerable. I suspect they're safe, but I'd really
> like to have a test tool to verify this. Has anyone seen a Heartbleed
> test tool that will test HTTP sites, or HTTPS on ports other than 443?

There are published test scripts. You can edit them and change the port.
E.g. https://github.com/musalbas/heartbleed-masstest/blob/master/ssltest.py
will do what you want if you adjust the port number (and perhaps
simplify the argument processing such that the script probes a
single server specified on the command line).

Mime
View raw message