Re: [exim-dev] heartbleed detection

Top Pagina
Delete this message
Reply to this message
Auteur: Phil Pennock
Datum:  
Aan: Wolfgang Breyha
CC: exim-dev
Onderwerp: Re: [exim-dev] heartbleed detection
On 2014-04-09 at 14:26 +0200, Wolfgang Breyha wrote:
> I patched my exim to detect heartbleed attacks/checks. The patch is quick and
> dirty and not intended for HEAD or inexperienced users. That's why I post it
> only here. Don't know the impact of setting a tls_msg_callback on the
> performance yet.


Note that to have a detection feature of "someone tried it", we'd
probably also want support in GnuTLS to detect the attack probes. But
otherwise, I'm happy with this as an EXPERIMENTAL_HEARTBLEED_DETECT
feature, as long as we're clear that the goal is to remove it down the
line, instead of integrate it. I also think that you'll get a lot of
noise in the logs, akin unto web-server logs recording people searching
for exploitable PHP scripts.

Probably of most use for Universities who want to be able to have
someone in Security knock on a student's door to have a quiet discussion
about wise decisions and their future.

Probably best to just deploy a fixed OpenSSL and verify that running
"exim -d --version" shows the new OpenSSL Runtime version.

-Phil