Skip to content

Instantly share code, notes, and snippets.

@dolmen dolmen/README.md
Last active Aug 29, 2015

Embed
What would you like to do?
Check if your Perl 5 stack is vulnerable to the OpenSSL heartbleed bug

Check if your Perl stack is vulnerable to the OpenSSL « heartbleed » bug.

curl -s https://gist.githubusercontent.com/dolmen/10096474/raw/ssl-heartbleed-check.pl | perl
#!/usr/bin/env perl
use strict;
use warnings;
sub print_color (*$$)
{
my ($fh, $color, $text) = @_;
print $fh
-t $fh
? "\e[${color}m$text\e[m\n"
: "$text\n"
}
use Net::SSLeay ();
my $ssl_ver = Net::SSLeay::SSLeay();
my $ssl_ver_text = Net::SSLeay::SSLeay_version(0);
my $ssl_cflags = Net::SSLeay::SSLeay_version(2);
my $ssl_built_on = Net::SSLeay::SSLeay_version(3);
print "$ssl_ver_text\n";
printf "SSL version 0x%x %d.%d.%d%s\nCFLAGS=%s\nBUILT_ON=%s\n",
$ssl_ver,
($ssl_ver >> 28) & 0xff,
($ssl_ver >> 20) & 0xff,
($ssl_ver >> 12) & 0xff,
do { my $minor = ($ssl_ver >> 4) & 0xff; $minor ? chr(96+$minor) : '' },
$ssl_cflags,
$ssl_built_on;
# TODO : openssl may be dynamically linked, so the version reported by
# Net::SSLeay may not match the real version installed
if ( ($ssl_ver_text =~ /^OpenSSL 1\.0\.(?:1[a-f]?|2-beta1)(?:-fips)? /
|| ($ssl_ver >= 0x10001000 && $ssl_ver <= 0x1000106f) || $ssl_ver == 0x10002001)
&& $ssl_cflags !~ / -DOPENSSL_NO_HEARTBEATS /) {
(my $build_time = $ssl_built_on) =~ s/^[^:]*: *//;
my $recently_built = eval {
eval {
require POSIX;
POSIX::setlocale(POSIX::LC_TIME(), "C");
} or warn $@;
require Time::Piece;
my $t = Time::Piece->strptime($build_time, '%a %b %d %T UTC %Y');
#print $t->strftime("%Y-%m-%d"), "\n";
$t->epoch > 1396828800 # 2014-04-07 00:00:00
} or warn $@;
if ($recently_built) {
print_color \*STDERR, "1;33", "Version number indicates vulnerable, but your build is recent so may be patched.";
} else {
print_color \*STDERR, "1;31", "Vulnerable to heartbleed!";
}
exit 1;
} else {
#print_color \*STDOUT, "1;32", "Not vulnerable to heartbleed.";
print_color \*STDOUT, "1;33", "Maybe not vulnerable to heartbleed.";
}
@dolmen

This comment has been minimized.

Copy link
Owner Author

dolmen commented Apr 8, 2014

I just improved the check with an heuristic to detect patched versions.

@ironcamel

This comment has been minimized.

Copy link

ironcamel commented Apr 10, 2014

Time::Piece->strptime($build_time, '%a %b %d %T UTC %Y') fails if $build_time contains a time zone string other than UTC. Changing the format string to '%a %b %d %T %Z %Y' doesn't work either, whether the time string has UTC in it or not. Any ideas?

@ironcamel

This comment has been minimized.

Copy link

ironcamel commented Apr 11, 2014

A friend (@alnewkirk) showed me a workaround by using Time::ParseDate to parse the time string.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.