Skip to content

Instantly share code, notes, and snippets.

@janl

janl/howto.md

Last active August 29, 2015 13:58
Show Gist options
  • Star 8 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save janl/10107626 to your computer and use it in GitHub Desktop.
Save janl/10107626 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
howto.md

How to run http://filippo.io/Heartbleed/ / https://github.com/FiloSottile/Heartbleed yourself

http://filippo.io/Heartbleed/ is a great service to the community.

I wouldn’t recommend testing hosts againt an online tool. All you do is create a log for a security savvy person with vulnerable hosts. While not quite the same, this is similar to uploading private keys or passwords to a service to check if they are secure.

Luckily it is easy to run the software locally, as the author was so kind to provide the source. I don’t read go very well, but a cursory glance suggests that the software does what it says on the tin, so we don’t worry about it phoning home.

This is the first time I’m building a go project, so I have to install go first. brew install go is easily done. You can get binary distributions for your OS from the go homepage: https://code.google.com/p/go/downloads/list

Heartbleed depends on a few other modules and I’m sure there is a fancy module system I can use, but I have no time to learn that right now (comments are open :), so I’m patching the source a little (see below), to make source imports local. I also clone git clone https://github.com/davecgh/go-spew.git into the Heartbleed top level directory.

See https://gist.github.com/janl/10107626#comment-1207459 for how to install the dependencies.

To build the thing, run go build.

Then I can run Heartbleed locally without creating a log elsewhere:

./Heartbleed example.com:443

> git diff
diff --git a/bleed.go b/bleed.go
index f017e57..aa36d40 100644
--- a/bleed.go
+++ b/bleed.go
@@ -1,7 +1,7 @@
 package main
 
 import (
-       bleed "github.com/FiloSottile/Heartbleed/bleed"
+       bleed "./bleed"
        "log"
        "os"
 )
diff --git a/bleed/heartbleed.go b/bleed/heartbleed.go
index afe8b41..cfd9dd1 100644
--- a/bleed/heartbleed.go
+++ b/bleed/heartbleed.go
@@ -4,8 +4,8 @@ import (
        "bytes"
        "encoding/binary"
        "errors"
-       "github.com/FiloSottile/Heartbleed/tls"
-       "github.com/davecgh/go-spew/spew"
+       "../tls"
+       "../go-spew/spew"
        "time"
 )
@janl
Copy link
Author

janl commented Apr 8, 2014

Alternative: https://github.com/titanous/heartbleeder via https://twitter.com/germanstudent/status/453479816533381120

@janl
Copy link
Author

janl commented Apr 8, 2014

Alternative http://s3.jspenguin.org/ssltest.py via https://twitter.com/zakx/status/453481347181719552

@janl
Copy link
Author

janl commented Apr 8, 2014

fancy explains how to do this without patching the source via https://twitter.com/calavera/status/453496492377272320

@unclespeedo
Copy link

Has anyone experienced false positives? I've got a hosting provider who says they've patched but it's still reporting as vulnerable with this tool.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment