@janl /howto.md
Last active Aug 29, 2015

How to run http://filippo.io/Heartbleed/ / https://github.com/FiloSottile/Heartbleed yourself

http://filippo.io/Heartbleed/ is a great service to the community.

I wouldn’t recommend testing hosts against an online tool. All you do is create a log for a security-savvy person with vulnerable hosts. While not quite the same, this is similar to uploading private keys or passwords to a service to check if they are secure.

Luckily it is easy to run the software locally, as the author was so kind as to provide the source. I don’t read Go very well, but a cursory glance suggests that the software does what it says on the tin, so we don’t worry about it phoning home.

This is the first time I’m building a Go project, so I have to install Go first. `brew install go` is easily done. You can get binary distributions for your OS from the Go homepage: https://code.google.com/p/go/downloads/list

Heartbleed depends on a few other modules and I’m sure there is a fancy module system I can use, but I have no time to learn that right now (comments are open :), so I’m patching the source a little (see below), to make source imports local. I also clone go-spew (`git clone https://github.com/davecgh/go-spew.git`) into the Heartbleed top-level directory.

See https://gist.github.com/janl/10107626#comment-1207459 for how to install the dependencies.

To build the thing, run `go build`.

Then I can run Heartbleed locally without creating a log elsewhere:

    ./Heartbleed example.com:443

> git diff
diff --git a/bleed.go b/bleed.go
index f017e57..aa36d40 100644
--- a/bleed.go
+++ b/bleed.go
@@ -1,7 +1,7 @@
 package main
 
 import (
-       bleed "github.com/FiloSottile/Heartbleed/bleed"
+       bleed "./bleed"
        "log"
        "os"
 )
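Review bot: the relative import `bleed "./bleed"` in bleed.go is resolved relative to the importing file's directory, so the program now only builds from this exact checkout layout and no longer matches the published source line for line. Consider keeping `github.com/FiloSottile/Heartbleed/bleed` and placing the checkout at that path in the Go workspace instead, so the code that was read and the code that is built stay identical to the upstream repository.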
diff --git a/bleed/heartbleed.go b/bleed/heartbleed.go
index afe8b41..cfd9dd1 100644
--- a/bleed/heartbleed.go
+++ b/bleed/heartbleed.go
@@ -4,8 +4,8 @@ import (
        "bytes"
        "encoding/binary"
        "errors"
-       "github.com/FiloSottile/Heartbleed/tls"
-       "github.com/davecgh/go-spew/spew"
+       "../tls"
+       "../go-spew/spew"
        "time"
 )
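Review bot: in bleed/heartbleed.go the new `"../go-spew/spew"` import points at a directory this diff does not add, so the build depends on whatever revision of go-spew was cloned by hand into the top-level directory, and nothing here records which one. Note the go-spew commit that was used, or keep the canonical `github.com/davecgh/go-spew/spew` path so the dependency is fetched the usual way. The same applies to `"../tls"`, which only resolves while heartbleed.go stays exactly one level below the top directory.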

janl commented Apr 8, 2014

fancy explains how to do this without patching the source via https://twitter.com/calavera/status/453496492377272320

Has anyone experienced false positives? I've got a hosting provider who says they've patched but it's still reporting as vulnerable with this tool.
