
@janl /
Last active Aug 29, 2015


How to run / yourself is a great service to the community.

I wouldn’t recommend testing hosts against an online tool. All you do is create a log of vulnerable hosts for a security-savvy person. While not quite the same, this is similar to uploading private keys or passwords to a service to check if they are secure.

Luckily it is easy to run the software locally, as the author was so kind as to provide the source. I don’t read Go very well, but a cursory glance suggests that the software does what it says on the tin, so we don’t worry about it phoning home.

This is the first time I’m building a Go project, so I have to install Go first. brew install go is easily done. You can get binary distributions for your OS from the Go homepage:

Heartbleed depends on a few other modules and I’m sure there is a fancy module system I can use, but I have no time to learn that right now (comments are open :), so I’m patching the source a little (see below), to make source imports local. I also clone git clone into the Heartbleed top level directory.

See for how to install the dependencies.

To build the thing, run go build.

Then I can run Heartbleed locally without creating a log elsewhere:


> git diff
diff --git a/bleed.go b/bleed.go
index f017e57..aa36d40 100644
--- a/bleed.go
+++ b/bleed.go
@@ -1,7 +1,7 @@
 package main
 import (
-       bleed ""
+       bleed "./bleed"
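Review bot: The added import bleed "./bleed" is a relative path, so the build only works when go build is run from a checkout that sits outside a GOPATH workspace, and it is rejected outright in module mode. Keeping the original fully qualified import path and placing the checkout where the toolchain expects it would avoid patching bleed.go at all; if the local import stays, a comment stating the required working directory would help the next person who builds this.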
diff --git a/bleed/heartbleed.go b/bleed/heartbleed.go
index afe8b41..cfd9dd1 100644
--- a/bleed/heartbleed.go
+++ b/bleed/heartbleed.go
@@ -4,8 +4,8 @@ import (
-       ""
-       ""
+       "../tls"
+       "../go-spew/spew"
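Review bot: The two added imports "../tls" and "../go-spew/spew" resolve relative to the bleed/ directory, so whatever happens to sit in those sibling directories is compiled into the checker with no record of its origin or revision. Since the point of building locally is to trust the result, note the expected directory layout and the commit of each clone next to this change, or keep the canonical import paths and fetch the dependencies through the Go tooling so the source of each package stays visible in the code.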

janl commented Apr 8, 2014

fancy explains how to do this without patching the source via

Has anyone experienced false positives? I've got a hosting provider who says they've patched but it's still reporting as vulnerable with this tool.
