1

In light of the recent heartbleed flaw, I am trying to do some analysis of various systems that I connect with (email, login pages, etc). I am trying to use the OpenSSL commandline tool to verify what protocols the systems I connect with are using.

Part of the response is:

...
SSL-Session:
    Protocol  : TLSv1
...

Is that all I need to verify that this service is not using Openssl (particularly the buggy 1.0.1 versions)? (I am thinking that it ISN'T enough, as I connected with a server that I KNOW is using Openssl 0.9.8 and it responded with the same string as shown above.)

4

1 回答 1

2

TLSv1 指的是协议 TLS 版本 1,而 openssl、NSS、GnuTLS、PolarSSL ... 是协议的实现。您通常无法仅从正常的 TLS 对话框中检测到哪个 SSL 实现或哪个版本的实现在另一端运行,因此您最好使用任何可用的工具来检查服务器是否易受攻击。

您可以尝试使用 的-tlsextdebug选项openssl s_client来找出对方支持的 TLS 扩展。易受攻击的版本通常表明它们支持心跳扩展,但我不会指望它。当然,固定版本也支持这个扩展。如果宣传了对扩展的支持,您可以在以下输出中找到openssl s_client -tlsextdebug -connect ...

TLS 服务器扩展 "heartbeat" (id=15), len=1

于 2014-04-13T17:29:28.560 回答