[erlang-questions] Does Erlang/OTP SSL app have heartbleed vulnerability?

Alex Wilson alex@REDACTED
Wed Apr 9 10:43:46 CEST 2014


On 8 Apr 2014, at 5:54 pm, Ingela Andin <ingela.andin@REDACTED> wrote:
> You are correct, the heartbeat extension is not currently supported, but will likely be implemented in the future. As far as I understood the OpenSSL bug is due to a memory boundary problem,
> which really is not a problem you have when you use Erlang to write your code :)

After reading this, I went away and wrote a basic implementation of the Heartbeat extension -- just to learn to understand the extension thoroughly and be able to write a checker in Erlang that looks for the vulnerability. I've attached the patch in case it might be useful to someone out there, and a simple escript to use the (internal API) heartbeat function to check for Heartbleed on a host. Patch is against R16B03-1, but should apply cleanly on R17 and probably other R16 releases. (the whitespace is probably messed up though, might need -l to patch)

Now you can use Erlang to check your other servers for it instead of horrible Python code ;) (it's more robust than many of the Python/Go checkers too, since it borrows the full SSL implementation that's already there instead of hard-coded Hello packets and other things)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssl-heartbeat.patch
Type: application/octet-stream
Size: 16885 bytes
Desc: not available
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20140409/00de641c/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: heartbreaker.erl
Type: application/octet-stream
Size: 4443 bytes
Desc: not available
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20140409/00de641c/attachment-0001.obj>
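The point made in the quoted reply, that the Heartbleed bug is a memory boundary problem you do not get in Erlang, can be shown on the RFC 6520 HeartbeatMessage itself. The module below is an added example written for this thread; it is not the ssl-heartbeat.patch attached above and not part of OTP's ssl application, and the module and function names (heartbeat_demo, decode/1, encode/3, respond/1) are my own. It parses and builds heartbeat messages with binary pattern matching: the segment `Payload:PayloadLen/binary` only matches when at least payload_length bytes are actually present, so a request that declares more payload than it carries falls through to an error clause instead of being answered with memory past the buffer.

```erlang
%% heartbeat_demo.erl -- added example, not the patch from the post and not OTP code.
%% Parses and builds RFC 6520 HeartbeatMessage structures with Erlang binary
%% pattern matching. The declared payload_length is checked against the bytes
%% actually present, so an over-long length is rejected, which is the check
%% OpenSSL was missing in the Heartbleed bug.
-module(heartbeat_demo).
-export([decode/1, encode/3, respond/1, demo/0]).

-define(HEARTBEAT_REQUEST, 1).
-define(HEARTBEAT_RESPONSE, 2).
-define(MIN_PADDING, 16).   %% RFC 6520 section 4: padding MUST be at least 16 bytes

%% Decode a HeartbeatMessage:
%%   struct { HeartbeatMessageType type; uint16 payload_length;
%%            opaque payload[payload_length]; opaque padding[padding_length]; }
%% Returns {ok, Type, Payload} or {error, Reason}.
decode(<<Type:8, PayloadLen:16, Payload:PayloadLen/binary, Padding/binary>>)
  when Type =:= ?HEARTBEAT_REQUEST; Type =:= ?HEARTBEAT_RESPONSE ->
    %% This clause is only entered when at least PayloadLen bytes follow the
    %% header; there is no way to read beyond the end of the binary.
    case byte_size(Padding) >= ?MIN_PADDING of
        true  -> {ok, type_name(Type), Payload};
        false -> {error, padding_too_short}
    end;
decode(<<Type:8, _PayloadLen:16, _Rest/binary>>)
  when Type =:= ?HEARTBEAT_REQUEST; Type =:= ?HEARTBEAT_RESPONSE ->
    %% Header parsed but payload_length exceeds the bytes present.
    %% RFC 6520 says such a message MUST be discarded silently.
    {error, payload_length_exceeds_message};
decode(_) ->
    {error, malformed}.

%% Build a HeartbeatMessage with random padding of the requested length.
encode(Type, Payload, PaddingLen)
  when is_binary(Payload), PaddingLen >= ?MIN_PADDING ->
    Padding = crypto:strong_rand_bytes(PaddingLen),
    <<(type_code(Type)):8, (byte_size(Payload)):16, Payload/binary, Padding/binary>>.

%% What a conforming peer does with an incoming message: echo the payload of a
%% well-formed request in a heartbeat_response, and drop everything else.
respond(Request) ->
    case decode(Request) of
        {ok, request, Payload} -> {ok, encode(response, Payload, ?MIN_PADDING)};
        {ok, response, _}      -> {error, not_a_request};
        {error, _} = Err       -> Err
    end.

type_name(?HEARTBEAT_REQUEST)  -> request;
type_name(?HEARTBEAT_RESPONSE) -> response.
type_code(request)  -> ?HEARTBEAT_REQUEST;
type_code(response) -> ?HEARTBEAT_RESPONSE.

%% Round-trip a good request, then feed a constructed request that declares
%% 65535 bytes of payload while carrying only 5 bytes plus 16 bytes of padding.
demo() ->
    Good = encode(request, <<"hello">>, 16),
    {ok, Resp} = respond(Good),
    {ok, response, <<"hello">>} = decode(Resp),
    Bad = <<?HEARTBEAT_REQUEST:8, 16#FFFF:16, "hello", 0:(16*8)>>,
    {error, payload_length_exceeds_message} = respond(Bad),
    ok.
```

Compile with `erlc heartbeat_demo.erl` and run `heartbeat_demo:demo().` in a shell; it returns `ok` only if the well-formed request is echoed and the over-long one is refused. The same length-versus-buffer discipline is what a checker like the attached heartbreaker.erl relies on from the other side: a patched server answers with exactly payload_length bytes of echo or nothing at all, never with more than it was sent.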

