FiloSottile / Heartbleed

A checker (site and tool) for CVE-2014-0160
http://filippo.io/Heartbleed
MIT License

Broken pipe output shows for a website which doesn't accept Heartbit #63

Open ankit249 opened 10 years ago

ankit249 commented 10 years ago

Hi Filippo,

Your program gives the following output for this website.

    $$ > bin/Heartbleed myprint-online.com:443
    2014/04/11 23:36:42 myprint-online.com:443 - ERROR: write tcp 70.91.223.11:443: broken pipe

Whereas when I send the heartbeat through openssl, it says the server cannot accept a heartbeat connection.

    $ openssl s_client -connect myprint-online.com:443

    New, TLSv1/SSLv3, Cipher is AES128-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol : TLSv1
        Cipher : AES128-SHA
        Session-ID: 29090000B3F468F2377A97B3837AA15E1EB19F581C67103CDA7C764190B9ECA1
        Session-ID-ctx:
        Master-Key: 1329CF7427D367D3D8A9DA107B0EB5696A7C635E4C2B7CE84E857BB74C72CFDB5FDC38591392F0B2E8A22455D282BD70
        Key-Arg : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1397259160
        Timeout : 300 (sec)
        Verify return code: 0 (ok)

    B
    HEARTBEATING
    139922322958152:error:1413B16D:SSL routines:SSL_F_TLS1_HEARTBEAT:peer does not accept heartbearts:t1_lib.c:2574:

yakatz commented 10 years ago

Your site is running Microsoft IIS and therefore is not vulnerable to an OpenSSL bug. I will submit a PR to update the README with a link to the FAQ which explains this.

ankit249 commented 10 years ago

Hi Yehuda,

Thanks for your response. Is it proven or documented somewhere that all versions of the latest IIS running on every possible Windows OS are not vulnerable to Heartbleed?

Also are you giving broken pipe error because of no openssl present on that server?

yakatz commented 10 years ago

No version of IIS uses OpenSSL (http://blogs.technet.com/b/erezs_iis_blog/archive/2014/04/09/information-about-heartbleed-and-iis.aspx).

The broken pipe error is just a side effect of the IIS implementation of SSL.
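An added example, not part of the thread and not the checker's own code: a server without heartbeat support omits the RFC 6520 extension (type 15) from its ServerHello, which is the condition behind the `s_client` error quoted in the report. The Go sketch below parses a ServerHello handshake message and reports whether that extension was advertised; the `sample` helper and its bytes are constructed for illustration (TLS 1.0, AES128-SHA, as in the report).

```go
package main

import (
	"errors"
	"fmt"
)

var errMalformed = errors.New("malformed ServerHello")

// HeartbeatMode parses a ServerHello handshake message (header included) and
// returns the RFC 6520 mode byte if the server advertised the extension.
func HeartbeatMode(sh []byte) (mode byte, present bool, err error) {
	if len(sh) < 39 || sh[0] != 0x02 {
		return 0, false, errMalformed
	}
	u16 := func(i int) int { return int(sh[i])<<8 | int(sh[i+1]) }
	end := 4 + int(sh[1])<<16 + u16(2)
	p := 38 + 1 + int(sh[38]) + 2 + 1 // past header, version, random, session_id, suite, compression
	if end > len(sh) || p > end || (p < end && (p+2 > end || p+2+u16(p) != end)) {
		return 0, false, errMalformed
	}
	for p += 2; p < end; p += 4 + u16(p+2) {
		if p+4 > end || p+4+u16(p+2) > end {
			return 0, false, errMalformed
		}
		if u16(p) == 15 && u16(p+2) == 1 { // well-formed heartbeat extension
			return sh[p+4], true, nil // 1 = peer_allowed_to_send, 2 = peer_not_allowed_to_send
		}
	}
	return 0, false, nil
}

// sample builds a constructed ServerHello around the given extension bytes.
func sample(exts []byte) []byte {
	body := append([]byte{0x03, 0x01}, make([]byte, 32)...) // TLS 1.0, zeroed random
	// empty session_id, suite 0x002f, null compression, extensions length
	body = append(body, 0, 0x00, 0x2f, 0, byte(len(exts)>>8), byte(len(exts)))
	body = append(body, exts...)
	return append([]byte{0x02, 0, byte(len(body) >> 8), byte(len(body))}, body...)
}

func main() {
	reneg := []byte{0xff, 0x01, 0x00, 0x01, 0x00} // renegotiation_info only
	hb := []byte{0x00, 0x0f, 0x00, 0x01, 0x01}    // heartbeat, peer_allowed_to_send
	for _, sh := range [][]byte{sample(reneg), sample(append(reneg, hb...))} {
		mode, ok, err := HeartbeatMode(sh)
		fmt.Println("heartbeat advertised:", ok, "mode:", mode, "err:", err)
	}
}
```

When the extension is absent, a heartbeat probe has nothing to test, so a transport error such as the broken pipe above is an inconclusive result rather than a finding.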