Closed florianrein closed 2 years ago
Hey, for the Heartbleed vulnerability, "uncertain" means that TLS-Attacker wasn't even able to finish the handshake with the server and send the heartbeat messages to test for Heartbleed. But you are correct, we should add a sentence or two explaining the situation.
We moved the Heartbleed scans (and in fact all scans) to TLS-Scanner (https://github.com/tls-attacker/TLS-Scanner), where we have more fine-grained control over the response from the test. Our next version (TLS-Scanner 4.3.0) can completely explain itself. Sadly this feature didn't make it into 4.2.0. Closing this here.
Hello tls-attacker team, in a recent evaluation run we got the following result for a Heartbleed check as the last line in the log file:
Vulnerable: Uncertain
The remaining log file did not contain any hints about why it could not be determined whether the server is affected. We ran the experiment with debug logs on, but still found no hints about the uncertainty. This left us a little... uncertain... about how to handle the case. :-)
tls-attacker should print a few explanatory sentences about why it could not be determined whether the target server is affected or not, after printing the result as seen above.