openSSL heartbleed vulnerability - test with eapol_test?

Jouni Malinen
Tue Apr 8 02:59:16 PDT 2014


On Tue, Apr 08, 2014 at 10:47:09AM +0200, Stefan Winter wrote:
> For web servers or any other "just normal TLS over TCP", there are
> already tests out there which help identify vulnerable TLS servers.
> 
> It is much more difficult to craft such a test for EAP.

I would not say it is more difficult, but clearly this is a less common
use case for TLS.

> eapol_test is of course the best candidate - subtle modifications to
> include a heartbeat request immediately after completing the
> (server-cert only) handshake would enable testing for this.
> 
> I guess with code for "normal" TLS being out there, porting this to
> TLS-inside-EAP shouldn't be very hard... except that I can't write C
> very well.
> 
> Is there any chance such a test facility could be included into
> eapol_test? Or maybe a patch (no need to include this in mainstream
> releases)?

Yes, I was planning on implementing this in the reverse direction for
testing the EAP peer side similarly to what I've already implemented for
a number of other TLS issues. It should be straightforward to extend the
design to work against the EAP server side as well so that this would be an
option in eapol_test.
 
-- 
Jouni Malinen                                            PGP id EFC895FA
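As an added illustration of the test sketched in the thread (this is not hostap code nor from either author), the block below builds a well-formed TLS heartbeat request, wraps it in an EAP-TLS Response the way a peer-side tool like eapol_test would have to frame it, and implements the receiver-side check whose absence was Heartbleed: the declared payload_length must fit inside the record. Record and packet layouts follow RFC 6520 and RFC 5216; the code assumes the record is sent in the clear, so encryption once the cipher is active is outside it, and all sample bytes are constructed.

```python
"""Added example: EAP-TLS framing of a TLS heartbeat request plus the
payload-length validation that a patched TLS stack performs."""
import os
import struct

TLS_HEARTBEAT = 24            # TLS record ContentType for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
EAP_RESPONSE, EAP_TYPE_TLS = 2, 13
EAPTLS_FLAG_L = 0x80          # EAP-TLS "length included" flag (RFC 5216)
HB_PADDING = 16               # minimum padding RFC 6520 requires


def build_heartbeat_record(payload: bytes, version=(3, 3)) -> bytes:
    """TLS record carrying a heartbeat request whose payload_length matches
    the bytes actually present, followed by 16 bytes of random padding."""
    body = struct.pack("!BH", HB_REQUEST, len(payload)) + payload + os.urandom(HB_PADDING)
    return struct.pack("!BBBH", TLS_HEARTBEAT, version[0], version[1], len(body)) + body


def wrap_eap_tls(identifier: int, tls_data: bytes) -> bytes:
    """EAP-TLS Response (Code 2, Type 13) with the L flag set and the 4-byte
    TLS Message Length, i.e. a single unfragmented TLS record."""
    total = 4 + 1 + 1 + 4 + len(tls_data)   # EAP hdr + type + flags + TLS len
    return struct.pack("!BBHBBI", EAP_RESPONSE, identifier, total,
                       EAP_TYPE_TLS, EAPTLS_FLAG_L, len(tls_data)) + tls_data


def heartbeat_length_ok(record: bytes) -> bool:
    """Defensive check: type(1) + payload_length(2) + payload + padding(16)
    must fit in the record. A mismatch is what the Heartbleed fix rejects."""
    if len(record) < 5 or record[0] != TLS_HEARTBEAT:
        return False
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 1 + 2 + HB_PADDING:
        return False
    payload_len = struct.unpack("!H", body[1:3])[0]
    return 1 + 2 + payload_len + HB_PADDING <= rec_len


if __name__ == "__main__":
    rec = build_heartbeat_record(b"probe")         # constructed sample payload
    print(wrap_eap_tls(1, rec).hex(), heartbeat_length_ok(rec))
```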
