openSSL heartbleed vulnerability - test with eapol_test?

Jouni Malinen j
Tue Apr 8 14:00:38 PDT 2014

On Tue, Apr 08, 2014 at 04:40:07PM -0400, sven falempin wrote:
> On Tue, Apr 8, 2014 at 4:23 PM, Jouni Malinen <j at> wrote:
> > On Tue, Apr 08, 2014 at 05:51:08PM +0300, Jouni Malinen wrote:
> > > Anyway, it looks like misuse of OpenSSL APIs prevents most attack
> > > options for this case, so this may be somewhat less critical for EAP
> > > servers compared to other uses of TLS. I tested with a couple of RADIUS
> > > authentication servers and could not trigger the issue, for reasons
> > > that I confirmed to be because of incorrect OpenSSL API use. (For
> > > completeness, I did fix one such case to verify that the test tool works
> > > and to confirm that this was indeed "safer" due to incorrect API use.)

> I used a hostapd with a static openssl, hopefully radius is elsewhere

If it was not clear enough, that comment about misuse of OpenSSL APIs is
very much applicable to hostapd-as-EAP-server, i.e., it does not really
seem to be capable of running through a TLS exchange that includes a
heartbeat. Not really a good thing in general, but in this specific
case, it looks like it prevents hitting this OpenSSL issue if hostapd
was the authentication server (but a much more common setup is to use an
external authentication server).

> if I am thorough I should regenerate all certificates of clients because
> this machine hosted an https website

That is a much more likely attack vector for this issue than TLS within
EAP methods, taking into account various constraints on message sizes.
Not that it would be impossible to implement EAP-PEAP/TTLS in a way
that would provide full exposure to this issue, but I have not yet found
such a server implementation. Or well, I did make one myself for test
use by fixing the bugs mentioned above, but I'm not planning on
committing those fixes for now. :)
Jouni Malinen                                            PGP id EFC895FA
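The thread turns on whether a TLS heartbeat can be pushed through the EAP server at all and on what a correctly behaving peer does with one. As an added example, not code from hostapd, eapol_test or OpenSSL, the following C shows the RFC 6520 heartbeat message layout and the bounds check a responder must apply before echoing the payload: the claimed payload length plus the 3-byte header and the 16-byte minimum padding must fit inside the bytes actually received, otherwise the message is silently discarded. The `make_request` helper and the `run_checks` function are assumptions for constructing test input; the two-byte length field, the 16-byte padding floor and the discard rule come from RFC 6520.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16   /* RFC 6520: padding must be at least 16 bytes */

/* Validate a heartbeat message body (type, 2-byte payload_length, payload,
 * padding). Returns the payload length that may be echoed, or -1 if the
 * message must be silently discarded (RFC 6520 section 4). */
int heartbeat_payload_len(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 1 + 2 + HB_MIN_PADDING)
        return -1;
    if (msg[0] != HB_REQUEST && msg[0] != HB_RESPONSE)
        return -1;
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];
    /* The bounds check Heartbleed lacked: header + claimed payload + minimum
     * padding must fit inside the bytes that were actually received. */
    if (1 + 2 + claimed + HB_MIN_PADDING > msg_len)
        return -1;
    return (int)claimed;
}

/* Build a HeartbeatResponse that echoes only validated payload bytes.
 * Returns bytes written to out, or -1 on discard / insufficient space. */
int heartbeat_build_response(const uint8_t *req, size_t req_len,
                             uint8_t *out, size_t out_cap)
{
    int plen = heartbeat_payload_len(req, req_len);
    if (plen < 0 || req[0] != HB_REQUEST)
        return -1;
    size_t need = 1 + 2 + (size_t)plen + HB_MIN_PADDING;
    if (need > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)plen;
    memcpy(out + 3, req + 3, (size_t)plen);
    /* padding content is arbitrary per the RFC; zero it rather than copy */
    memset(out + 3 + plen, 0, HB_MIN_PADDING);
    return (int)need;
}

/* Constructed test input (assumption, not a captured message): a request whose
 * length field claims `claimed` bytes while carrying only `actual` bytes. */
size_t make_request(uint8_t *buf, size_t cap, size_t claimed, size_t actual)
{
    size_t len = 1 + 2 + actual + HB_MIN_PADDING;
    if (len > cap)
        return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)claimed;
    memset(buf + 3, 'A', actual);
    memset(buf + 3 + actual, 0, HB_MIN_PADDING);
    return len;
}

/* Runs three checks and returns how many passed (3 when all behave). */
int run_checks(void)
{
    uint8_t req[64], out[64];
    int passed = 0;

    /* honest request: 3 bytes claimed, 3 bytes carried -> echo 3 bytes */
    size_t n = make_request(req, sizeof req, 3, 3);
    if (n == 22 && heartbeat_payload_len(req, n) == 3)
        passed++;

    /* over-claimed request: 65535 claimed, 3 carried -> must be discarded */
    n = make_request(req, sizeof req, 0xFFFF, 3);
    if (n == 22 && heartbeat_payload_len(req, n) == -1 &&
        heartbeat_build_response(req, n, out, sizeof out) == -1)
        passed++;

    /* response to the honest request echoes exactly the carried payload */
    n = make_request(req, sizeof req, 3, 3);
    if (heartbeat_build_response(req, n, out, sizeof out) == 22 &&
        out[0] == HB_RESPONSE && memcmp(out + 3, "AAA", 3) == 0)
        passed++;

    return passed;
}

int main(void)
{
    printf("%d/3 heartbeat length checks behaved as expected\n", run_checks());
    return 0;
}
```

The second check is the whole point: a responder without the `1 + 2 + claimed + 16 > msg_len` test would copy 65535 bytes from a 22-byte message, reading past it into whatever the process holds. The message-size constraints the reply mentions for TLS inside EAP affect how much of such a response could be carried back, but the length check is what removes the read in the first place.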
