openSSL heartbleed vulnerability - test with eapol_test?
Tue Apr 8 14:00:38 PDT 2014
On Tue, Apr 08, 2014 at 04:40:07PM -0400, sven falempin wrote:
> On Tue, Apr 8, 2014 at 4:23 PM, Jouni Malinen <j at w1.fi> wrote:
> > On Tue, Apr 08, 2014 at 05:51:08PM +0300, Jouni Malinen wrote:
> > > Anyway, it looks like misuse of OpenSSL APIs prevents most attack
> > > options for this case, so this may be somewhat less critical for EAP
> > > servers compared to other uses of TLS. I tested with a couple of RADIUS
> > > authentication servers and could not trigger the issue due to reasons
> > > that I confirmed to be because of incorrect OpenSSL API use. (For
> > > completeness, I did fix one such case to verify that the test tool works
> > > and to confirm that this was indeed "safer" due to incorrect API use.)
> I used a hostapd with a static OpenSSL, hopefully RADIUS is elsewhere
If it was not clear enough, that comment about misuse of OpenSSL APIs is
very much applicable to hostapd-as-EAP-server, i.e., it does not really
seem to be capable of running through a TLS exchange that includes a
heartbeat. Not really a good thing in general, but in this specific
case, it looks like it prevents hitting this OpenSSL issue if hostapd
was the authentication server (but much more common setup is to use an
external authentication server).
> If I am thorough I should regenerate all certificates of clients because
> this machine hosted an HTTPS website
That is a much more likely attack vector for this issue than TLS within
EAP methods, taking into account various constraints on message sizes.
Not that it would be impossible to implement EAP-PEAP/TTLS in a way
that would provide full exposure to this issue, but I have not yet found
such a server implementation. Or well, I did make one myself for test
use by fixing the bugs mentioned above, but I'm not planning on
committing those fixes for now. :)
Jouni Malinen PGP id EFC895FA