openSSL heartbleed vulnerability - test with eapol_test?

Tue Apr 8 01:47:09 PDT 2014

Hi,

we folks from eduroam are really concerned about the news on the openssl
Heartbleed vulnerability.

With TLS being used for many EAP types, and with EAP being wrapped
inside RADIUS, it is well possible that a malicious supplicant can get
all the way through IDS/firewalls right into the (otherwise protected)
EAP server and read all its secrets.

For web servers or any other "just normal TLS over TCP", there are
already tests out there which help identify vulnerable TLS servers.

It is much more difficult to craft such a test for EAP.

eapol_test is of course the best candidate - subtle modifications to
include a heartbeat request immediately after completing the
(server-cert only) handshake would enable testing for this.

I guess with code for "normal" TLS being out there, porting this to
TLS-inside-EAP shouldn't be very hard... except that I can't write C
very well.

Is there any chance such a test facility could be included into
eapol_test? Or maybe a patch (no need to include this in mainstream
releases)?

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - R?seau T?l?informatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x8A39DC66.asc
Type: application/pgp-keys
Size: 3243 bytes
Desc: not available
URL: <http://lists.shmoo.com/pipermail/hostap/attachments/20140408/a2cb4ad7/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <http://lists.shmoo.com/pipermail/hostap/attachments/20140408/a2cb4ad7/attachment.pgp>