
heartbleed's Introduction

Heartbleed

A checker (site and tool) for CVE-2014-0160.

Public site at https://filippo.io/Heartbleed/

Tool usage:

    Heartbleed [-service="service_name"] example.com[:443]
    Heartbleed service_name://example.com[:443]

Exit codes: 0 - SAFE; 1 - VULNERABLE; 2 - ERROR. (recently changed)

See the online FAQ for an explanation of error messages including TIMEOUT and BROKEN PIPE.

If a service name other than https is specified, the tool checks that service using STARTTLS. You still need to specify the correct port.

Install

You will need Go >= 1.2; otherwise you'll get undefined: cipher.AEAD and other errors.

    go get github.com/FiloSottile/Heartbleed

You can also use Docker to get a ready to run virtual machine with Heartbleed: https://github.com/kasimon/docker-heartbleed

heartbleed's People

Contributors

asfaltboy, filosottile, fmpwizard, html5cat, inkel, jrconlin, kasimon, kisom, oremj, rtshanks, yakatz

heartbleed's Issues

smtp does not work on office365

Heartbleed -service=smtp smtp.office365.com:587
2014/04/11 10:17:51 smtp.office365.com:587 - ERROR: Server does not support STARTTLS (503 5.5.2 Send hello first)

Need support for STARTTLS for more SSL/TLS tests

Without support for STARTTLS it's not possible to test protocols such as SMTP, POP3, IMAP, FTP, etc., which might be able to do SSL/TLS after an initial cleartext negotiation, depending on the server.

For example, openssl s_client supports:

    -starttls prot - use the STARTTLS command before starting TLS
    for those protocols that support it, where
    'prot' defines which one to assume. Currently,
    only "smtp", "pop3", "imap", "ftp" and "xmpp"
    are supported.

panic: runtime error: invalid memory address or nil pointer dereference

Testing openssl.org:443 gives a panic. See below.
Possible side effect: the site http://filippo.io/Heartbleed/#openssl.org:443 then (incorrectly?) says "openssl.org:443 IS VULNERABLE."

Running on Ubuntu 14.04, with Heartbleed of today (2014-04-08, 21:27 GMT)

sander@flappie:~/git/Heartbleed$ ./Heartbleed openssl.org:443
panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xb code=0x1 addr=0x2e2]

goroutine 5 [running]:
github.com_davecgh_go_spew_spew.dumpSlice.pN41_github.com_davecgh_go_spew_spew.dumpState
/home/sander/git/Heartbleed/src/github.com/davecgh/go-spew/spew/dump.go:226
github.com_davecgh_go_spew_spew.dump.pN41_github.com_davecgh_go_spew_spew.dumpState
/home/sander/git/Heartbleed/src/github.com/davecgh/go-spew/spew/dump.go:323
spew.fdump
/home/sander/git/Heartbleed/src/github.com/davecgh/go-spew/spew/dump.go:430
github.com_davecgh_go_spew_spew.Fdump
/home/sander/git/Heartbleed/src/github.com/davecgh/go-spew/spew/dump.go:438
heartbleed.$nested0
/home/sander/git/Heartbleed/src/github.com/FiloSottile/Heartbleed/bleed/heartbleed.go:47
github.com_FiloSottile_Heartbleed_tls.readRecord.pN42_github.com_FiloSottile_Heartbleed_tls.Conn
/home/sander/git/Heartbleed/src/github.com/FiloSottile/Heartbleed/tls/conn.go:658
github.com_FiloSottile_Heartbleed_tls.Read.pN42_github.com_FiloSottile_Heartbleed_tls.Conn
/home/sander/git/Heartbleed/src/github.com/FiloSottile/Heartbleed/tls/conn.go:909
heartbleed.$nested1
/home/sander/git/Heartbleed/src/github.com/FiloSottile/Heartbleed/bleed/heartbleed.go:77
created by github.com_FiloSottile_Heartbleed_bleed.Heartbleed
/home/sander/git/Heartbleed/src/github.com/FiloSottile/Heartbleed/bleed/heartbleed.go:75

goroutine 1 [select]:
github.com_FiloSottile_Heartbleed_bleed.Heartbleed
/home/sander/git/Heartbleed/src/github.com/FiloSottile/Heartbleed/bleed/heartbleed.go:87
main.main
/home/sander/git/Heartbleed/bleed.go:10

goroutine 6 [sleep]:
heartbleed.$nested2
/home/sander/git/Heartbleed/src/github.com/FiloSottile/Heartbleed/bleed/heartbleed.go:81
created by github.com_FiloSottile_Heartbleed_bleed.Heartbleed
/home/sander/git/Heartbleed/src/github.com/FiloSottile/Heartbleed/bleed/heartbleed.go:80
sander@flappie:~/git/Heartbleed$

This might be a pointer:

$ wget openssl.org:443
--2014-04-08 22:25:22-- http://openssl.org:443/
Resolving openssl.org (openssl.org)... 194.97.152.144
Connecting to openssl.org (openssl.org)|194.97.152.144|:443... connected.
HTTP request sent, awaiting response... 400 Bad Request
2014-04-08 22:25:22 ERROR 400: Bad Request.

Ubuntu 12.04 LTS Missing something?

I think I'm still missing something. Any idea what it is?
I installed go:
sudo apt-get install golang-go

then installed git:
sudo apt-get install git-core

I try the command:
sudo go get github.com/FiloSottile/Heartbleed
and get the following:

github.com/davecgh/go-spew/spew

/usr/lib/go/src/pkg/github.com/davecgh/go-spew/spew/dump.go:211: vt.ConvertibleTo undefined (type reflect.Type has no field or method ConvertibleTo)
/usr/lib/go/src/pkg/github.com/davecgh/go-spew/spew/dump.go:217: vv.Convert undefined (type reflect.Value has no field or method Convert)

github.com/FiloSottile/Heartbleed/tls

/usr/lib/go/src/pkg/github.com/FiloSottile/Heartbleed/tls/cipher_suites.go:66: undefined: cipher.AEAD
/usr/lib/go/src/pkg/github.com/FiloSottile/Heartbleed/tls/cipher_suites.go:133: undefined: cipher.AEAD
/usr/lib/go/src/pkg/github.com/FiloSottile/Heartbleed/tls/cipher_suites.go:149: undefined: cipher.AEAD
/usr/lib/go/src/pkg/github.com/FiloSottile/Heartbleed/tls/handshake_server.go:556: undefined: crypto.PublicKey
/usr/lib/go/src/pkg/github.com/FiloSottile/Heartbleed/tls/tls.go:93: undefined: net.Dialer

Getting timeout on all negatives?

This is with the command line tool.

Sites which I know are fixed correctly give a SAFE response, but sites which I believe are not give an ERROR: heartbleed: timeout response. I can't get a straightforward "NOT SAFE" response (or whatever it gives in that condition).

Interpreting the output

Hi there Filippo, first of all thank you so much for writing this handy tool. I've installed it at work and am running it off my Windows machine using a PowerShell script to check internal hosts (as well as our external hosts). I will post the PowerShell wrapper here shortly; although I am not a "coder", it is extremely simple and just a wrapper to run your script.

I had a question about interpreting the output of your Heartbleed script, for example I am getting these results (among the detected VULNERABLE and CLEANs):

  1. 2014/04/09 11:17:47 10.48.101.36:443 - ERROR: tls: failed to parse certificate from server: x509: negative serial number

  2. 2014/04/09 11:14:42 10.50.1.1:443 - ERROR: tls: server selected unsupported protocol version 300

  3. 2014/04/09 11:31:28 10.32.42.105:443 - ERROR: remote error: bad record MAC

Do you have a list of possible outcomes to understand whether that means those IP addresses should be tested further, or any other way to interpret this output? Thanks.
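Added example, not part of the issue above or of the project's code: one way to triage mixed output like these lines, using the README's exit-code meanings (0 SAFE, 1 VULNERABLE, 2 ERROR) and keeping ERROR as "inconclusive, re-test" rather than folding it into SAFE. The `host - SAFE` line shape and the 192.0.2.x hosts are assumptions; the page itself only quotes ERROR and VULNERABLE lines.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Verdict follows the README's exit codes: 0 SAFE, 1 VULNERABLE, 2 ERROR.
type Verdict int

const (
	Safe Verdict = iota
	Vulnerable
	Inconclusive // ERROR: the check did not complete, so nothing was proven
)

// lineRE matches "<date> <time> [host:port ]- STATUS[: detail]". The host is
// optional because output quoted on this page sometimes lacks it.
var lineRE = regexp.MustCompile(
	`^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} (?:(\S+) )?- (SAFE|VULNERABLE|ERROR)(?:: (.*))?$`)

var verdicts = map[string]Verdict{"SAFE": Safe, "VULNERABLE": Vulnerable, "ERROR": Inconclusive}

// ParseLine returns ok=false for anything that is not a verdict line
// (hex dumps, scanner log lines, blank lines).
func ParseLine(line string) (host string, v Verdict, detail string, ok bool) {
	m := lineRE.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return "", 0, "", false
	}
	return m[1], verdicts[m[2]], m[3], true
}

// Summary keeps the three outcomes apart so ERROR is never counted as SAFE.
type Summary struct{ Vulnerable, Inconclusive, Safe []string }

// Triage sorts every verdict line of a batch into its bucket.
func Triage(output string) Summary {
	var s Summary
	for _, line := range strings.Split(output, "\n") {
		host, v, detail, ok := ParseLine(line)
		switch {
		case !ok: // not a verdict line, skip
		case v == Vulnerable:
			s.Vulnerable = append(s.Vulnerable, host)
		case v == Inconclusive:
			s.Inconclusive = append(s.Inconclusive, host+": "+detail)
		default:
			s.Safe = append(s.Safe, host)
		}
	}
	return s
}

// ExitCode reports the worst outcome of the batch using the README's codes.
func (s Summary) ExitCode() int {
	switch {
	case len(s.Vulnerable) > 0:
		return 1
	case len(s.Inconclusive) > 0:
		return 2
	}
	return 0
}

// sample: the three ERROR lines quoted in the issue, followed by constructed
// SAFE, VULNERABLE and hex-dump lines (192.0.2.x is documentation space).
const sample = `
2014/04/09 11:17:47 10.48.101.36:443 - ERROR: tls: failed to parse certificate from server: x509: negative serial number
2014/04/09 11:14:42 10.50.1.1:443 - ERROR: tls: server selected unsupported protocol version 300
2014/04/09 11:31:28 10.32.42.105:443 - ERROR: remote error: bad record MAC
2014/04/09 11:32:00 192.0.2.10:443 - SAFE
2014/04/09 11:32:05 192.0.2.11:443 - VULNERABLE
00000000 02 00 79 68 65 61 72 74 |..yheart|
`

func main() {
	s := Triage(sample)
	fmt.Printf("vulnerable=%v\nre-test=%q\nsafe=%v\nexit=%d\n", s.Vulnerable, s.Inconclusive, s.Safe, s.ExitCode())
}
```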

Data protection

Hi, when checking mail.yahoo.com I have noticed that a password and sometimes even a username is returned, which is pretty serious. Under a minute of clicking 2 pairs of credentials were displayed. Do you generate these other bits, or display them as they are?

Litespeed Timeouts?

Hi there,

Firstly let me say, great tool, thanks for making it easy for providers to check and confirm patches are applied, etc. That said, we're running into timeouts on "patched" servers when using Litespeed HTTP Server (www.litespeedtech.com).

Really not sure what additional information I could provide here, as the only output is:

2014/04/08 18:09:38 thiswebhost.com:443 - ERROR: heartbleed: timeout

Is this an issue with your script detecting the response from Litespeed, or a Litespeed problem?

To confirm, we've updated OpenSSL and are running the latest Litespeed which has also been "patched" against this issue:

http://www.litespeedtech.com/support/forum/threads/openssl-cve-2014-0160.8490/

Typo on website

All good, banking.postbank.deseems not affected!

Missing a space.

broken pipe?

testing dashlane.com = write tcp 213.186.33.5:443: broken pipe

Check fails on sites that return HTTP 5xx codes

I tried testing a proxy server that terminates TLS/SSL but with all the backend HTTP servers down. With a regular user-agent when connecting with HTTPS you see an HTTP 502/gateway error page. When trying to test the proxy with the heartbleed checker, it handshakes TLS correctly with the proxy but returns this warning:

 Uh-oh, something went wrong: dial tcp x.x.x.x:443: i/o timeout 

Can this be used to test HTTP clients?

I'd love to be able to test my HTTP clients against this. It would be great if I can make a request to a URL here and have it return positive or negative based on whether this site was able to attack my client.

Make progress bar more visible

As the user clicks on Go or presses Enter, one would expect to see progress reported somewhere under the textbox.
Having it reported at the top of the page makes it almost invisible, and doesn't give enough feedback to the user, who will be tempted to click over and over again.

Thanks!

Thanks for creating this and hosting it online so fast. It's been really useful.

-service or -starttls

Some comments say the option is -starttls, but the script says

./Heartbleed -starttls imap 192.168.0.10:993

flag provided but not defined: -starttls
Usage of ./Heartbleed:
-service="https": Specify a service name to test (using STARTTLS if necessary).
Besides HTTPS, currently supported services are:
[ftp smtp pop3 imap]

Can't test hosts that require client certificate authentication.

According to heartbleed.com:

Does TLS client certificate authentication mitigate this?

No, heartbeat request can be sent and is replied to during the handshake phase of the protocol. This occurs prior to client certificate authentication.

However running this tool against a host requiring client certificate authentication results in:

rickette@rickette ~/W/Heartbleed> ./Heartbleed somehost:443
2014/04/08 12:06:18 somehost:443 - ERROR: remote error: handshake failure

It works fine if this host doesn't require client authentication.

negative serial number?

$ repos/heartbleed/bin/Heartbleed (a Cisco ASA)
2014/04/12 23:48:39 (my ASA) - ERROR: tls: failed to parse certificate from server: x509: negative serial number

Any idea what that is about? The browser deals with it. Chrome reports the serial as 2257982035. It is a self-signed cert generated by the device, so I can imagine it's wrong, but I'm surprised at that.

... Build errors

dev@dev:~/Desktop$ go get github.com/titanous/heartbleeder

github.com/titanous/heartbleeder/tls

../dev/Desktop/src/github.com/titanous/heartbleeder/tls/cipher_suites.go:66: undefined: cipher.AEAD
../dev/Desktop/src/github.com/titanous/heartbleeder/tls/cipher_suites.go:133: undefined: cipher.AEAD
../dev/Desktop/src/github.com/titanous/heartbleeder/tls/cipher_suites.go:146: not enough arguments to return
../dev/Desktop/src/github.com/titanous/heartbleeder/tls/cipher_suites.go:149: undefined: cipher.AEAD
../dev/Desktop/src/github.com/titanous/heartbleeder/tls/cipher_suites.go:154: undefined: cipher.NewGCM
../dev/Desktop/src/github.com/titanous/heartbleeder/tls/conn.go:256: undefined: cipher.AEAD
../dev/Desktop/src/github.com/titanous/heartbleeder/tls/conn.go:267: c.Overhead undefined (type interface {} has no field or method Overhead)
../dev/Desktop/src/github.com/titanous/heartbleeder/tls/conn.go:271: c.Open undefined (type interface {} has no field or method Open)
../dev/Desktop/src/github.com/titanous/heartbleeder/tls/conn.go:373: undefined: cipher.AEAD
../dev/Desktop/src/github.com/titanous/heartbleeder/tls/handshake_server.go:556: undefined: crypto.PublicKey
../dev/Desktop/src/github.com/titanous/heartbleeder/tls/conn.go:373: too many errors

URL hangs forever

If I use a URL instead of a host name (which is IMO the typical use case because you copy server names/URLs directly from the browser) the test is hanging forever. You should URL parse the user input for a host name.
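Added example, not the project's code and not part of the issue above: a sketch of the input normalization the issue asks for, accepting the README's two target forms (`example.com[:443]` and `service_name://example.com[:443]`) as well as a full URL pasted from a browser. The function name `NormalizeTarget` is hypothetical; the service list is the one printed in the tool's usage text on this page, and the rule that STARTTLS services need an explicit port follows the README.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// supported holds the service names from the usage text quoted on this page.
var supported = map[string]bool{"https": true, "ftp": true, "smtp": true, "pop3": true, "imap": true}

// NormalizeTarget (hypothetical helper) turns user input into the service
// name and host:port pair a checker would dial. Path, query and fragment of
// a pasted URL are dropped; only scheme, host and port are kept.
func NormalizeTarget(input string) (service, hostport string, err error) {
	raw := strings.TrimSpace(input)
	if !strings.Contains(raw, "://") {
		// Bare "example.com[:443]" form. Without a scheme, url.Parse would
		// read "example.com:8443" as scheme "example.com", so add one first.
		raw = "https://" + raw
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", "", err
	}
	service = u.Scheme // url.Parse lowercases the scheme
	if !supported[service] {
		return "", "", fmt.Errorf("unsupported service %q", service)
	}
	host, port := u.Hostname(), u.Port()
	if host == "" {
		return "", "", errors.New("no host name in input")
	}
	if port == "" {
		if service != "https" {
			// README: for STARTTLS services the correct port must be given.
			return "", "", fmt.Errorf("service %q needs an explicit port", service)
		}
		port = "443"
	}
	// JoinHostPort re-adds the brackets an IPv6 literal needs.
	return service, net.JoinHostPort(host, port), nil
}

func main() {
	// Constructed inputs using reserved example names.
	for _, in := range []string{
		"https://example.com/some/page?x=1#top",
		"example.com",
		"smtp://mail.example.com:587",
		"imap://mail.example.com",
	} {
		svc, hp, err := NormalizeTarget(in)
		fmt.Printf("%-40q service=%q target=%q err=%v\n", in, svc, hp, err)
	}
}
```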

Bulk list checker?

Any possibility we can get a text box which can parse line by line so it would be possible to check a batch? Not sure if that would be too much load. Thanks

test ssh?

If I use this to test ssh, it will return
Uh-oh, something went wrong: tls: first record does not look like a TLS handshake

TornadoServer causes a timeout.

If you try, it gives the error "Uh-oh, something went wrong: heartbleed: timeout".
The server appears to be running TornadoServer/3.1

Crash if argv is empty

% heartbleed
panic: runtime error: index out of range

goroutine 1 [running]:
runtime.panic(0x5c56c0, 0x816c57)
        /usr/lib/go/src/pkg/runtime/panic.c:266 +0xb6
main.main()
        .../heartbleed/src/src/github.com/FiloSottile/Heartbleed/bleed.go:10 +0x5b5

This needs a nicer error message :-)

timeouts on Heroku and ELB (AWS)?

seems like all the hosts I test on either Heroku and/or AWS ELB timeout always?

I know they have both been patched, but... wondering why they timeout?

False positives

Thanks for a very useful tool :D

However, we've had some issues using it whereby the website would produce false positives (ie, consider that a server was vulnerable when it wasn't) on servers the first time it was run, but not subsequently. This included servers running OpenSSL 0.9.8. Annoyingly, it's stopped happening now, but I couldn't see a commit where this issue was directly addressed, so I'm not sure if it's fixed itself (urgh) or if it's something fixed by the developer.

We've not seen this when running it on the command line.

Anyone else seen this? Anyone still seeing this?

Broken pipe output shows for a website which doesn't accept Heartbeat

Hi Filippo,

Your program gives following output for this website.

$$ > bin/Heartbleed myprint-online.com:443
2014/04/11 23:36:42 myprint-online.com:443 - ERROR: write tcp 70.91.223.11:443: broken pipe

Whereas when I send the heartbeat through openssl, it says the server cannot accept heartbeat connection.

$ openssl s_client -connect myprint-online.com:443

New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 29090000B3F468F2377A97B3837AA15E1EB19F581C67103CDA7C764190B9ECA1
Session-ID-ctx:
Master-Key: 1329CF7427D367D3D8A9DA107B0EB5696A7C635E4C2B7CE84E857BB74C72CFDB5FDC38591392F0B2E8A22455D282BD70
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1397259160
Timeout : 300 (sec)

Verify return code: 0 (ok)

B
HEARTBEATING
139922322958152:error:1413B16D:SSL routines:SSL_F_TLS1_HEARTBEAT:peer does not accept heartbearts:t1_lib.c:2574:

Help installing

Hi,

I was finally able to install Go on ubuntu but not having issues installing the package

root@ubuntu:/go/src/github.com/FiloSottile/Heartbleed# go get github.com/FiloSottile/Heartbleed
go: missing Git command. See http://golang.org/s/gogetcmd
package github.com/FiloSottile/Heartbleed: exec: "git": executable file not found in $PATH
root@ubuntu:/go/src/github.com/FiloSottile/Heartbleed# go install github.com/FiloSottile/Heartbleed
can't load package: package github.com/FiloSottile/Heartbleed: cannot find package "github.com/FiloSottile/Heartbleed" in any of:
/usr/lib/go/src/pkg/github.com/FiloSottile/Heartbleed (from $GOROOT)
/root/go/src/github.com/FiloSottile/Heartbleed/src/github.com/FiloSottile/Heartbleed (from $GOPATH)

Can anyone help? I am very new to the linux world and perhaps I am missing something. After googling some more I found out that I need to use the export command and I tried with heartbleed and it is failing; below is just an example

e.g. export GOPATH=~/golang/packages1/

Testing VPNs

Issues testing VPNs, getting these results from two different OpenVPN servers I run:

$ Heartbleed examplevpn.com:1194 - ERROR: dial tcp x.x.x.x:1194:connection refused
$ Heartbleed examplevpn2.com:1194 - ERROR: dial tcp x.x.x.x:1194: i/o timeout

Am I doing something wrong or do these use SSL differently to how https works?

Output all results to stdout

Please send all scan results of the command line tool to stdout. This makes processing mass scan results, i.e. with xargs, much simpler. The following example should only output VULNERABLE lines:

$ sudo zmap -p 443 -n 1000 -o- -q | xargs -n 1 docker run kasimon/heartbleed | grep VULNERABLE
Apr 09 15:42:24.601 [INFO] zmap: output module: csv
Apr 09 15:42:32.836 [INFO] zmap: completed
2014/04/09 13:42:33 - ERROR: tls: oversized record received with length 20291
2014/04/09 13:42:33 - ERROR: EOF
2014/04/09 13:42:37 ([]uint8) {
00000000 02 00 79 68 65 61 72 74 62 6c 65 65 64 2e 66 69 |..yheartbleed.fi|
00000010 6c 69 70 70 6f 2e 69 6f 59 45 4c 4c 4f 57 20 53 |lippo.ioYELLOW S|
00000020 55 42 4d 41 52 49 4e 45 d9 a0 da a3 ed 4f 60 e8 |UBMARINE.....O`.|
00000030 88 0a 89 3c f9 08 3a 8b 18 5e 11 5c 31 f6 ba fb |...<..:..^.\1...|
00000040 ed f9 bb 41 46 a5 3c 72 19 79 b1 61 12 59 5b c3 |...AF.<r.y.a.Y[.|
00000050 7b 8d c0 40 d5 d2 6e 06 a7 64 6a 0d e7 8a 26 b2 |{..@..n..dj...&.|
00000060 d6 3a 6f 4b 22 a1 b9 dc 5d ae 85 a8 04 31 22 06 |.:oK"...]....1".|
00000070 1f 71 28 44 dc ef 7a 92 9b 3d cb 7b 57 f9 16 de |.q(D..z..=.{W...|
00000080 29 78 7c 9f d0 d1 da 91 37 cf ef cb |)x|.....7...|
}

2014/04/09 13:42:37 - VULNERABLE

Thanks!

Howto?

For the completely GO-illiterate who just want to check their servers, could you give a hint how to compile or run the test script? I only get errors when trying to "go build", "go run" etc..

$ go run bleed.go
bleed.go:4:2: import "github.com/FiloSottile/Heartbleed/bleed": cannot find package

$ go build
bleed.go:4:2: import "github.com/FiloSottile/Heartbleed/bleed": cannot find package

$ go install
bleed.go:4:2: import "github.com/FiloSottile/Heartbleed/bleed": cannot find package

thanks!

False negatives ?

Some of the worst rated ones in SSL labs test (https://www.ssllabs.com/ssltest/), they seem to report some sites as affected whereas given an 'All good' by this. I repeated the checks several times after clearing cache in their test.
SSL labs says 'experimental' for heartbleed test so not sure how stable the test is.
