> Tue Apr 08 2014 07:44:00 PM CDTfrom "Mike Miller" <mbmiller+l at gmail.com> >Subject: Re: [tclug-list] Heartbleed > > On Tue, 8 Apr 2014, Chris Frederick wrote:I found this info: >https://forum.pfsense.org/index.php?topic=74902.msg408806#ms408806 > > I have a Python script (found elsewhere) that you can use to test your pfsense install. I have used it against pfsense firewalls and obtained both the login user name and password in the payload in a pfsense 2.1 firewall (not tested against a pfsense 2.1.1 fw, but they are working on a patch). It was out there for hours, I am sure I am not the only one to wander by and grab a copy http://s3.jspenguin.org/ssltest.py It is blocked presently, but I did get a copy and it does deliver. Do patch now as the 64 Kb memory exploit does work (and on a limited memory system like a pfsense appliance firewall, it seems to work quite well). pfsense firewalls are great, and I use them, but you need to disable the https access to the login (NOW), and any non patched Openssl based service you have running. Think of ssl wrapper-ed services like pop3, imap, http(s), or vpn's that link to openssl. Good luck citizens! -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mailman.mn-linux.org/pipermail/tclug-list/attachments/20140408/5160d7f7/attachment-0001.html>