>  Tue Apr 08 2014 07:44:00 PM CDTfrom "Mike Miller" <mbmiller+l at gmail.com>
>Subject: Re: [tclug-list] Heartbleed
>
>  On Tue, 8 Apr 2014, Chris Frederick wrote:I found this info:
>https://forum.pfsense.org/index.php?topic=74902.msg408806#ms408806
>
>  

  I have a Python script (found elsewhere) that you can use to test your
pfsense install.  I have used it against pfsense firewalls and obtained both
the login user name and password in the payload in a pfsense 2.1 firewall
(not tested against a pfsense 2.1.1 fw, but they are working on a patch).

  It was out there for hours, I am sure I am not the only one to wander by
and grab a copy

   http://s3.jspenguin.org/ssltest.py

  It is blocked presently, but I did get a copy and it does deliver.  Do
patch now as the 64 Kb memory exploit does work (and on a limited memory
system like a pfsense appliance firewall, it seems to work quite well).

  pfsense firewalls are great, and I use them, but you need to disable the
https access to the login (NOW), and any non patched Openssl based service
you have running.  Think of ssl wrapper-ed services like pop3, imap,
http(s), or vpn's that link to openssl.

  Good luck citizens! 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.mn-linux.org/pipermail/tclug-list/attachments/20140408/5160d7f7/attachment-0001.html>