OpenSSL leaks server-Keys / The Heartbleed Bug

Maxim Dounin mdounin at
Tue Apr 15 11:43:19 UTC 2014


On Mon, Apr 14, 2014 at 03:03:54PM -0400, itpp2012 wrote:

> Fyi. if you are running a ssl tunnel like stunnel with openssl 0.9.x, this
> attack is logged as "SSL3_GET_RECORD:wrong version number" as opposed to no
> nginx/openssl logging.
> If you have logging going back 2 years and you are seeing these log entries
> now, you may be able to detect attacks from before 7-4-2014.
> Here we have many stunnels with openssl 0.9.x and found the first attacks
> at: 2014.04.08 22:19:14 (CET) in more then 2 years of logging.

I suspect that this is just a particular script to exploit the 
vulnerability, which doesn't care much about being correct and 
is seen this way due to incorrect handshake.  Proper exploitation 
shouldn't be detectable this way.

And yes, it's seen on more or less any 0.9.x OpenSSL 
installation, including nginx:

2014/04/15 04:02:57 [info] 48738#0: *2785200 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number) while SSL handshaking, client:, server:

Maxim Dounin

More information about the nginx mailing list