What's new

'Heartbleed' vulnerability and OpenSSL in Asuswrt-Merlin

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I don't have Entware, Optware, or anything else other than the Merlin FW. Here's what a positive result looks like.

Very strange .... What service is listening on your router's WAN port 443?
 
Very strange .... What service is listening on your router's WAN port 443?

I don't know. I haven't customized any of my ports. Isn't that the standard HTTPS port?

I rebooted the router and got a happier result. Odd.
 

Attachments

  • heartbleed2.jpg
    heartbleed2.jpg
    24.5 KB · Views: 486
I don't know. I haven't customized any of my ports. Isn't that the standard HTTPS port?

I rebooted the router and got a happier result. Odd.

Yes, this is the standard HTTPS port, but your router's GUI default WAN port should be 8443. Did you checked the box "Enable Web access from WAN" under "Administration>System" menu? Or may be you have some device on your LAN that is listening on 443 and the port is forwarded under "WAN>Virtual Server/Port Forwarding" menu? Or your firewall is disabled?
 
See their FAQ. That test is unreliable. There are numerous reports of false positive, which would explain why in your case it reported different results before and after a reboot.

When I test it here, it simply gives me a connection timeout despite the fact port 443 is indeed open during the test.
 
Yes, this is the standard HTTPS port, but your router's GUI default WAN port should be 8443. Did you checked the box "Enable Web access from WAN" under "Administration>System" menu? Or may be you have some device on your LAN that is listening on 443 and the port is forwarded under "WAN>Virtual Server/Port Forwarding" menu? Or your firewall is disabled?

443 is used by AiCloud.
 
443 is used by AiCloud.

Oh yes :) as I am not using AiCloud I forgot about this possibility :) But in any case this should not happen as the router's OpenSSL library version is less than 1.0.1. :confused:
 
Oh yes :) as I am not using AiCloud I forgot about this possibility :) But in any case this should not happen as the router's OpenSSL library version is less than 1.0.1. :confused:

Exactly. Which is another reason why I believe that their test isn't working as expected, which would be in line with what is in their FAQ (numerous reports of false positive appearing).
 
Merlin, BTW today the OpenVPN team has released OpenVPN 2.3.3. Do you plan to incorporate it within the next version of your FW?
 
Yes, this is the standard HTTPS port, but your router's GUI default WAN port should be 8443. Did you checked the box "Enable Web access from WAN" under "Administration>System" menu? Or may be you have some device on your LAN that is listening on 443 and the port is forwarded under "WAN>Virtual Server/Port Forwarding" menu? Or your firewall is disabled?

443 is used by AiCloud.

None of the above on my N66U. It's almost as if some process started listening on 443 since the prior reboot. For future reference, what command would I run to see what's listening on a particular port?
 
None of the above on my N66U. It's almost as if some process started listening on 443 since the prior reboot. For future reference, what command would I run to see what's listening on a particular port?

The netstat applet provided by Busybox does not display that info. You would need to install the complete version of it through Optware or Entware to be able to tell it to report which process is listening to the listed ports.

It could also have been a port forward. Those would be visible under System Log.
 
Merlin, BTW today the OpenVPN team has released OpenVPN 2.3.3. Do you plan to incorporate it within the next version of your FW?

Doubtful. I will wait to ensure that this new release does not introduce new issues before updating.
 
When I initially set up the OpenVPN client I had to use 2.2.2 because I was never able to get 2.3 to work. I just ran an "openssl version" command and it returned 1.0.0e so I believe this client is safe. Can anyone confirm? Thanks.
 
When I initially set up the OpenVPN client I had to use 2.2.2 because I was never able to get 2.3 to work. I just ran an "openssl version" command and it returned 1.0.0e so I believe this client is safe. Can anyone confirm? Thanks.

Which client? The router's client or the PC Windows client? On which command prompt you had ran the "openssl version" command?
 
There is an extension for Chrome called "Chromebleed" that I've been using. Not sure how accurate it is, but it seems to warn you if you're going to a site that is vulnerable...might be useful for testing one's VPN server from the outside?

Just a thought...
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top