'Heartbleed' vulnerability and OpenSSL in Asuswrt-Merlin

[netware5]

I don't have Entware, Optware, or anything else other than the Merlin FW. Here's what a positive result looks like.

Very strange .... What service is listening on your router's WAN port 443?

 

[RocketJSquirrel]

Very strange .... What service is listening on your router's WAN port 443?

I don't know. I haven't customized any of my ports. Isn't that the standard HTTPS port?

I rebooted the router and got a happier result. Odd.

 

[netware5]

I don't know. I haven't customized any of my ports. Isn't that the standard HTTPS port?

I rebooted the router and got a happier result. Odd.

Yes, this is the standard HTTPS port, but your router's GUI default WAN port should be 8443. Did you checked the box "Enable Web access from WAN" under "Administration>System" menu? Or may be you have some device on your LAN that is listening on 443 and the port is forwarded under "WAN>Virtual Server/Port Forwarding" menu? Or your firewall is disabled?

 

[RMerlin]

See their FAQ. That test is unreliable. There are numerous reports of false positive, which would explain why in your case it reported different results before and after a reboot.

When I test it here, it simply gives me a connection timeout despite the fact port 443 is indeed open during the test.

 

[RMerlin]

Yes, this is the standard HTTPS port, but your router's GUI default WAN port should be 8443. Did you checked the box "Enable Web access from WAN" under "Administration>System" menu? Or may be you have some device on your LAN that is listening on 443 and the port is forwarded under "WAN>Virtual Server/Port Forwarding" menu? Or your firewall is disabled?

443 is used by AiCloud.

 

[netware5]

443 is used by AiCloud.

Oh yes as I am not using AiCloud I forgot about this possibility But in any case this should not happen as the router's OpenSSL library version is less than 1.0.1.

 

[RMerlin]

Oh yes as I am not using AiCloud I forgot about this possibility But in any case this should not happen as the router's OpenSSL library version is less than 1.0.1.

Exactly. Which is another reason why I believe that their test isn't working as expected, which would be in line with what is in their FAQ (numerous reports of false positive appearing).

 

[netware5]

Merlin, BTW today the OpenVPN team has released OpenVPN 2.3.3. Do you plan to incorporate it within the next version of your FW?

 

[RocketJSquirrel]

Yes, this is the standard HTTPS port, but your router's GUI default WAN port should be 8443. Did you checked the box "Enable Web access from WAN" under "Administration>System" menu? Or may be you have some device on your LAN that is listening on 443 and the port is forwarded under "WAN>Virtual Server/Port Forwarding" menu? Or your firewall is disabled?

443 is used by AiCloud.

None of the above on my N66U. It's almost as if some process started listening on 443 since the prior reboot. For future reference, what command would I run to see what's listening on a particular port?

 

[RMerlin]

None of the above on my N66U. It's almost as if some process started listening on 443 since the prior reboot. For future reference, what command would I run to see what's listening on a particular port?

The netstat applet provided by Busybox does not display that info. You would need to install the complete version of it through Optware or Entware to be able to tell it to report which process is listening to the listed ports.

It could also have been a port forward. Those would be visible under System Log.

 

[RMerlin]

Merlin, BTW today the OpenVPN team has released OpenVPN 2.3.3. Do you plan to incorporate it within the next version of your FW?

Doubtful. I will wait to ensure that this new release does not introduce new issues before updating.

 

[ojai00]

When I initially set up the OpenVPN client I had to use 2.2.2 because I was never able to get 2.3 to work. I just ran an "openssl version" command and it returned 1.0.0e so I believe this client is safe. Can anyone confirm? Thanks.

 

[netware5]

When I initially set up the OpenVPN client I had to use 2.2.2 because I was never able to get 2.3 to work. I just ran an "openssl version" command and it returned 1.0.0e so I believe this client is safe. Can anyone confirm? Thanks.

Which client? The router's client or the PC Windows client? On which command prompt you had ran the "openssl version" command?

 

[RogerSC]

There is an extension for Chrome called "Chromebleed" that I've been using. Not sure how accurate it is, but it seems to warn you if you're going to a site that is vulnerable...might be useful for testing one's VPN server from the outside?

Just a thought...