The Un-Official Proxomitron Forum
Heartbleed? - Printable Version




Heartbleed? - talker - Jun. 04, 2014 05:18 PM

Hello,

I see that Proxomitron uses OpenSSL; isn't it vulnerable to Heartbleed?


RE: Heartbleed? - JJoe - Jun. 04, 2014 09:53 PM

Welcome,

(Jun. 04, 2014 05:18 PM)talker Wrote:  Hello,

I see that Proxomitron uses OpenSSL; isn't it vulnerable to Heartbleed?

No. The Proxomitron uses an old version of OpenSSL.

From your posted link:

Wikipedia Wrote: The affected versions of OpenSSL are OpenSSL 1.0.1 through 1.0.1f (inclusive).

You should always be aware and cautious, however.

HTH
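The version-range reasoning in the reply above, as an added example that is not part of the original thread: it parses an `openssl version`-style banner and checks it against the range quoted from Wikipedia (1.0.1 through 1.0.1f inclusive). The function names and the sample banners are assumptions made for the illustration.

```python
import re

# Affected range as quoted in the thread: OpenSSL 1.0.1 through 1.0.1f (inclusive).
AFFECTED_LOW = (1, 0, 1, "")
AFFECTED_HIGH = (1, 0, 1, "f")

# Numeric part, optional patch letter(s) (e.g. "f", "zh"), optional "-tag".
_VERSION_RE = re.compile(
    r"(?<![\d.])(\d+)\.(\d+)\.(\d+)([a-z]{0,2})(?:-(\w+))?(?![\w.])"
)


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter), or None if the banner is not understood."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, fix, letter, tag = m.groups()
    # "-fips" builds keep the base version; other tags (pre-releases such as
    # "-beta1") are outside the range quoted in the thread, so report "unknown".
    if tag not in (None, "fips"):
        return None
    # Patch letters sort as plain strings: "" < "a" < ... < "z" < "za".
    return (int(major), int(minor), int(fix), letter)


def in_heartbleed_range(banner):
    """True/False for a parsed version, None when the version is unknown."""
    version = parse_openssl_version(banner)
    if version is None:
        return None
    return AFFECTED_LOW <= version <= AFFECTED_HIGH


if __name__ == "__main__":
    # Constructed sample banners in the format printed by `openssl version`.
    samples = [
        "OpenSSL 0.9.8y 5 Feb 2013",
        "OpenSSL 1.0.1 14 Mar 2012",
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
        "OpenSSL 1.0.1f 6 Jan 2014",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.1-beta1",
    ]
    for banner in samples:
        print(f"{banner!r}: in affected range = {in_heartbleed_range(banner)}")
```

A banner only reflects the upstream release number; distribution packages can carry backported fixes under an unchanged version string, so treat a `True` result as a prompt to check the package changelog rather than as proof.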


RE: Heartbleed? - talker - Jun. 05, 2014 04:01 PM

Right, I forgot that the old versions of OpenSSL are unaffected.

But, maybe I'll try ProxHTTPSProxy instead?


RE: Heartbleed? - JJoe - Jun. 06, 2014 02:33 AM

(Jun. 05, 2014 04:01 PM)talker Wrote:  But, maybe I'll try ProxHTTPSProxy instead?

ProxHTTPSProxy's intended purpose is to hide the Proxomitron's HTTPS filtering. ProxHTTPSProxy is used with another proxy, not instead of it.

ProxHTTPSProxy0.4b does not validate the SSL connection.

ProxHTTPSProxy0.6a can validate the connection using current OpenSSL routines that are supposed to be "heartbleed" free.

HTH


RE: Heartbleed? - talker - Jun. 06, 2014 08:17 PM

I didn't mean "use ProxHTTPSProxy instead of Proxomitron"; I meant "install ProxHTTPSProxy instead of installing the SSL files of sidki."

Regards.


RE: Heartbleed? - JJoe - Jun. 07, 2014 04:33 AM

(Jun. 06, 2014 08:17 PM)talker Wrote:  I meant "install ProxHTTPSProxy instead of installing the SSL files of sidki."

ATM, I think it depends on you and your needs.

The Proxomitron's SSL routine's alerts, due to its inability to understand current SSL options, and the browser's alerts about the Proxomitron will probably cause you to disable the alerts from both. The routine's encryption is dated.

However, ProxHTTPSProxy does not yet provide for or allow all of the Proxomitron's features. It complicates things and may make them harder to understand, but its SSL routine is current.

You could use both.