Was my AWS ELB SSL connection vulnerable to HeartBleed

Question

I have an Elastic Load Balancer on AWS that does NOT terminate the SSL connection on the Load Balancer. Was my connection vulnerable to the HeartBleed bug before Amazon patched the ELB service?

My understanding is that only connections that terminated the SSL on the Load Balancer were affected. Can anyone confirm this?

This question appears to be off-topic because it is about software versions, administration and patching. Server Fault has quite a few questions on the topic: http://serverfault.com/questions/tagged/heartbleed. — jww, Apr 09 '14 at 19:05
I would agree. I can't find an easy way to move it though. It should probably have been on serverfault or security.stackexchange.com — Shaun Bowe, Apr 09 '14 at 19:18
Shaun - don't worry about it. Its part of the normal process on Stack Overflow. — jww, Apr 09 '14 at 19:22

score 1 · Accepted Answer · answered Apr 09 '14 at 16:37

1

Did you instead terminate SSL on your own instances? If so then you need to look at the version of OpenSSL on those systems as they might be vulnerable to heartbleed.

answered Apr 09 '14 at 16:37

Ben Whaley

32,811
7
87
85

We terminated the connection on IIS so OpenSSL was not involved past the Load Balancer. – Shaun Bowe Apr 09 '14 at 17:06
Ok, yes in that case you are not vulnerable. – Ben Whaley Apr 09 '14 at 17:55

Was my AWS ELB SSL connection vulnerable to HeartBleed

1 Answers1