# Gavin Andresen # 2014-04-10 21:37:21 # https://bitcointalk.org/index.php?topic=563048.msg6163077#msg6163077

(link) is a little SSL server to test SSL clients for heartbleed vulnerability.

I installed Bitcoin Core version 0.9.0 on my Mac (compiled against the vulnerable openssl 1.0.1f), created a web page to launch a payment request fetch from pacemaker...

... and I get good news:

Code:
    Connection from: 127.0.0.1:62937
    Possibly not vulnerable

Step-by-step so you can help test on other OS'es:

- git clone (link)
- cd pacemaker
- python pacemaker.py
- Run Bitcoin Core GUI version 0.9.0
- In your browser, visit (link)~gavin/heartbleed.html

pacemaker.py should report a connection, and then either say "Client returned blah bytes" or "Possibly not vulnerable"

It looks to me like pacemaker.py IS working; visiting (link) in Chrome pacemaker tells me:

Code:
    Connection from: 127.0.0.1:62514
    Client returned 7 (0x7) bytes
    0000: 15 03 03 00 02 02 2f ....../

This isn't a definitive "no need to worry even if you HAVE clicked on payment-protocol-enabled bitcoin: links at an untrustworthy website" ... but given the evidence I've seen, it seems to me extremely unlikely anybody's private keys have been compromised.
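
For readers interpreting tester output like the hex dump quoted in the post, the following added example (not part of the original post and not pacemaker's code) decodes the bytes a client sent back as TLS records and separates an alert from an over-long heartbeat response. The function names and the second sample are constructed for illustration, and the records are assumed to be unencrypted.

```python
import struct

ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the alert descriptions defined for TLS 1.2 (RFC 5246).
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      40: "handshake_failure", 47: "illegal_parameter",
                      50: "decode_error", 80: "internal_error"}

def parse_records(data):
    """Split plaintext bytes into TLS records: (content_type, version, body)."""
    records, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, offset)
        body = data[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        records.append((ctype, (major, minor), body))
        offset += 5 + length
    return records

def classify(data, sent_payload_len):
    """Describe each record; sent_payload_len = payload bytes really sent."""
    findings = []
    for ctype, _version, body in parse_records(data):
        if ctype == 21 and len(body) == 2:  # alert: level, description
            level = ALERT_LEVELS.get(body[0], "unknown")
            desc = ALERT_DESCRIPTIONS.get(body[1], "alert_%d" % body[1])
            findings.append("alert: %s %s" % (level, desc))
        elif ctype == 24 and len(body) >= 3 and body[0] == 2:  # heartbeat_response
            echoed = struct.unpack_from("!H", body, 1)[0]
            if echoed > sent_payload_len:
                findings.append("heartbeat response echoes %d bytes, %d sent: "
                                "memory disclosed" % (echoed, sent_payload_len))
            else:
                findings.append("heartbeat response: well-formed echo")
        else:
            findings.append("other record, content type %d" % ctype)
    return findings

# The seven bytes from the Chrome run quoted in the post.
CHROME_REPLY = bytes.fromhex("1503030002022f")
# Constructed sample: a response echoing 16 payload bytes plus 16 padding bytes.
LEAKY_REPLY = bytes.fromhex("1803030023" "020010") + b"A" * 16 + b"\x00" * 16

if __name__ == "__main__":
    print(classify(CHROME_REPLY, sent_payload_len=0))
    print(classify(LEAKY_REPLY, sent_payload_len=0))
```

Run against the seven bytes from the post, it reports a single fatal `illegal_parameter` alert record with version bytes 03 03 (TLS 1.2).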