# Gavin Andresen
# 2014-04-10 21:37:21
# https://bitcointalk.org/index.php?topic=563048.msg6163077#msg6163077

(link) is a little SSL server to test SSL clients for heartbleed vulnerability.

I installed Bitcoin Core version 0.9.0 on my Mac (compiled against the vulnerable openssl 1.0.1f), created a web page to launch a payment request fetch from pacemaker...

... and I get good news:

Code:
Connection from: 127.0.0.1:62937
Possibly not vulnerable

Step-by-step so you can help test on other OSes:


1. git clone (link)
2. cd pacemaker
3. python pacemaker.py
4. Run Bitcoin Core GUI version 0.9.0
5. In your browser, visit (link)~gavin/heartbleed.html

pacemaker.py should report a connection, and then either say "Client returned blah bytes" or "Possibly not vulnerable"

It looks to me like pacemaker.py IS working; visiting (link) in Chrome, pacemaker tells me:

Code:
Connection from: 127.0.0.1:62514
Client returned 7 (0x7) bytes
0000: 15 03 03 00 02 02 2f                             ....../

This isn't a definitive "no need to worry even if you HAVE clicked on payment-protocol-enabled bitcoin: links at an untrustworthy website" ... but given the evidence I've seen, it seems to me extremely unlikely anybody's private keys have been compromised.
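
Added example, not part of the original post or of pacemaker: a small decoder for the 7 bytes quoted above, which shows that Chrome's reply is a TLS alert record rather than heartbeat data. The function names and the `sent_payload_len` parameter are hypothetical, and the code assumes the reply record is plaintext.

```python
import re
import struct

# TLS record content types (RFC 5246), plus heartbeat (RFC 6520).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data", 24: "heartbeat"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the RFC 5246 alert descriptions; others are reported by number.
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      40: "handshake_failure", 47: "illegal_parameter",
                      50: "decode_error", 80: "internal_error"}
# The dump line quoted in the post (Chrome's reply to pacemaker).
SAMPLE = "0000: 15 03 03 00 02 02 2f                             ....../"
HEX_COLUMN = re.compile(r"\s*[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{2} ?){1,16})")


def parse_hexdump(text):
    """Collect the hex column of 'offset: bytes  ascii' lines into bytes."""
    out = b""
    for line in text.splitlines():
        match = HEX_COLUMN.match(line)
        if match:
            out += bytes.fromhex(match.group(1))
    return out


def classify(data, sent_payload_len=0):
    """Decode the first TLS record of a reply to a heartbeat probe."""
    # sent_payload_len (assumption): payload bytes the tester really sent.
    if len(data) < 5:
        return {"verdict": "truncated"}
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    info = {"type": CONTENT_TYPES.get(ctype, ctype), "version": hex(version),
            "length": length, "verdict": "other record"}
    if len(body) < length:
        info["verdict"] = "truncated"
    elif ctype == 21 and length == 2:
        info["alert"] = (ALERT_LEVELS.get(body[0], body[0]),
                         ALERT_DESCRIPTIONS.get(body[1], body[1]))
        info["verdict"] = "alert only, no heartbeat payload returned"
    elif ctype == 24 and length >= 3:
        hb_type, echoed = struct.unpack("!BH", body[:3])
        # A response (type 2) echoing more than was sent is an over-read.
        over = hb_type == 2 and echoed > sent_payload_len
        info["verdict"] = "over-read" if over else "normal echo"
    return info
```

`classify(parse_hexdump(SAMPLE))` reports a TLS 1.2 (`0x303`) alert record, level fatal, description illegal_parameter.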