Linux Binary & Heartbeat Security Issue

[aspe...@gmail.com]

Hello Mongoose!

I am a Mongoose Linux user user.

First off I noticed your new downloads page doesn't have any linux builds. Is there plains to add this?

I got Mongoose off of this page:

https://code.google.com/p/mongoose/downloads/detail?name=mongoose-lua-sqlite-ssl-static-x86_64-5.1&can=2&q=

It says it includes ssl, and in the source it seems you statically link the binary with openssl (https://github.com/cesanta/mongoose/blob/master/mongoose.c#L133)

What version of openssl is included? Has it been patched for heartbleed? http://heartbleed.com/

Best wishes!

[Sergey Lyubka]

CC: in...@wolfssl.com

Hi,

Recent versions of Mongoose binary (since 5.3, as per http://cesanta.com/docs/ReleaseNotes.shtml) do not have built-in SSL support. Earlier versions do. However OpenSSL was never used by released Mongoose binaries, it has always been WolfSSL (http://wolfssl.com). 

WolfSSL is great and provides industry-grade SSL implementation. WolfSSL has OpenSSL compatibility layer meaning that source code that targets OpenSSL can be built with WolfSSL.

WolfSSL is not vulnerable to HeartBleed, as per http://www.yassl.com/forums/topic538-wolfssl-and-cyassl-users-safe-from-heartbleed-bug.html

So Mongoose users that are using earlier binary releases are safe.

Sergey.

--
You received this message because you are subscribed to the Google Groups "mongoose-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mongoose-user...@googlegroups.com.
To post to this group, send email to mongoos...@googlegroups.com.
Visit this group at http://groups.google.com/group/mongoose-users.
For more options, visit https://groups.google.com/d/optout.