On Thu, Apr 10, 2014 at 03:55:47PM -0700, walt wrote: > On 04/09/2014 05:06 PM, Joseph wrote: > > Is gentoo effected by this new 'Heartbleed' bug? > > > > "The Heartbleed Bug is a serious vulnerability in the popular OpenSSL > > cryptographic software library...." > > > > http://heartbleed.com/ > > This topic was discussed in my favorite podcast, http://twit.tv/sn > > Steve Gibson explained that the heartbeat feature was introduced in openssl to > allow *UDP* connections to mimic the 'keepalive' function of the TCP protocol. > > IIRC Steve didn't explain how UDP bugs can compromise TCP connections. > > Anyone here really understand the underlying principles? If so, please > explain! > > Thanks.
Yes, but no, actually. It's main use is in DTLS, over UDP and similar protocols, however it is also supported in TLS (over TCP). From the RFC [0]: DTLS is designed to secure traffic running on top of unreliable transport protocols. Usually, such protocols have no session management. The only mechanism available at the DTLS layer to figure out if a peer is still alive is a costly renegotiation, particularly when the application uses unidirectional traffic[...] TLS is based on reliable protocols, but there is not necessarily a feature available to keep the connection alive without continuous data transfer. The Heartbeat Extension as described in this document overcomes these limitations. So the heartbeat in [D]TLS, as implemented in OpenSSL, is standard-compliant. It's more useful in datagram communication (i.e. UDP, connectionless) but it is available for connection-oriented protocols (i.e. TCP), as well. It was the TLS heartbeat-implementation that suffered from this vulnerability. You can see the patch-fix here[1], if you're interested. [0] https://tools.ietf.org/html/rfc6520 [1] https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3
