Just a quick note to let you know that Emeric and I have found how
to detect heartbeats and the heartbleed attack at the application
layer and how to block it regardless of the OpenSSL version. So we
have added two new error messages for the logs depending on what
type of handshake failure happens:

   "SSL handshake failure after heartbeat"
   "Stopped a TLSv1 heartbeat attack (CVE-2014-0160)"

The first one indicates that a heartbeat was present in the request.
While there is nothing dangerous there, it may indicate someone
trying to elaborate an attack or just a bot checking for support or
not. The second one is emitted if the attack is detected (and blocked).

Just for a test, I have re-enabled the vulnerable 1.0.1c on demo.1wt.eu
and can confirm that no single byte of memory is leaked, because we kill
the connection before OpenSSL responds.

This is in the latest git. I intend to issue dev24 this evening once I
get the confirmation that the SSL DH changes are responsible for the
performance regression that Sander experienced.

In the meantime, any tests are welcome, as usual.

Cheers,
Willy
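
A sketch of the kind of length check that separates the two cases described in the message above, added here as an example; it is not HAProxy's code and not part of the original message. It assumes a cleartext TLS record and applies the RFC 6520 rule that the claimed payload length plus the 3-byte header and 16 bytes of padding must fit inside the record; `classify_record`, the verdict names and the sample arrays are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS_RT_HEARTBEAT 24  /* TLS record content type (RFC 6520) */
#define TLS_REC_HDR_LEN   5  /* type (1) + version (2) + length (2) */
#define HB_HEADER_LEN     3  /* message type (1) + payload_length (2) */
#define HB_MIN_PADDING   16  /* minimum padding required by RFC 6520 */

enum hb_verdict { HB_TRUNCATED = -1, HB_NONE = 0, HB_PRESENT = 1, HB_BAD_LENGTH = 2 };

/* Constructed samples: a well-formed heartbeat (4-byte payload, zero padding),
 * a heartbeat claiming 1024 payload bytes in a 5-byte fragment, and a
 * non-heartbeat record. */
static const uint8_t sample_ok[28]  = { 24, 3, 1, 0, 23, 1, 0, 4, 'p', 'i', 'n', 'g' };
static const uint8_t sample_bad[10] = { 24, 3, 1, 0, 5, 1, 0x04, 0x00, 'h', 'i' };
static const uint8_t sample_hs[6]   = { 22, 3, 1, 0, 1, 0 };

/* Classify one cleartext TLS record held in rec[0..len). */
enum hb_verdict classify_record(const uint8_t *rec, size_t len)
{
    if (len < TLS_REC_HDR_LEN)
        return HB_TRUNCATED;
    if (rec[0] != TLS_RT_HEARTBEAT)
        return HB_NONE;

    size_t frag_len = ((size_t)rec[3] << 8) | rec[4];
    if (len - TLS_REC_HDR_LEN < frag_len)
        return HB_TRUNCATED;          /* whole record not buffered yet */
    if (frag_len < HB_HEADER_LEN)
        return HB_BAD_LENGTH;         /* cannot even hold the heartbeat header */

    const uint8_t *hb = rec + TLS_REC_HDR_LEN;
    size_t claimed = ((size_t)hb[1] << 8) | hb[2];

    /* The claimed payload must fit in the bytes actually received. */
    if (HB_HEADER_LEN + claimed + HB_MIN_PADDING > frag_len)
        return HB_BAD_LENGTH;
    return HB_PRESENT;
}

int main(void)
{
    printf("ok=%d bad=%d handshake=%d\n",
           classify_record(sample_ok, sizeof sample_ok),
           classify_record(sample_bad, sizeof sample_bad),
           classify_record(sample_hs, sizeof sample_hs));
    return 0;
}
```

Once the connection has switched to encrypted records the heartbeat fields are no longer readable on the wire, so a check like this only applies to records seen before that point or after decryption.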

