HAProxy, what else ????

Baptiste
On Fri, Apr 25, 2014 at 8:15 PM, Willy Tarreau <[email protected]> wrote:
> Just a quick note to let you know that Emeric and I have found how
> to detect heartbeats and the heartbleed attack at the application
> layer and how to block it regardless of the OpenSSL version. So we
> have added two new error messages for the logs depending on what
> type of handshake failure happens:
>
> "SSL handshake failure after heartbeat"
> "Stopped a TLSv1 heartbeat attack (CVE-2014-0160)"
>
> The first one indicates that a heartbeat was present in the request.
> While there is nothing dangerous there, it may indicate someone
> trying to elaborate an attack or just a bot checking for support or
> not. The second one is emitted if the attack is detected (and blocked).
>
> Just for a test, I have re-enabled the vulnerable 1.0.1c on demo.1wt.eu
> and can confirm that no single byte of memory is leaked, because we kill
> the connection before OpenSSL responds.
>
> This is in the latest git. I intend to issue dev24 this evening once I
> get the confirmation that the SSL DH changes are responsible for the
> performance regression that Sander experienced.
>
> In the meantime, any tests are welcome, as usual.
>
> Cheers,
> Willy
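Added example, not code from this thread or from the HAProxy project: a small log scanner that picks out the two messages Willy describes above and counts them per client address, separating harmless "heartbeat seen" probes from blocked attacks. The exact log line layout (syslog prefix followed by HAProxy's "<client>:<port> [<date>] <frontend>/<bind>: <message>" form) is an assumption, so only the message text itself is matched and the client address is located by the bracketed timestamp that follows it; the sample lines are constructed.

```python
"""Scan HAProxy logs for the two heartbeat-related handshake messages.

Added example (not from the HAProxy project or the mailing-list thread).
The log lines below are constructed to resemble HAProxy's SSL handshake
error format ("<client>:<port> [<date>] <frontend>/<bind>: <message>");
that layout is an assumption, so only the message text itself is matched.
"""
import re
from collections import Counter

# The two messages quoted from Willy's mail.
HEARTBEAT_SEEN = "SSL handshake failure after heartbeat"
HEARTBLEED_BLOCKED = "Stopped a TLSv1 heartbeat attack (CVE-2014-0160)"

# Constructed sample lines (syslog prefix + HAProxy payload). Addresses are
# taken from the documentation range 192.0.2.0/24.
SAMPLE_LOG = """\
Apr 25 20:15:01 lb1 haproxy[2211]: 192.0.2.10:51234 [25/Apr/2014:20:15:01.120] ft_https/1: SSL handshake failure
Apr 25 20:15:02 lb1 haproxy[2211]: 192.0.2.20:40102 [25/Apr/2014:20:15:02.007] ft_https/1: SSL handshake failure after heartbeat
Apr 25 20:15:03 lb1 haproxy[2211]: 192.0.2.20:40103 [25/Apr/2014:20:15:03.311] ft_https/1: Stopped a TLSv1 heartbeat attack (CVE-2014-0160)
Apr 25 20:15:04 lb1 haproxy[2211]: 192.0.2.20:40104 [25/Apr/2014:20:15:04.554] ft_https/1: Stopped a TLSv1 heartbeat attack (CVE-2014-0160)
Apr 25 20:15:05 lb1 haproxy[2211]: 192.0.2.30:33001 [25/Apr/2014:20:15:05.900] ft_https/1: SSL handshake failure after heartbeat
"""

# The client address precedes the bracketed timestamp; anchoring on that
# keeps the scanner independent of the syslog prefix layout.
CLIENT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+ \[")


def classify(line):
    """Return 'probe', 'attack' or None for one log line.

    'probe'  : a heartbeat was present but nothing dangerous happened.
    'attack' : HAProxy detected and blocked a heartbleed attempt.
    Plain "SSL handshake failure" lines are neither and yield None.
    """
    if HEARTBLEED_BLOCKED in line:
        return "attack"
    if HEARTBEAT_SEEN in line:
        return "probe"
    return None


def summarize(log_text):
    """Count probe/attack events per client IP.

    Returns {ip: {"probe": n, "attack": m}} for clients that produced at
    least one of the two messages; other handshake failures are ignored.
    """
    per_client = {}
    for line in log_text.splitlines():
        kind = classify(line)
        if kind is None:
            continue
        m = CLIENT_RE.search(line)
        ip = m.group(1) if m else "unknown"
        per_client.setdefault(ip, Counter())[kind] += 1
    return {ip: dict(c) for ip, c in per_client.items()}


def attackers(summary):
    """Client IPs with at least one blocked attack, most active first."""
    hits = [(ip, c["attack"]) for ip, c in summary.items() if c.get("attack")]
    return [ip for ip, _ in sorted(hits, key=lambda t: -t[1])]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip, counts in sorted(s.items()):
        print(ip, counts)
    print("blocked attacks from:", attackers(s))
```

Run against a real log by replacing SAMPLE_LOG with the file contents; a client that only ever produces the "after heartbeat" message is worth a look but, as Willy notes, is not itself evidence of an attack, while any "Stopped a TLSv1 heartbeat attack" line is a blocked attempt.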

