On Tue, 5 Dec 2017 19:14:41 +0000 (UTC)
Jitendra Lulla via openssl-dev <openssl-dev@openssl.org> wrote:

> Could the solution be a restricted count of HB requests along with a
> timer? 

No, the solution is to disable TLS heartbeats.
I actually wanted to bring this up when I recently noticed that OpenSSL
still enables the heartbeat extension by default in every clienthello
it sends.

In the whole Heartbleed aftermath nobody was ever able to tell me where
TLS Heartbeats are used. It's a feature in order to have a feature.

Hanno Böck

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Reply via email to