As I understand it, this is related to the TLS/DTLS extension in RFC 6520. If you don't use this extension, you can simply disable it at compile time (./config -DOPENSSL_NO_HEARTBEATS). Otherwise, please upgrade to version 1.0.1g or newer.

from http://heartbleed.com/
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable

Regards,
Jin

On Tue, Apr 8, 2014 at 7:57 PM, Leif Thuresson <[email protected]> wrote:
> Just want to check that I got it right about which applications are
> vulnerable.
> It is called "TLS heartbeat" but it looks like this part of the packet
> parsing code is common to
> both SSLv3 and TLS so although an application is using the
> SSLv3_server_method/SSLv3_client_method
> it is still vulnerable to the "TLS heartbeat attack" right?
>
> /Leif
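
Added example (not part of the original messages, and not OpenSSL project code): a small check that maps the output of `openssl version -a` onto the version list and the -DOPENSSL_NO_HEARTBEATS option quoted above. It assumes the build flags appear on the "compiler:" line, the sample output is constructed, and it only reads the upstream version banner, so a vendor build patched without a version bump is still reported as vulnerable.

```python
import re
import sys

# Constructed sample of `openssl version -a` output (not taken from a real host).
SAMPLE = """\
OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr  7 12:00:00 UTC 2014
platform: linux-x86_64
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -O3 -Wall
"""

# Upstream version banner: major.minor.fix plus optional patch letter.
# A vendor suffix such as "-fips" is ignored.
VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)", re.MULTILINE)


def heartbeats_compiled_out(version_output):
    """True if the build flags contain the define from the message above."""
    return any(
        line.startswith("compiler:") and "-DOPENSSL_NO_HEARTBEATS" in line.split()
        for line in version_output.splitlines()
    )


def classify(version_output):
    """Map `openssl version -a` text onto the heartbleed.com list quoted above."""
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown"
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)
    if branch in ((0, 9, 8), (1, 0, 0)):
        return "not vulnerable"
    if branch != (1, 0, 1):
        return "unknown"  # branch not covered by the quoted list
    if heartbeats_compiled_out(version_output):
        return "not vulnerable (heartbeats compiled out)"
    # 1.0.1 (no letter) through 1.0.1f inclusive are affected; 1.0.1g and later are not.
    return "vulnerable" if letter <= "f" else "not vulnerable"


if __name__ == "__main__":
    # Usage: openssl version -a | python3 this_script.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(classify(text))
```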
