What if I have an application that is linked with an openssl-1.0.1f library compiled without using the -DOPENSSL_NO_HEARTBEATS symbol, but the application uses SSLv3_server_method() when setting up the SSL context. Is the application still vulnerable although it doesn't use TLS?
/Leif
On 2014-04-09 11.06, Jin Jiang wrote:
As I understood, it's related to the TLS/DTLS extension in RFC 6520; if you don't use this extension, you can simply disable it at compile time (./config -DOPENSSL_NO_HEARTBEATS). Otherwise, please upgrade to version 1.0.1g or newer.
From http://heartbleed.com/:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
Regards,
Jin
On Tue, Apr 8, 2014 at 7:57 PM, Leif Thuresson <[email protected]> wrote:
Just want to check that I got it right about which applications are vulnerable.
It is called "TLS heartbeat", but it looks like this part of the packet-parsing code is common to both SSLv3 and TLS, so although an application is using SSLv3_server_method/SSLv3_client_method it is still vulnerable to the "TLS heartbeat attack", right?
/Leif
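The two facts the thread relies on, the affected version range (1.0.1 through 1.0.1f) and the -DOPENSSL_NO_HEARTBEATS build flag, are what an administrator checks when auditing a deployment. The program below is an added example, not code from the thread or from the OpenSSL project: it encodes a version string such as "OpenSSL 1.0.1f 6 Jan 2014" into OpenSSL's own 0xMNNFFPPS number layout, applies the range from the list above, and treats a build configured with -DOPENSSL_NO_HEARTBEATS as not affected. If OpenSSL headers happen to be present it also reports the status of the headers it was compiled against; the function names and the sample strings are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Pull in the OpenSSL version macros if headers are present, so the build
 * itself can be checked; the example still compiles without them. */
#if defined(__has_include)
#  if __has_include(<openssl/opensslv.h>)
#    include <openssl/opensslconf.h>
#    include <openssl/opensslv.h>
#  endif
#endif

/* Affected range from the thread: 1.0.1 through 1.0.1f inclusive, in
 * OpenSSL's OPENSSL_VERSION_NUMBER layout 0xMNNFFPPS (status 0xf = release). */
#define HEARTBLEED_FIRST 0x1000100fUL /* 1.0.1  */
#define HEARTBLEED_LAST  0x1000106fUL /* 1.0.1f */

/* Convert "1.0.1f" (optionally prefixed "OpenSSL " and followed by a date)
 * into the 0xMNNFFPPS number. Returns 0 if the string is not understood. */
unsigned long openssl_version_number(const char *s)
{
    unsigned major, minor, fix, patch = 0;
    int consumed = 0;

    if (strncmp(s, "OpenSSL ", 8) == 0)
        s += 8;
    if (sscanf(s, "%u.%u.%u%n", &major, &minor, &fix, &consumed) != 3)
        return 0;
    s += consumed;
    if (islower((unsigned char)*s)) {      /* patch letter: a = 1, b = 2, ... */
        patch = (unsigned)(*s - 'a' + 1);
        s++;
    }
    if (*s != '\0' && !isspace((unsigned char)*s)) /* e.g. "-beta1": not handled */
        return 0;
    if (major > 0xf || minor > 0xff || fix > 0xff)
        return 0;
    return ((unsigned long)major << 28) | ((unsigned long)minor << 20) |
           ((unsigned long)fix << 12) | ((unsigned long)patch << 4) | 0xfUL;
}

/* 1 = affected build, 0 = not affected. no_heartbeats is 1 when the library
 * was configured with -DOPENSSL_NO_HEARTBEATS, which removes the code entirely. */
int heartbleed_status_num(unsigned long vernum, int no_heartbeats)
{
    if (vernum < HEARTBLEED_FIRST || vernum > HEARTBLEED_LAST)
        return 0;
    return no_heartbeats ? 0 : 1;
}

/* Same check on a version string; -1 if the string could not be parsed. */
int heartbleed_status(const char *version, int no_heartbeats)
{
    unsigned long v = openssl_version_number(version);
    return v ? heartbleed_status_num(v, no_heartbeats) : -1;
}

/* Status of the OpenSSL headers this file was compiled against (-1 if none
 * were found). Caveat: this reflects the headers and this compilation's
 * flags, not necessarily the libssl actually loaded at run time. */
int heartbleed_status_of_build(void)
{
#ifdef OPENSSL_VERSION_NUMBER
#  ifdef OPENSSL_NO_HEARTBEATS
    return heartbleed_status_num((unsigned long)OPENSSL_VERSION_NUMBER, 1);
#  else
    return heartbleed_status_num((unsigned long)OPENSSL_VERSION_NUMBER, 0);
#  endif
#else
    return -1;
#endif
}

int main(void)
{
    /* Constructed sample inputs: the versions named in the thread. */
    const char *samples[] = { "OpenSSL 1.0.1f 6 Jan 2014", "1.0.1g", "1.0.0", "0.9.8y" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s default build: %d   -DOPENSSL_NO_HEARTBEATS build: %d\n",
               samples[i], heartbleed_status(samples[i], 0),
               heartbleed_status(samples[i], 1));
    printf("headers compiled against: %d\n", heartbleed_status_of_build());
    return 0;
}
```

The version string is what `openssl version` prints, and the number layout is the same one OPENSSL_VERSION_NUMBER uses, so the same range check can be applied to a binary's runtime library once you know which libssl it actually loads; the header-based self check only tells you what the build saw, which is why it carries the caveat.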