On 15 Apr 2014, at 14:26, Fedor Indutny <fe...@indutny.com> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hello Hanno! > > Despite not a being an active community member, I'd like to share my thoughts > on it, if you don't mind. > > I certainly agree that this extension has a quite faulty specification and > very questionable > use. But perhaps, instead of just removing it from OpenSSL, we should try to > make IETF > deprecate it in a spec as well? I don't think there is a problem with the spec. The spec tells you how to deal with packets having a faulty length field. The problem was with the implementation.
I think OpenSSL has already a switch to disable the extension at compile time. This is available for a lot of extensions/features. Having also a runtime switch for features (with the default being off) is a possibility. Might be something for other extensions as well. So someone needing a feature needs to write code to enable it. Best regards Michael > > Cheers, > Fedor. > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > > iQIcBAEBAgAGBQJTTSVtAAoJEPsOEJWxeXmZfDoP/25Eqt9Ec3SCnqOrUaSg9D01 > JtNWZ8s8xq0BDdcjSCzeYh3yHPhWK2JbIhxm3t0Dq1vUK+TZtxvBHl6Vr141JioD > fM6WBGqr1eA8Htk5RkEC5xcIgDiEMs3xpGmeg0JYWaisPcdF9ChvPL51FII+FPXj > V26RJKHQhu+3XBKi3z4pmlJOvQNHaQ4B8EFw66mAfgyAVBXbi/EyHOpuJ0vZ/Z0p > WgPBnPSuhe8eu9Gmac440jvx/YHd+feYfjELw/vQiU5mZOCtgIKChu0hgSHQkke+ > jTFGTTzBca/3wULAC3VtTFMwHif3bCHuN8GauuvW0NLemB3DslnbEYFCnYXp+vJl > Dv6YJOyc2XUOw576La3ZdAgyAvSnFhnGjWodkVZRYZJsXheblJcWhXOoH5TDK5Zq > mqIfTtFuPE5J2JplYs+Rgpjpss8F5hJgc1GbsfPqb4qU+VEN3DB0w2BdYBcSWt4B > PiANM0OcuaTwWS15KECR+yoItUJwbZyHmqCIsFzHlWNzymD5wr8xdcUtq0HFo8oV > B1G6vZXhoHxsB04xusK9kJZPwxbZXFL8hWwyvJprsPVEBD7v7taFHN01cItFXxGR > pSWVa0PdJc7JzvAOpJhXKKAqiQtr/cNcAUSl+BGXBkhzFMs5sPYVCXaD0a+01piw > jEjk3196JpBMEJOUBDbF > =Z4D3 > -----END PGP SIGNATURE----- > > > On Tue, Apr 15, 2014 at 4:17 PM, Hanno Böck <ha...@hboeck.de> wrote: > Hi, > > I think this question needs to be asked. > > We have a TLS extension here that - as far as I can see - nobody uses. > I have asked in different contexts recently if anyone is aware of real > software that makes use of the heartbeat extension. I got often > answerts like "it could be used for X", but not a single one of them > saying "there is software Y that does X with it". Also, a search on > ohloh turned up nothing. > > I think there is no justification to have an extension that gets > enabled by default around if it is not used. So I propose that openssl > either disables it in the default build or removes it completely. > I'd suggest the first one if there are reasonable chances that anyone > might use it in the future. > > And: I'd like to see a discussion on what further unused features there > are in OpenSSL that could be disabled just to reduce attack surface. > E.g. I could think of removing DSA key support, because nobody uses that > anyway and DSA is a bad algorithm. > > cu, > -- > Hanno Böck > http://hboeck.de/ > > mail/jabber: ha...@hboeck.de > GPG: BBB51E42 > ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org