Thank you. In the meantime, I found RFC 6520 which explains it. Most appreciated.
+-+-+-+-+-+-+-+-+-
Dave McLellan, VMAX Software Engineering, EMC Corporation, 176 South St.
Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749
Office: 508-249-1257, Mobile: 978-500-2546, dave.mclel...@emc.com
+-+-+-+-+-+-+-+-+-

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Michael Tuexen
Sent: Tuesday, April 08, 2014 2:43 PM
To: openssl-users@openssl.org
Subject: Re: CVE 2014-0160 -- disabling the heartbeat

On 08 Apr 2014, at 19:19, mclellan, dave <dave.mclel...@emc.com> wrote:

> Hi all. There are two mitigations possible for the recently discovered
> Heartbleed attack.
>
> - Upgrade to 1.0.1g, released yesterday with a fix
> - Recompile a vulnerable release with -DOPENSSL_NO_HEARTBEATS
>
> Suppose we choose the latter. We might be installed into a server host in a
> shop with an earlier release of our software on the clients. Is it an issue
> if the server refuses to do heartbeats but the client expects to use them?
> Or is there a negotiation element that determines their shared capability WRT
> heartbeats?

Support is negotiated as part of the TLS handshake. So the client has always to deal with the case that the server doesn't support it or does not allow the client to send Heartbeats.

Best regards
Michael

>
> Thanks.
>
> +-+-+-+-+-+-+-+-+-
> Dave McLellan, VMAX Software Engineering, EMC Corporation, 176 South St.
> Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749
> Office: 508-249-1257, Mobile: 978-500-2546, dave.mclel...@emc.com
> +-+-+-+-+-+-+-+-+-

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
______________________________________________________________________
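Michael's point above (heartbeat support is negotiated in the handshake, so a peer that does not advertise the RFC 6520 extension, or advertises peer_not_allowed_to_send, must never be sent HeartbeatRequests) and the payload-length bound from RFC 6520 that -DOPENSSL_NO_HEARTBEATS removes from the picture entirely, as an added Python example that is not code from this thread or from OpenSSL. The extension parser is a minimal stand-in for a real TLS handshake parser, and the handshake bytes and heartbeat messages are constructed, not captured.

```python
import struct

HEARTBEAT_EXT_TYPE = 0x000F       # RFC 6520 registers extension type 15 ("heartbeat")
PEER_ALLOWED_TO_SEND = 1          # HeartbeatMode values from RFC 6520 section 2
PEER_NOT_ALLOWED_TO_SEND = 2
PADDING_MIN = 16                  # RFC 6520 section 4: padding is at least 16 bytes


def parse_extensions(ext_block: bytes) -> dict:
    """Parse a TLS extensions block: 2-byte total length, then (type, len, data) triples."""
    total = struct.unpack("!H", ext_block[:2])[0]
    body, exts, off = ext_block[2:2 + total], {}, 0
    while off + 4 <= len(body):
        ext_type, ext_len = struct.unpack("!HH", body[off:off + 4])
        exts[ext_type] = body[off + 4:off + 4 + ext_len]
        off += 4 + ext_len
    return exts


def may_send_heartbeat_request(peer_ext_block: bytes) -> bool:
    """True only if the peer's Hello carried heartbeat_mode = peer_allowed_to_send.
    No extension at all (e.g. a server built with -DOPENSSL_NO_HEARTBEATS) or
    peer_not_allowed_to_send both mean: never send HeartbeatRequests to this peer."""
    data = parse_extensions(peer_ext_block).get(HEARTBEAT_EXT_TYPE)
    return data is not None and len(data) == 1 and data[0] == PEER_ALLOWED_TO_SEND


def heartbeat_payload(msg: bytes):
    """Return the payload to echo for a heartbeat message, or None if it must be discarded.
    RFC 6520 section 4: payload_length must not exceed message length minus the 3-byte
    header and the 16-byte minimum padding. Omitting this bound check is CVE-2014-0160."""
    if len(msg) < 3 + PADDING_MIN:
        return None
    hb_type, payload_len = msg[0], struct.unpack("!H", msg[1:3])[0]
    if hb_type not in (1, 2):     # 1 = heartbeat_request, 2 = heartbeat_response
        return None
    if payload_len > len(msg) - 3 - PADDING_MIN:
        return None               # silently discard: claimed length exceeds the record
    return msg[3:3 + payload_len]


def build_ext_block(mode):
    """Constructed Hello extensions block carrying only the heartbeat extension (or none)."""
    ext = b"" if mode is None else struct.pack("!HHB", HEARTBEAT_EXT_TYPE, 1, mode)
    return struct.pack("!H", len(ext)) + ext
```

A client built against the vulnerable release still behaves correctly against a no-heartbeat server as long as it honours the negotiation result, which is exactly what the handshake rule requires.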