Ø  I get the heartbeating message on both unpatched and patched servers.  
Should that make me worry about the patched machines?
Not necessarily.  If they updated to the 'g' release, then they are doing 
buffer-overrun checking and you're safe.  You can probably find out by 
connecting to your server (via s_client again) and seeing what it says in the 
server line, as in
                echo HEAD / HTTP/1.0 | openssl s_client -connect $HOST:$PORT
The server usually says things like "apache/2.0 openssl/1.0.1g ..." and other 
modules that are bundled in.

To be safest, heartbeats should just be disabled.  Nobody really uses them.

Principal Security Engineer
Akamai Technology
Cambridge, MA

Reply via email to