Re: [openssl-dev] frequency and size of heartbeat requests

2017-12-06 Thread Hanno Böck
On Tue, 5 Dec 2017 19:21:50 +
"Salz, Rich via openssl-dev"  wrote:

> There is never any reason to use this in TCP-based TLS;
> that was an OpenSSL bug that enabled it there.

I opened an issue for this bug, so it can be fixed:
https://github.com/openssl/openssl/issues/4856

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] frequency and size of heartbeat requests

2017-12-06 Thread Jitendra Lulla via openssl-dev
Thanks Hanno and Rich.


On Tue, 12/5/17, Hanno Böck <ha...@hboeck.de> wrote:

 Subject: Re: [openssl-dev] frequency and size of heartbeat requests
 To: openssl-dev@openssl.org
 Cc: "Jitendra Lulla" <lull...@yahoo.com>
 Date: Tuesday, December 5, 2017, 9:59 PM
 
 On Tue, 5 Dec 2017 19:14:41 + (UTC)
 Jitendra Lulla via openssl-dev <openssl-dev@openssl.org> wrote:
 
 > Could the solution be a restricted count of HB requests along with a
 > timer? 
 
 No, the solution is to disable TLS heartbeats.
 I actually wanted to bring this up when I recently noticed that OpenSSL
 still enables the heartbeat extension by default in every clienthello
 it sends.
 
 In the whole Heartbleed aftermath nobody was ever able to tell me where
 TLS Heartbeats are used. It's a feature in order to have a feature.
 
 
 -- 
 Hanno Böck
 https://hboeck.de/
 
 mail/jabber: ha...@hboeck.de
 GPG: FE73757FA60E4E21B937579FA5880072BBB51E42


Re: [openssl-dev] frequency and size of heartbeat requests

2017-12-05 Thread Hanno Böck
On Tue, 5 Dec 2017 19:14:41 + (UTC)
Jitendra Lulla via openssl-dev  wrote:

> Could the solution be a restricted count of HB requests along with a
> timer? 

No, the solution is to disable TLS heartbeats.
I actually wanted to bring this up when I recently noticed that OpenSSL
still enables the heartbeat extension by default in every clienthello
it sends.

In the whole Heartbleed aftermath nobody was ever able to tell me where
TLS Heartbeats are used. It's a feature in order to have a feature.


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42


Re: [openssl-dev] frequency and size of heartbeat requests

2017-12-05 Thread Salz, Rich via openssl-dev
The purpose of the HEARTBEAT message is for DTLS applications to determine the 
maximum packet size and tune the application records accordingly. There is 
never any reason to use this in TCP-based TLS; that was an OpenSSL bug that 
enabled it there.

The usefulness of HEARTBEAT even in DTLS is probably pretty small and it is 
probably safer to just turn it off. Spending time and code to “protect it” is 
probably not worth the effort.

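An added example to go with Rich's description of the heartbeat message (written for this page; not code from the thread or from OpenSSL): a receiver-side parser for the RFC 6520 HeartbeatMessage that performs the bounds check Heartbleed lacked, namely that the declared payload_length must fit inside the record with at least 16 bytes of padding left over, and that builds a response only from the validated payload. The constants follow RFC 6520; the sample messages are constructed in the block.

```python
import os
import struct

HB_REQUEST, HB_RESPONSE = 1, 2   # HeartbeatMessageType values from RFC 6520
MIN_PADDING = 16                 # RFC 6520 section 4: padding is at least 16 bytes
MAX_HB_LEN = 2 ** 14             # RFC 6520: total message length must not exceed 2^14


def parse_heartbeat(plaintext):
    """Parse a HeartbeatMessage; return (type, payload) or None when it must be discarded.

    RFC 6520 requires a message whose payload_length is too large to be discarded silently,
    so every failure path returns None rather than raising.
    """
    if len(plaintext) < 3 or len(plaintext) > MAX_HB_LEN:
        return None
    hb_type = plaintext[0]
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return None
    payload_length = struct.unpack("!H", plaintext[1:3])[0]
    # The check: type (1) + length (2) + declared payload + minimum padding
    # must all fit inside the record actually received.
    if 3 + payload_length + MIN_PADDING > len(plaintext):
        return None
    return hb_type, plaintext[3:3 + payload_length]


def build_heartbeat(hb_type, payload, padding_length=MIN_PADDING):
    """Serialize a HeartbeatMessage with random padding of the requested length."""
    if padding_length < MIN_PADDING:
        raise ValueError("padding must be at least 16 bytes")
    msg = bytes([hb_type]) + struct.pack("!H", len(payload)) + payload + os.urandom(padding_length)
    if len(msg) > MAX_HB_LEN:
        raise ValueError("heartbeat message exceeds 2^14 bytes")
    return msg


def heartbeat_response(request_plaintext):
    """Echo the validated payload of a request; None means the request was dropped."""
    parsed = parse_heartbeat(request_plaintext)
    if parsed is None or parsed[0] != HB_REQUEST:
        return None
    # Only bytes that were proven to be inside the request are copied back.
    return build_heartbeat(HB_RESPONSE, parsed[1])


if __name__ == "__main__":
    good = build_heartbeat(HB_REQUEST, b"ping")
    print("well-formed request:", parse_heartbeat(good))
    # Constructed malformed request: declares 65535 payload bytes but carries 4.
    oversized = bytes([HB_REQUEST, 0xFF, 0xFF]) + b"ping" + bytes(16)
    print("oversized request:  ", parse_heartbeat(oversized))
```

The padding is generated rather than echoed, so nothing beyond the validated payload ever leaves the receiver; with the extension disabled, as both replies above recommend, none of this code path is reachable in the first place.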