Re: DTLS Heartbeat Removed in OpenSSL 1.1.1
Hi,

I am just following up on my earlier mail as I did not get an answer. I now understand that the heartbeat mechanism is completely removed in OpenSSL 1.1.1, whereas it's still available in GnuTLS. So I do not understand why it was removed from OpenSSL. Is having your own keepalive mechanism (at application level) the only way forward? I am still looking for some answers. Can someone throw some light on it?

Regards,
Vijay

On Tue, Jun 9, 2020 at 2:25 PM Vijayakumar Kaliaperumal wrote:
> Hello,
>
> From the release notes of OpenSSL 1.1.1, I could see that DTLS heartbeat
> has been removed:
> "Heartbeat support has been removed; the ABI is changed for now."
>
> With RFC 6520 in standards track, any specific reason (vulnerability/other
> security issue reported) for the removal? How can we re-enable it?
> Recompile OpenSSL without the OPENSSL_NO_HEARTBEATS macro? Please advise.
>
> Regards,
> Vijay
DTLS Heartbeat Removed in OpenSSL 1.1.1
Hello,

From the release notes of OpenSSL 1.1.1, I could see that DTLS heartbeat has been removed:
"Heartbeat support has been removed; the ABI is changed for now."

With RFC 6520 in standards track, any specific reason (vulnerability/other security issue reported) for the removal? How can we re-enable it? Recompile OpenSSL without the OPENSSL_NO_HEARTBEATS macro? Please advise.

Regards,
Vijay
[openssl-users] Extracting Handshake Information
Hello,

Is there a way in OpenSSL we can extract the protocol (TLS/DTLS) handshake information, like in the ClientHello: the protocol version, ciphersuites offered, Random, session id, etc.?

Regards,
Vijay

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] DTLS Handshake fails with DTLSv1_listen
Hi,

While writing a DTLS server using DTLSv1_listen(), I found that when I receive a fragmented ClientHello from the client, the DTLS handshake fails. DTLSv1_listen is stuck in the while loop (in the app). When I checked the man page of DTLSv1_listen(), it clearly says that the API does not handle a fragmented ClientHello, as it operates entirely statelessly (safeguard against DoS attacks?).

However, the DTLS RFC clearly states that an implementation must handle fragmented handshake messages. RFC 4347, Datagram Transport Layer Security: "When a DTLS implementation receives a handshake message fragment, it MUST buffer it until it has the entire handshake message."

Is avoiding the fragmented ClientHello the only way out for this problem? Or do any other alternatives exist?

Regards,
Vijay
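Added example (my own plain-Python code, not OpenSSL's and not from these posts) covering both questions above: it buffers DTLS handshake fragments until the whole message is present, as the quoted RFC 4347 text requires, and then reads the ClientHello fields asked about earlier (version, random, session id, cookie, cipher suites) out of the reassembled body. The handshake bytes are a constructed sample and all function names are mine.

```python
def parse_fragment(data):
    """Split one DTLS handshake fragment (12-byte RFC 4347 header) into its fields."""
    msg_type = data[0]
    length = int.from_bytes(data[1:4], "big")        # length of the whole message
    message_seq = int.from_bytes(data[4:6], "big")
    frag_off = int.from_bytes(data[6:9], "big")
    frag_len = int.from_bytes(data[9:12], "big")
    body = data[12:12 + frag_len]
    if len(body) != frag_len or frag_off + frag_len > length:
        raise ValueError("truncated or inconsistent fragment")
    return msg_type, length, message_seq, frag_off, body

def reassemble(fragments):
    """Buffer fragments (any order) and return (msg_type, body) once all bytes are present, else None."""
    buf, have, total, mtype, seq = None, set(), None, None, None
    for frag in fragments:
        t, length, mseq, off, body = parse_fragment(frag)
        if buf is None:
            buf, total, mtype, seq = bytearray(length), length, t, mseq
        elif (t, length, mseq) != (mtype, total, seq):
            raise ValueError("fragment belongs to a different handshake message")
        buf[off:off + len(body)] = body
        have.update(range(off, off + len(body)))
    if len(have) != total:
        return None  # still incomplete: keep buffering, as the RFC says
    return mtype, bytes(buf)

def parse_client_hello(body):
    """Read the fields of a reassembled DTLS ClientHello body (extensions are not parsed)."""
    ver, rnd, p = body[0:2], body[2:34], 34
    sid_len = body[p]; sid = body[p + 1:p + 1 + sid_len]; p += 1 + sid_len
    cookie_len = body[p]; cookie = body[p + 1:p + 1 + cookie_len]; p += 1 + cookie_len  # DTLS-only
    cs_len = int.from_bytes(body[p:p + 2], "big"); p += 2
    suites = [body[i:i + 2].hex() for i in range(p, p + cs_len, 2)]
    return {"version": ver.hex(), "random": rnd.hex(), "session_id": sid.hex(),
            "cookie": cookie.hex(), "cipher_suites": suites}

def build_fragments():
    """Constructed sample: a 44-byte DTLS 1.2 ClientHello body split into two fragments."""
    body = (bytes([0xfe, 0xfd]) + bytes(range(32)) + b"\x00" + b"\x00"   # version, random, sid, cookie
            + b"\x00\x04" + bytes.fromhex("c02bc02f") + b"\x01\x00")       # suites, compression
    def frag(off, chunk):   # msg_type=1 (client_hello), message_seq=0
        return (b"\x01" + len(body).to_bytes(3, "big") + b"\x00\x00"
                + off.to_bytes(3, "big") + len(chunk).to_bytes(3, "big") + chunk)
    return [frag(0, body[:20]), frag(20, body[20:])]

if __name__ == "__main__":
    print(parse_client_hello(reassemble(build_fragments())[1]))
```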