Hi all. There are two mitigations possible for the recently discovered
Heartbleed attack.


- Upgrade to 1.0.1g, released yesterday with a fix

- Recompile a vulnerable release with -DOPENSSL_NO_HEARTBEATS

Suppose we choose the latter. We might be installed into a server host in a
shop with an earlier release of our software on the clients. Is it an issue
if the server refuses to do heartbeats but the client expects to use them?
Or is there a negotiation element that determines their shared capability WRT
heartbeats?

Thanks.

+-+-+-+-+-+-+-+-+-
Dave McLellan, VMAX Software Engineering, EMC Corporation, 176 South St.
Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749
Office:    508-249-1257, Mobile:   978-500-2546,
dave.mclel...@emc.com
+-+-+-+-+-+-+-+-+-
