Hi all. There are two mitigations possible for the recently discovered Heartbleed attack.

- Upgrade to 1.0.1g, released yesterday with a fix
- Recompile a vulnerable release with -DOPENSSL_NO_HEARTBEATS

Suppose we choose the latter. We might be installed into a server host in a shop with an earlier release of our software on the clients. Is it an issue if the server refuses to do heartbeats but the client expects to use them? Or is there a negotiation element that determines their shared capability WRT heartbeats?

Thanks.

+-+-+-+-+-+-+-+-+-
Dave McLellan, VMAX Software Engineering, EMC Corporation, 176 South St. Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749
Office: 508-249-1257, Mobile: 978-500-2546, dave.mclel...@emc.com
+-+-+-+-+-+-+-+-+-