On 08 Apr 2014, at 19:19, mclellan, dave <dave.mclel...@emc.com> wrote:
> Hi all. There are two mitigations possible for the recently discovered
> Heartbleed attack.
>
> - Upgrade to 1.0.1g, released yesterday with a fix
> - Recompile a vulnerable release with -DOPENSSL_NO_HEARTBEATS
>
> Suppose we choose the latter. We might be installed into a server host in a
> shop with an earlier release of our software on the clients. Is it an issue
> if the server refuses to do heartbeats but the client expects to use them?
> or is there a negotiation element that determines their shared capability WRT
> heartbeats?

Support is negotiated as part of the TLS handshake. So the client has always
to deal with the case that the server doesn't support it or does not allow
the client to send Heartbeats.

Best regards
Michael

>
> Thanks.
>
> +-+-+-+-+-+-+-+-+-
> Dave McLellan, VMAX Software Engineering, EMC Corporation, 176 South St.
> Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749
> Office: 508-249-1257, Mobile: 978-500-2546, dave.mclel...@emc.com
> +-+-+-+-+-+-+-+-+-
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
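
The negotiation mentioned in the reply is carried by the Heartbeat hello extension of RFC 6520 (extension type 15, one mode byte). As an added example that is not part of the original thread, this Python sketch checks a ServerHello handshake message for that extension, which is one way to confirm what a rebuilt server advertises; the function names and the sample messages are constructed for illustration.

```python
import struct

HEARTBEAT_EXT = 15  # extension type "heartbeat" (RFC 6520)
MODES = {1: "peer_allowed_to_send", 2: "peer_not_allowed_to_send"}

def heartbeat_mode(msg: bytes):
    """Return the HeartbeatMode name in a ServerHello, or None if not offered."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len or body_len < 35:
        raise ValueError("truncated ServerHello")
    pos = 34                    # skip server_version (2) + random (32)
    pos += 1 + body[pos]        # session_id length byte + session_id
    pos += 3                    # cipher_suite (2) + compression_method (1)
    if pos == body_len:
        return None             # no extensions block: heartbeats not negotiated
    if pos + 2 > body_len:
        raise ValueError("truncated ServerHello")
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if ext_end != body_len:
        raise ValueError("extensions length does not match message length")
    while pos < ext_end:
        if pos + 4 > ext_end:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension body")
        if ext_type == HEARTBEAT_EXT:
            if ext_len != 1 or data[0] not in MODES:
                raise ValueError("malformed heartbeat extension")
            return MODES[data[0]]
        pos += 4 + ext_len
    return None                 # extensions present, heartbeat absent

def build_server_hello(extensions: bytes = b"") -> bytes:
    """Constructed sample: TLS 1.2 ServerHello, zeroed random, empty session_id."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        body += len(extensions).to_bytes(2, "big") + extensions
    return b"\x02" + len(body).to_bytes(3, "big") + body

RENEG = bytes.fromhex("ff01000100")       # constructed: empty renegotiation_info
HB_ALLOWED = bytes.fromhex("000f000101")  # constructed: heartbeat, mode 1
HB_DENIED = bytes.fromhex("000f000102")   # constructed: heartbeat, mode 2
```

A `None` result means the peer did not offer the extension, so no HeartbeatRequest may be sent to it; `peer_not_allowed_to_send` means the peer supports heartbeats but will not accept requests.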