hi,

> Will the client respond to a heartbeat request even if the server doesn't support heartbeat?

No. Both systems need to have some heartbeat code present.

> Which version of SSL is this heartbeat introduced in?

Same as all the original advisories have said: 1.0.1, fixed in 1.0.1g, but patches to previous versions have been released.

i.e. basics:
- unpatched 1.0.1 OpenSSL server (pre 1.0.1g) - vulnerable to dodgy client attack
- unpatched 1.0.1 OpenSSL client (pre 1.0.1g) - vulnerable to a dodgy server attacking it

Remember... this attack isn't about honouring proper communication. It's about circumventing usual conversation, so even if the application doesn't use heartbeat, the APIs it's using for session establishment do, and that's where the attack vector lives.

alan
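As an added illustration of Alan's last point (example code written for this page, not code from the thread or from OpenSSL): a minimal Python parser for the TLS heartbeat message (RFC 6520 layout) that applies the length check the 1.0.1g fix introduced, so a message whose length field claims more payload than the record actually carries is dropped instead of answered. The constant names, helper functions and sample records below are constructed for this example.

```python
import struct

# TLS heartbeat message layout (RFC 6520):
#   type(1) | payload_length(2, big-endian) | payload | padding(>= 16 bytes)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 1 + 2


def parse_heartbeat(record: bytes):
    """Parse a heartbeat message, mirroring the bounds check added in 1.0.1g.

    Returns (type, payload) on success, or None when the message must be
    silently discarded: it is too short to hold even an empty payload, or
    payload_length claims more bytes than the record actually contains.
    """
    # Must at least hold type + length + minimum padding.
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None
    hb_type = record[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    (payload_length,) = struct.unpack_from("!H", record, 1)
    # The check the unpatched 1.0.1 code lacked: the claimed payload plus header
    # and padding must fit inside the bytes we really received. Without it, the
    # responder copies payload_length bytes from beyond the received data.
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return None
    payload = record[HEADER_LEN:HEADER_LEN + payload_length]
    return hb_type, payload


def build_heartbeat(hb_type: int, payload: bytes) -> bytes:
    """Build a well-formed heartbeat message (padding zeroed for simplicity)."""
    return bytes([hb_type]) + struct.pack("!H", len(payload)) + payload + b"\x00" * MIN_PADDING


# Constructed samples: a well-formed request carrying "ping", and a malformed
# one whose length field claims 0x4000 bytes while only 4 bytes are present.
GOOD_RECORD = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
BAD_RECORD = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 0x4000) + b"ping" + b"\x00" * MIN_PADDING
```

Note that this is the library-level check: the application above the TLS stack never sees these records, which is why an application that "doesn't use heartbeat" is still exposed through an unpatched library.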