Possibly too Postelian, OpenSSL answers a received heartbeat request (and thus, before the fix, answers a malicious request with leaked data) even if the heartbeat extension was negotiated off. Only the build option to exclude the code stops it. OpenSSL will *send* an hb request only if/after negotiating it on. The first >OpenSSL< version with heartbeat is 1.0.1 (base).

The extension RFC is written against the current 5246 TLSv1.2, but like most extensions the logic can apply to any version that supports extensions, which is since TLSv1(.0), and that's what OpenSSL implements. The only exception I see is sigalgs, which only makes sense for D/TLS1.2.

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of cvishnuid
Sent: Sunday, April 13, 2014 12:24
To: openssl-users@openssl.org
Subject: *** Spam *** Re: Heart bleed with 0.9.8 and 1.0.1

Will the client respond to a heartbeat request even if the server doesn't support heartbeat? Which version of SSL was this heartbeat introduced in? I am assuming that, as the client knows the session established with the server doesn't support heartbeat, it will not respond. Am I correct?

On Sunday, April 13, 2014, Jin Jiang [via OpenSSL] <[hidden email]> wrote:

Hi,

I think your client is vulnerable, if the attacker can touch your client.

Regards,
Jin

On Fri, Apr 11, 2014 at 5:32 PM, cvishnuid <[hidden email]> wrote:

Hi,

I have 0.9.8 OpenSSL libraries in my server and 1.0.1 in my client. Am I vulnerable to the heartbleed attack?

Regards,
Vishnu.

View this message in context: Heart bleed with 0.9.8 and 1.0.1 <http://openssl.6102.n7.nabble.com/Heart-bleed-with-0-9-8-and-1-0-1-tp49300.html>
Sent from the OpenSSL - User mailing list archive <http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html> at Nabble.com.
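The behaviour the first reply describes (a request answered whether or not the extension was negotiated, and before the fix echoed back with as many bytes as the peer's length field claims) is easier to see in a small model than in prose. The following is an added example in C; it is not OpenSSL's code and not anything posted on the list. It follows the RFC 6520 record layout (type, 16-bit payload length, payload, at least 16 bytes of padding), but `arena`, `secret`, `build_record`, `hb_answer_trusting`, `hb_answer_checked` and `response_leaks_secret` are all constructed names, the "process memory" is a flat array with fake neighbouring data behind the record, and the "drop unless negotiated" rule in the checked handler is the policy the reply argues for, not a claim about what any OpenSSL release does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat body: type(1) | payload_length(2, big-endian) | payload | padding(>=16). */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_MIN_PADDING = 16, HB_HDR = 3 };

/* Constructed stand-in for process memory: the record sits at the start and
 * unrelated data (a fake cookie) sits right behind it, the way neighbouring
 * heap contents would. This is an assumed layout, not OpenSSL's. */
#define ARENA_LEN 4096
static uint8_t arena[ARENA_LEN];
static const char secret[] = "session-cookie=deadbeef"; /* constructed sample data */

/* Writes a request with a declared length of `claimed` but only `actual`
 * payload bytes, then the fake neighbouring data. Returns the real record
 * length, i.e. what the record layer actually received. */
size_t build_record(size_t claimed, size_t actual)
{
    size_t rec_len = HB_HDR + actual + HB_MIN_PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memset(arena + HB_HDR, 'A', actual);
    memcpy(arena + rec_len, secret, sizeof secret);
    return rec_len;
}

/* Pre-fix behaviour: answers any request and trusts the peer-supplied length,
 * so the echo runs past the end of the record. Returns the response length,
 * or -1 when no response is produced. */
int hb_answer_trusting(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    size_t payload, resp;
    (void)rec_len;                      /* never consulted: that is the bug */
    if (rec[0] != HB_REQUEST)
        return -1;
    payload = ((size_t)rec[1] << 8) | rec[2];
    resp = HB_HDR + payload + HB_MIN_PADDING;
    if (resp > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);  /* over-read once payload > rec_len - 19 */
    memset(out + HB_HDR + payload, 0, HB_MIN_PADDING);
    return (int)resp;
}

/* Post-fix behaviour plus the negotiation check: silently drop the request
 * unless the extension was negotiated, and drop any request whose declared
 * payload plus minimum padding does not fit inside the record received. */
int hb_answer_checked(int negotiated, const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    size_t payload, resp;
    if (!negotiated)
        return -1;
    if (rec_len < HB_HDR + HB_MIN_PADDING || rec[0] != HB_REQUEST)
        return -1;
    payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload + HB_MIN_PADDING > rec_len)
        return -1;                      /* the bounds check the trusting handler lacks */
    resp = HB_HDR + payload + HB_MIN_PADDING;
    if (resp > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    memset(out + HB_HDR + payload, 0, HB_MIN_PADDING);
    return (int)resp;
}

/* True if the response carries the fake neighbouring data. */
int response_leaks_secret(const uint8_t *out, int out_len)
{
    size_t n = strlen(secret), i;
    if (out_len < 0 || (size_t)out_len < n)
        return 0;
    for (i = 0; i + n <= (size_t)out_len; i++)
        if (memcmp(out + i, secret, n) == 0)
            return 1;
    return 0;
}

int main(void)
{
    uint8_t out[1024];
    size_t rec_len = build_record(200, 4);   /* claims 200 bytes, actually sends 4 */
    int n = hb_answer_trusting(arena, rec_len, out, sizeof out);
    printf("trusting handler: %d bytes, leaks neighbouring data: %d\n", n, response_leaks_secret(out, n));
    n = hb_answer_checked(1, arena, rec_len, out, sizeof out);
    printf("checked handler: %d (request dropped)\n", n);
    return 0;
}
```

The two handlers differ in exactly two tests: whether the extension was negotiated at all, and whether `1 + 2 + payload + 16` fits in the record length the record layer reports. The trusting handler's memcpy is bounded only by the output buffer, so an attacker who declares 200 bytes while sending 4 gets the 23-byte record back plus whatever follows it in memory.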