Re: Heart bleed with 0.9.8 and 1.0.1

2014-04-15 Thread ag@gmail
Yes, your client is vulnerable. Which IP to connect to is governed by your application, and IP addresses can be falsified, so it is very much possible your client connects to a malicious server.
-ag
-- sent via 100% recycled electrons from my mobile command center.
> On Apr 11, 2014, at 8:32 A

Re: Heart bleed with 0.9.8 and 1.0.1

2014-04-15 Thread Dave Thompson
e only exception I see is sigalgs which only makes sense for D/TLS1.2.
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of cvishnuid
Sent: Sunday, April 13, 2014 12:24
To: openssl-users@openssl.org
Subject: *** Spam *** Re: Heart bleed with 0.9.8 and

RE: Heart bleed with 0.9.8 and 1.0.1

2014-04-14 Thread cvishnuid
Now I understood the concept. Till now I am assuming that attacker will send only the heart beat request without performing any SSL handshake messages. I was wrong. Attacker will establish a new connection and send all the handshake messages and then the faked heart beat request. -

RE: Heart bleed with 0.9.8 and 1.0.1

2014-04-14 Thread cvishnuid
In my scenario, if the client doesn't respond to the heart beat request, then is my client safer?

RE: Heart bleed with 0.9.8 and 1.0.1

2014-04-14 Thread Alan Buxey
Hi,
> Will client respond to heart beat request even if server doesn't support heart beat?
No. Both systems need to have some heartbeat code present.
> In which version of SSL is this heart beat introduced?
Same as all the original advisories have said: 1.0.1 - fixed in 1.0.1g but patches to

Re: Heart bleed with 0.9.8 and 1.0.1

2014-04-14 Thread cvishnuid
Will client respond to heart beat request even if server doesn't support heart beat? In which version of SSL is this heart beat introduced? I am assuming that as the client knows that the session established with the server doesn't support heart beat, it will not respond. Am I correct?
On Sunday, April 13

Re: Heart bleed with 0.9.8 and 1.0.1

2014-04-13 Thread Jin Jiang
Hi, I think your client is vulnerable, if the attacker can touch your client.
Regards, Jin
On Fri, Apr 11, 2014 at 5:32 PM, cvishnuid wrote:
> Hi, I am having 0.9.8 OpenSSL libraries in my server and 1.0.1 in my
> client. Am I vulnerable to heart bleed attack? Regards, Vishnu.
> ---