Yes, your client is vulnerable. Which IP to connect to is governed by your
application, and IP addresses can be falsified, so it is very much possible
that your client connects to a malicious server.
-ag
--
sent via 100% recycled electrons from my mobile command center.
> On Apr 11, 2014, at 8:32 A
e only exception I see is sigalgs which only makes sense for D/TLS1.2.
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of cvishnuid
Sent: Sunday, April 13, 2014 12:24
To: openssl-users@openssl.org
Subject: Re: Heart bleed with 0.9.8 and
Now I understood the concept. Till now I was assuming that the attacker will
send only the heartbeat request without performing any SSL handshake
messages.
I was wrong. The attacker will establish a new connection, send all the
handshake messages and then the faked heartbeat request.

In my scenario, if the client doesn't respond to the heartbeat request, is my
client safer?
--
View this message in context:
http://openssl.6102.n7.nabble.com/Heart-bleed-with-0-9-8-and-1-0-1-tp49300p49402.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
_
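The attack flow described above (a full handshake, then a heartbeat request whose payload length field claims far more than was actually sent) is what made an unpatched 1.0.1 peer leak memory, on whichever side processed the request. The following is an added illustration written for this thread, not code from the list or from OpenSSL: a miniature heartbeat handler in its pre-1.0.1g form next to the 1.0.1g check. The record layout follows RFC 6520, but the "heap" is a constructed stand-in (the record bytes followed by whatever else the process held), and the function names `heartbeat_vulnerable`, `heartbeat_fixed` and `build_heartbeat_record` are my own.

```python
"""Heartbleed (CVE-2014-0160) in miniature: the handler trusts the length
field inside the heartbeat message instead of the length of the TLS record
that carried it. Illustrative re-implementation, not OpenSSL's code; the heap
model is a constructed simplification."""
import struct

TLS_HEARTBEAT = 24        # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16          # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat_record(claimed_len, payload, version=(3, 3)):
    """Build a TLS heartbeat record. `claimed_len` is what the message *says*
    the payload length is; `payload` is what is actually sent. An honest peer
    keeps the two equal; the attack sets claimed_len >> len(payload)."""
    body = (bytes([HB_REQUEST]) + struct.pack("!H", claimed_len)
            + payload + b"\x00" * MIN_PADDING)
    header = bytes([TLS_HEARTBEAT, version[0], version[1]]) + struct.pack("!H", len(body))
    return header + body


def _parse_record(record):
    """Return (record_length, body) for a heartbeat record."""
    if record[0] != TLS_HEARTBEAT:
        raise ValueError("not a heartbeat record")
    rlen = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rlen]
    if len(body) != rlen:
        raise ValueError("truncated record")
    return rlen, body


def heartbeat_vulnerable(record, adjacent_memory):
    """Pre-1.0.1g behaviour: the response echoes `claimed_len` bytes starting
    at the payload, with no check against the record length. `adjacent_memory`
    is a constructed stand-in for whatever followed the record on the heap."""
    rlen, body = _parse_record(record)
    claimed_len = struct.unpack("!H", body[1:3])[0]
    heap = body + adjacent_memory            # record bytes, then other heap data
    payload = heap[3:3 + claimed_len]        # reads past the record when claimed_len > rlen
    return (bytes([HB_RESPONSE]) + struct.pack("!H", claimed_len)
            + payload + b"\x00" * MIN_PADDING)


def heartbeat_fixed(record, adjacent_memory):
    """1.0.1g behaviour: discard the message unless type + length field +
    payload + minimum padding fit inside the record that carried it."""
    rlen, body = _parse_record(record)
    if rlen < 1 + 2 + MIN_PADDING:
        return None                          # too short to be a heartbeat message
    claimed_len = struct.unpack("!H", body[1:3])[0]
    if 1 + 2 + claimed_len + MIN_PADDING > rlen:
        return None                          # silently drop, as the fix does
    payload = body[3:3 + claimed_len]        # bounded by rlen, never past the record
    return (bytes([HB_RESPONSE]) + struct.pack("!H", claimed_len)
            + payload + b"\x00" * MIN_PADDING)


def response_payload(response):
    """Extract the echoed payload from a heartbeat response message."""
    n = struct.unpack("!H", response[1:3])[0]
    return response[3:3 + n]


if __name__ == "__main__":
    # Constructed heap contents standing in for keys, cookies, plaintext, etc.
    secret = b"session key material / cookies that happened to follow the record"
    honest = build_heartbeat_record(2, b"hi")
    malicious = build_heartbeat_record(2000, b"hi")
    print(response_payload(heartbeat_fixed(honest, secret)))          # b'hi'
    print(response_payload(heartbeat_vulnerable(malicious, secret)))  # b'hi' + padding + secret
    print(heartbeat_fixed(malicious, secret))                         # None
```

The fixed handler answers the honest request exactly as before, so the check costs nothing for well-formed peers; the malicious request is dropped rather than answered with whatever lay beyond the 21-byte record. Note that whether a peer runs this handler at all depends on both sides having heartbeat support negotiated, which is the point made later in the thread about both systems needing heartbeat code present.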
hi,
>Will the client respond to a heartbeat request even if the server doesn't
>support heartbeat?
No. Both systems need to have some heartbeat code present.
>Which version of SSL was this heartbeat introduced in?
Same as all the original advisories have said: 1.0.1 - fixed in 1.0.1g, but
patches to
Will the client respond to a heartbeat request even if the server doesn't
support heartbeat?
Which version of SSL was this heartbeat introduced in?
I am assuming that, as the client knows the session established with the
server doesn't support heartbeat, it will not respond. Am I correct?
On Sunday, April 13
Hi,
I think your client is vulnerable, if the attacker can touch your client.
Regards,
Jin
On Fri, Apr 11, 2014 at 5:32 PM, cvishnuid wrote:
> Hi, I have 0.9.8 OpenSSL libraries in my server and 1.0.1 in my
> client. Am I vulnerable to the Heartbleed attack? Regards, Vishnu.
> ---