CVE 2014-0160 -- disabling the heartbeat


CVE 2014-0160 -- disabling the heartbeat

mclellan, dave

Hi all. There are two mitigations possible for the recently discovered Heartbleed attack.

- Upgrade to 1.0.1g, released yesterday with a fix
- Recompile a vulnerable release with -DOPENSSL_NO_HEARTBEATS

Suppose we choose the latter. We might be installed into a server host in a shop with an earlier release of our software on the clients. Is it an issue if the server refuses to do heartbeats but the client expects to use them? Or is there a negotiation element that determines their shared capability WRT heartbeats?

Thanks.

+-+-+-+-+-+-+-+-+-

Dave McLellan, VMAX Software Engineering, EMC Corporation, 176 South St.

Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749

Office:    508-249-1257, Mobile:   978-500-2546, [hidden email]

+-+-+-+-+-+-+-+-+-


Re: CVE 2014-0160 -- disabling the heartbeat

Alan Buxey
Or take the upstream fix, apply it to your older version and keep the heartbeat functionality, which is what I believe the very latest Red Hat/CentOS patches do.

Alan

RE: CVE 2014-0160 -- disabling the heartbeat

mclellan, dave

True, that's possible, except that it only applies if customers actually install a corrected older version that we make available. We can pour the clean water but can't make the customer drink it; he might still be drinking the dirty water.

Thanks for that suggestion.

Dave


Re: CVE 2014-0160 -- disabling the heartbeat

Michael Tuexen-4
In reply to this post by mclellan, dave
On 08 Apr 2014, at 19:19, mclellan, dave <[hidden email]> wrote:

> Hi all. There are two mitigations possible for the recently discovered Heartbleed attack.
>
> - Upgrade to 1.0.1g, released yesterday with a fix
> - Recompile a vulnerable release with -DOPENSSL_NO_HEARTBEATS
>
> Suppose we choose the latter. We might be installed into a server host in a shop with an earlier release of our software on the clients. Is it an issue if the server refuses to do heartbeats but the client expects to use them? Or is there a negotiation element that determines their shared capability WRT heartbeats?
Support is negotiated as part of the TLS handshake. So the client always has
to deal with the case that the server doesn't support it or does not
allow the client to send Heartbeats.

Best regards
Michael

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
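The negotiation Michael describes, worked through as an added example (this is not code from the thread or from OpenSSL): a minimal RFC 6520 decoder that reads the heartbeat extension (type 15) from both Hellos and reports which side may send HeartbeatRequest messages. The extension blocks are constructed samples carrying only the heartbeat extension; a server built with -DOPENSSL_NO_HEARTBEATS is modelled as one that omits the extension, which is the case the original question asks about.

```python
import struct
from typing import Dict, Optional, Tuple

# RFC 6520: ExtensionType heartbeat(15) and the two HeartbeatMode values.
HEARTBEAT_EXT_TYPE = 15
PEER_ALLOWED_TO_SEND = 1
PEER_NOT_ALLOWED_TO_SEND = 2

def parse_extensions(blob: bytes) -> Dict[int, bytes]:
    """Decode a TLS Hello extensions block (len(2), then type(2)+len(2)+data entries)."""
    if not blob:  # extensions field omitted entirely, as a pre-extension Hello may do
        return {}
    (total,) = struct.unpack_from("!H", blob, 0)
    off, end, exts = 2, 2 + total, {}
    if end != len(blob):
        raise ValueError("decode_error: extensions length mismatch")
    while off < end:
        if off + 4 > end:
            raise ValueError("decode_error: truncated extension header")
        etype, elen = struct.unpack_from("!HH", blob, off)
        off += 4
        if off + elen > end:
            raise ValueError("decode_error: extension data overruns block")
        exts[etype] = blob[off:off + elen]
        off += elen
    return exts

def heartbeat_mode(exts: Dict[int, bytes]) -> Optional[int]:
    """Peer's HeartbeatMode, or None if the extension is absent; a bad mode is illegal_parameter."""
    data = exts.get(HEARTBEAT_EXT_TYPE)
    if data is None:
        return None
    if len(data) != 1 or data[0] not in (PEER_ALLOWED_TO_SEND, PEER_NOT_ALLOWED_TO_SEND):
        raise ValueError("illegal_parameter: bad HeartbeatMode")
    return data[0]

def negotiate(client_hello_exts: bytes, server_hello_exts: bytes) -> Tuple[bool, bool]:
    """Return (client_may_send_requests, server_may_send_requests) per RFC 6520 section 2."""
    c = heartbeat_mode(parse_extensions(client_hello_exts))
    s = heartbeat_mode(parse_extensions(server_hello_exts))
    if c is None or s is None:  # not negotiated: neither side may send heartbeat messages
        return (False, False)
    # Each side's mode states what its *peer* may do, so the server's mode governs the client.
    return (s == PEER_ALLOWED_TO_SEND, c == PEER_ALLOWED_TO_SEND)

# Constructed sample extension blocks (heartbeat extension only; SNI etc. omitted).
CLIENT = bytes.fromhex("0005000f000101")               # client: peer_allowed_to_send
SERVER_ECHO = bytes.fromhex("0005000f000101")          # server echoes, allows requests
SERVER_NO_REQUESTS = bytes.fromhex("0005000f000102")   # server: peer_not_allowed_to_send
SERVER_NO_HEARTBEATS = bytes.fromhex("0000")           # built with -DOPENSSL_NO_HEARTBEATS
```

A client that receives a ServerHello without the extension must therefore not send heartbeats at all, and a client that receives `peer_not_allowed_to_send` may only answer the server's requests, never originate its own.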

Re: CVE 2014-0160 -- disabling the heartbeat

Claus Assmann
Would it be a good idea to allow disabling these extensions at
runtime (via some option)? That would minimize the impact of security
holes like this, right? Instead of having to recompile "everything"
you would "just" have to set an option (yes, I know, not every
application might have support for setting such options -- in that
case something global like openssl.cnf would help).

Re: CVE 2014-0160 -- disabling the heartbeat

Alan Buxey
But it's the apps that need these features. The app should either have the option to disable features if not needed, or be coded to not accept such extensions if it doesn't utilise them (which I believe is the correct way).

alan

RE: CVE 2014-0160 -- disabling the heartbeat

mclellan, dave
In reply to this post by Michael Tuexen-4
Thank you. In the meantime, I found RFC 6520, which explains it.

Most appreciated.
