Hi,
With an "intentionally corrupted" tls1_heartbeat() in Openssl 1.0.2l, heart beat requests with big payloads such as 16300 or slightly more can be repeatedly sent to the server. The server, religiously responds back with such big payloads after spending its cpu on encrypting/HMAC computing on the payload in the heartbeat response messages.. I confirmed the above with s_server/s_client. The RFC doesn't say anything about this possible exploit/DOS attack. The RFC also allows such big payloads. While such payloads might be meeting some requirement (PMTU computation ?),, the frequency of such big messages (continuous repeats) must certainly be controlled. I see that this extn is disabled in openssl-master but I could see that some servers (eg yahoo) do respond to heartbeat requests which means that they are running some ssl implementation (probably Openssl) which is vulnerable to continuous repeated big HB requests. Is the problem mentioned above a problem indeed or I am missing something ? Could the solution be a restricted count of HB requests along with a timer? Thanks Jitendra -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev |
The purpose of the HEARTBEAT message is for DTLS applications to determine the maximum packet size and tune the application records accordingly. There is never any reason to use this in TCP-based TLS; that was an OpenSSL bug that enabled it there.
The usefulness of HEARTBEAT even in DTLS is probably pretty small and it is probably safer to just turn it off. Spending time and code to “protect it” is probably not worth the effort. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev |
In reply to this post by OpenSSL - Dev mailing list
On Tue, 5 Dec 2017 19:14:41 +0000 (UTC)
Jitendra Lulla via openssl-dev <[hidden email]> wrote: > Could the solution be a restricted count of HB requests along with a > timer? No, the solution is to disable TLS heartbeats. I actually wanted to bring this up when I recently noticed that OpenSSL still enables the heartbeat extension by default in every clienthello it sends. In the whole Heartbleed aftermath nobody was ever able to tell me where TLS Heartbeats are used. It's a feature in order to have a feature. -- Hanno Böck https://hboeck.de/ mail/jabber: [hidden email] GPG: FE73757FA60E4E21B937579FA5880072BBB51E42 -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev |
In reply to this post by OpenSSL - Dev mailing list
thanks Hanno and Rich.
-------------------------------------------- On Tue, 12/5/17, Hanno Böck <[hidden email]> wrote: Subject: Re: [openssl-dev] frequency and size of heartbeat requests To: [hidden email] Cc: "Jitendra Lulla" <[hidden email]> Date: Tuesday, December 5, 2017, 9:59 PM On Tue, 5 Dec 2017 19:14:41 +0000 (UTC) Jitendra Lulla via openssl-dev <[hidden email]> wrote: > Could the solution be a restricted count of HB requests along with a > timer? No, the solution is to disable TLS heartbeats. I actually wanted to bring this up when I recently noticed that OpenSSL still enables the heartbeat extension by default in every clienthello it sends. In the whole Heartbleed aftermath nobody was ever able to tell me where TLS Heartbeats are used. It's a feature in order to have a feature. -- Hanno Böck https://hboeck.de/ mail/jabber: [hidden email] GPG: FE73757FA60E4E21B937579FA5880072BBB51E42 -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev |
In reply to this post by OpenSSL - Dev mailing list
On Tue, 5 Dec 2017 19:21:50 +0000
"Salz, Rich via openssl-dev" <[hidden email]> wrote: > There is never any reason to use this in TCP-based TLS; > that was an OpenSSL bug that enabled it there. I opened an issue for this bug, so it can be fixed: https://github.com/openssl/openssl/issues/4856 -- Hanno Böck https://hboeck.de/ mail/jabber: [hidden email] GPG: FE73757FA60E4E21B937579FA5880072BBB51E42 -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev |
In reply to this post by OpenSSL - Dev mailing list
In the particular application where I used both TLS and DTLS, application-layer heartbeats were used, and it gave the app visibility into the connection status.
I agree, TLS/DTLS Heartbeats aren’t very useful.
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev |
Free forum by Nabble | Edit this page |