frequency and size of heartbeat requests

Hi,

With  an "intentionally corrupted" tls1_heartbeat() in Openssl 1.0.2l, heart beat requests with big payloads such as 16300 or slightly more can be repeatedly sent to the server.

The server, religiously responds back with such big payloads after spending its cpu on encrypting/HMAC computing on the payload in the heartbeat response messages..

I confirmed the above with s_server/s_client.

The RFC doesn't say anything about this possible exploit/DOS attack.
The RFC also allows such big payloads.

While such payloads might be meeting some requirement (PMTU computation ?),, the frequency of such big messages (continuous repeats) must certainly be controlled.

I see that this extn is disabled in openssl-master but I could see that some servers (eg yahoo) do respond to heartbeat requests which means that they are running some ssl implementation (probably Openssl) which is vulnerable to continuous repeated big HB requests.


Is the problem mentioned above a problem indeed or I am missing something ?

Could the solution be a restricted count of HB requests along with a timer?

Thanks
Jitendra



--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

The purpose of the HEARTBEAT message is for DTLS applications to determine the maximum packet size and tune the application records accordingly. There is never any reason to use this in TCP-based TLS; that was an OpenSSL bug that enabled it there.

The usefulness of HEARTBEAT even in DTLS is probably pretty small and it is probably safer to just turn it off. Spending time and code to “protect it” is probably not worth the effort.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

On Tue, 5 Dec 2017 19:14:41 +0000 (UTC)
Jitendra Lulla via openssl-dev <[hidden email]> wrote:

> Could the solution be a restricted count of HB requests along with a
> timer?

No, the solution is to disable TLS heartbeats.
I actually wanted to bring this up when I recently noticed that OpenSSL
still enables the heartbeat extension by default in every clienthello
it sends.

In the whole Heartbleed aftermath nobody was ever able to tell me where
TLS Heartbeats are used. It's a feature in order to have a feature.


--
Hanno Böck
https://hboeck.de/

mail/jabber: [hidden email]
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

thanks Hanno and Rich.

--------------------------------------------
On Tue, 12/5/17, Hanno Böck <[hidden email]> wrote:

 Subject: Re: [openssl-dev] frequency and size of heartbeat requests
 To: [hidden email]
 Cc: "Jitendra Lulla" <[hidden email]>
 Date: Tuesday, December 5, 2017, 9:59 PM
 
 On Tue, 5 Dec 2017 19:14:41 +0000
 (UTC)
 Jitendra Lulla via openssl-dev <[hidden email]>
 wrote:
 
 > Could the
 solution be a restricted count of HB requests along with
 a
 > timer?
 
 No, the solution is to disable TLS
 heartbeats.
 I actually wanted to bring this
 up when I recently noticed that OpenSSL
 still enables the heartbeat extension by
 default in every clienthello
 it sends.
 
 In the whole Heartbleed
 aftermath nobody was ever able to tell me where
 TLS Heartbeats are used. It's a feature in
 order to have a feature.
 
 
 --
 Hanno
 Böck
 https://hboeck.de/
 
 mail/jabber: [hidden email]
 GPG:
 FE73757FA60E4E21B937579FA5880072BBB51E42
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

On Tue, 5 Dec 2017 19:21:50 +0000
"Salz, Rich via openssl-dev" <[hidden email]> wrote:

> There is never any reason to use this in TCP-based TLS;
> that was an OpenSSL bug that enabled it there.

I opened an issue for this bug, so it can be fixed:
https://github.com/openssl/openssl/issues/4856

--
Hanno Böck
https://hboeck.de/

mail/jabber: [hidden email]
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

In the particular application where I used both TLS and DTLS, application-layer heartbeats were used, and it gave the app visibility into the connection status.
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev