What are SSL heartbeats?

With all the chatter going on about the heartbleed bug, it's hard to find information on what exactly the exploited heartbeat extension for OpenSSL is used for.

Also, is it possible to disable it for Apache w/ mod_ssl without recompiling with the -DOPENSSL_NO_HEARTBEATS flag as suggested @ http://heartbleed.com/?

user193130 asked Apr 10 '14 15:04




1 Answer

Heartbeat is an echo functionality where either side (client or server) requests that a number of bytes of data that it sends to the other side be echoed back. The idea appears to be that this can be used as a keep-alive feature, with the echo functionality presumably meant to allow verifying that both ends continue to correctly handle encryption and decryption. The problem, of course, is that until the recent patch, OpenSSL did not guard against sending back more data than was provided in the first place. I'm not really aware of where the heartbeat extension is actually used in an application, since most communication that requires it (e.g. websockets) relies on its own keep-alive features implemented at a higher level.

I can't answer your second question---but it would surprise me if the answer was yes.

pyramids answered Sep 18 '22 21:09

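The echo behaviour and the missing length guard described in the answer, as an added example that is not code from the original post or from OpenSSL: a minimal RFC 6520 heartbeat responder in C that applies the bounds check the unpatched versions lacked. The message layout follows RFC 6520 (type, 16-bit payload_length, payload, at least 16 bytes of padding); the function names and the sample messages are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520 requires at least 16 bytes of padding */

/* Build a HeartbeatResponse for the received record `rec` of `rec_len` bytes
 * into `out` (capacity `out_cap`). Returns the response length, or -1 if the
 * record is malformed, including the Heartbleed case where the claimed
 * payload_length exceeds the bytes actually received. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)   /* header plus minimum padding */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The guard missing before the fix: the claimed payload must fit inside
     * what was received, otherwise the memcpy below reads past the record. */
    if (1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1;
    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)payload_len;
    memcpy(out + 3, rec + 3, payload_len);        /* echo exactly payload_len bytes */
    memset(out + 3 + payload_len, 0, HB_PADDING); /* real code uses random padding */
    return (int)resp_len;
}

/* Constructed sample: a well-formed request carrying the 5-byte payload "hello". */
int demo_valid(void)
{
    uint8_t req[1 + 2 + 5 + HB_PADDING] = {HB_REQUEST, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[64];
    int n = heartbeat_respond(req, sizeof req, out, sizeof out);
    if (n != 24 || out[0] != HB_RESPONSE || memcmp(out + 3, "hello", 5) != 0)
        return -2;
    return n;
}

/* Constructed sample: a record that claims 0x4000 payload bytes but carries 5.
 * A patched responder must refuse it instead of copying memory it never received. */
int demo_overlength(void)
{
    uint8_t bad[24] = {HB_REQUEST, 0x40, 0x00, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[64];
    return heartbeat_respond(bad, sizeof bad, out, sizeof out);
}
```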