[openssl-dev] frequency and size of heartbeat requests

Hanno Böck hanno at hboeck.de
Tue Dec 5 21:59:56 UTC 2017


On Tue, 5 Dec 2017 19:14:41 +0000 (UTC)
Jitendra Lulla via openssl-dev <openssl-dev at openssl.org> wrote:

> Could the solution be a restricted count of HB requests along with a
> timer? 

No, the solution is to disable TLS heartbeats.
I actually wanted to bring this up when I recently noticed that OpenSSL
still enables the heartbeat extension by default in every clienthello
it sends.

In the whole Heartbleed aftermath nobody was ever able to tell me where
TLS Heartbeats are used. It's a feature in order to have a feature.


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
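
A passive check for the behaviour discussed in the message above, added here as an example (not code from the post or from OpenSSL): it parses a captured TLS ClientHello and reports whether it offers the heartbeat extension (type 15, RFC 6520) and in which mode. It assumes the ClientHello fits in one TLS record; `heartbeat_mode` and `build_hello` are hypothetical names, and the sample hello is constructed.

```python
import struct

HEARTBEAT_EXT = 15  # extension type assigned by RFC 6520
MODES = {1: "peer_allowed_to_send", 2: "peer_not_allowed_to_send"}

def _take(buf, off, n):
    """Return (n bytes, new offset), refusing to read past the buffer."""
    if off + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[off:off + n], off + n

def heartbeat_mode(record):
    """Return the advertised heartbeat mode name, or None if not offered."""
    hdr, off = _take(record, 0, 5)
    ctype, _version, rlen = struct.unpack("!BHH", hdr)
    if ctype != 22:
        raise ValueError("not a handshake record")
    body, _ = _take(record, off, rlen)
    hs, off = _take(body, 0, 4)
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    hello, _ = _take(body, off, int.from_bytes(hs[1:], "big"))
    _, off = _take(hello, 0, 2 + 32)         # client_version + random
    for width in (1, 2, 1):                  # session_id, cipher_suites, compression
        ln, off = _take(hello, off, width)
        _, off = _take(hello, off, int.from_bytes(ln, "big"))
    if off == len(hello):
        return None                          # no extensions block at all
    ln, off = _take(hello, off, 2)
    exts, _ = _take(hello, off, int.from_bytes(ln, "big"))
    off = 0
    while off < len(exts):
        head, off = _take(exts, off, 4)
        etype, elen = struct.unpack("!HH", head)
        data, off = _take(exts, off, elen)
        if etype == HEARTBEAT_EXT:
            if len(data) != 1:
                raise ValueError("malformed heartbeat extension")
            return MODES.get(data[0], "unknown(%d)" % data[0])
    return None

def build_hello(extensions):
    """Constructed sample: minimal TLS 1.2 ClientHello with (type, data) extensions."""
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A return value of `None` means the client did not offer heartbeats at all; either mode name means the extension is still being advertised.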

