What are SSL heartbeats?

Asked 10/4, 2014 at 15:16 Answered 10/4, 2014 at 21:9

Solved apache ssl openssl heartbleed-bug

With all the chatter going on about the heartbleed bug, it's hard to find information on what exactly the exploited heartbeat extension for OpenSSL is used for.

Also, is it possible to disable it for Apache w/ mod_ssl without recompling with the -DOPENSSL_NO_HEARTBEATS flag as suggested @ http://heartbleed.com/?

Sinusoidal answered 10/4, 2014 at 15:16 Comment(3)

xkcd.com/1354 – Stutz 11/4, 2014 at 13:47

@Stutz Hah that seems to pretty much sum it up, thanks! Makes me wonder though why they don't just enforce a constant size and instead decided to allow the user to specify a size. – Sinusoidal 11/4, 2014 at 15:51

Why the user is allowed to specify a size: security.stackexchange.com/questions/55606/… – Sinusoidal 17/4, 2014 at 20:35

Heartbeat is an echo functionality where either side (client or server) requests that a number of bytes of data that it sends to the other side be echoed back. The idea appears to be that this can be used as a keep-alive feature, with the echo functionality presumably meant to allow verifying that both ends continue to correctly handle encryption and decryption. The problem, of course, is that until the recent patch, OpenSSL did not guard against sending back more data than was provided in the first place. I'm not really aware of where the heartbeat extension is actually used in an application since most communication that requires it (e.g. websockets) rely on their own keep-alive features implemented on a higher level.

I can't answer your second question---but it would surprise me if the answer was yes.

Evocator answered 10/4, 2014 at 15:29 Comment(4)

pyramids is there any way to contact you privately? – Midas 1/8, 2016 at 19:16

@Midas No, I guess there is no way to contact me privately on here (I don't want to post my contact details publicly and the site doesn't want to implement private messaging, see this answer). I'd be happy to ask you what it is about, though, if there is a way to contact you...? – Evocator 2/8, 2016 at 8:11

yeah try me on twitter with the same handle, it's about an old post of yours that I wanted to ask if you're still interested in – Midas 2/8, 2016 at 17:31

@pyramids I'm trying to contact you as well, likely about the same post. Could you reach out to me via e-mail at jd (dot) dallago (at) gmail (dot) com? Or on Twitter @_jayd3e. I could give you more info there. – Induction 17/8, 2017 at 23:33

Try this for info on heart beats: http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html

I'm not really an apache guy, I gather that the flag works but that there may be a performance hit. The advice is to recompile. Also talk to your devs about sending emails, you may want to consider asking your users to change their passwords - just to be on the safe side. I've had a couple of services email like that already

Indiaindiaman answered 10/4, 2014 at 15:27 Comment(0)

You can find all the details on the TLS and the DTLS Heartbeat extension by reading RFC6520: https://www.rfc-editor.org/rfc/rfc6520.

Stlaurent answered 10/4, 2014 at 21:9 Comment(0)

Recommended topics

Hot tags