From: Ralf
Date: Fri, 11 Apr 2014 01:42:34 +0200
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: 'Heartbleed' bug
Message-ID: <53472C6A.2050209@ramses-pyramidenbau.de>
References: <20140410000635.GB9729@syscon7.ed.shawcable.net>
Hi,

On 04/11/2014 12:55 AM, walt wrote:
> Steve Gibson explained that the heartbeat feature was introduced in openssl to
> allow *UDP* connections to mimic the 'keepalive' function of the TCP protocol.
>
> IIRC Steve didn't explain how UDP bugs can compromise TCP connections.
>
> Anyone here really understand the underlying principles?  If so, please explain!
Yes, a TCP connection is stateful, so IMHO heartbeat is not necessary.

But you don't always speak "UDP" or "TCP".
Imagine some sort of direct connection without any type of transportation layer.

As a generic cryptographic library, OpenSSL is designed to be adaptable and universal. That broke OpenSSL's neck.

We can only hope that the heartbeat exploit was not widely used before they published that zero-day.
But we can be sure that this is not going to be the last vulnerability of this kind.

Regards
  Ralf
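The question in this thread is how a bug in the heartbeat extension can expose a TLS connection no matter which transport carries it. The following C program is an added example, not part of the original message and not OpenSSL's own source. It models a heartbeat record as RFC 6520 defines it (one type byte, a two-byte big-endian payload length, the payload, and at least 16 bytes of padding), handled first the way tls1_process_heartbeat() did before OpenSSL 1.0.1g and then with the record-length check that release added. The simulated process memory, the "ping" payload, the claimed length of 64 and the secret string are all constructed for the example; nothing in the leak depends on UDP versus TCP, only on the peer-supplied length being trusted over the length of the record that actually arrived.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16       /* minimum padding required by RFC 6520 */
#define MEM_SIZE     128

/* Simulated process memory (constructed for this example): the incoming
 * heartbeat record is written at offset 0 and a made-up secret follows it,
 * the way unrelated heap data sits next to a real record buffer. */
unsigned char process_mem[MEM_SIZE];
const char secret[] = "SECRET:session-key-0x1234";

/* Output buffer shared by the two handlers so the result can be inspected. */
unsigned char response[256];
size_t response_len;

/* Write a heartbeat request into process_mem:
 *   type(1) | payload_length(2, big-endian) | payload | padding(16)
 * The real payload is "ping" (4 bytes); claimed_len is whatever the peer
 * puts in the length field and may exceed the real payload.
 * The secret is copied directly after the record. Returns the true record length. */
size_t setup_memory(uint16_t claimed_len) {
    static const unsigned char payload[4] = { 'p', 'i', 'n', 'g' };
    size_t rec_len = 1 + 2 + sizeof payload + HB_PADDING;   /* 23 bytes */

    memset(process_mem, 0, sizeof process_mem);
    process_mem[0] = HB_REQUEST;
    process_mem[1] = (unsigned char)(claimed_len >> 8);
    process_mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(process_mem + 3, payload, sizeof payload);
    /* padding bytes are already zero; place the secret just past the record */
    memcpy(process_mem + rec_len, secret, sizeof secret - 1);
    return rec_len;
}

/* Vulnerable handler, shaped like tls1_process_heartbeat() before 1.0.1g:
 * the payload length comes from the peer and is never compared with the
 * length of the record that was actually received. */
int hb_process_vulnerable(const unsigned char *rec, size_t rec_len,
                          unsigned char *resp, size_t *resp_len) {
    const unsigned char *p = rec;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    (void)rec_len;                          /* the bug: rec_len is never consulted */

    if (type != HB_REQUEST) return -1;

    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, p, payload);           /* reads past the end of the record */
    memset(resp + 3 + payload, 0, HB_PADDING);
    *resp_len = 3 + payload + HB_PADDING;
    return 0;
}

/* Fixed handler: the two length checks OpenSSL 1.0.1g added. */
int hb_process_fixed(const unsigned char *rec, size_t rec_len,
                     unsigned char *resp, size_t *resp_len) {
    const unsigned char *p = rec;
    unsigned char type;
    uint16_t payload;

    if (rec_len < 1 + 2 + HB_PADDING) return -1;   /* too short to be a heartbeat */
    type = *p++;
    payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;   /* discard silently */

    if (type != HB_REQUEST) return -1;

    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, p, payload);           /* now guaranteed to stay inside the record */
    memset(resp + 3 + payload, 0, HB_PADDING);
    *resp_len = 3 + payload + HB_PADDING;
    return 0;
}

/* Returns 1 if the secret shows up in the response produced by `handler`. */
int leaks_secret(int (*handler)(const unsigned char *, size_t, unsigned char *, size_t *),
                 uint16_t claimed_len) {
    size_t rec_len = setup_memory(claimed_len);
    size_t i;
    if (handler(process_mem, rec_len, response, &response_len) != 0) return 0;
    for (i = 0; i + sizeof secret - 1 <= response_len; i++)
        if (memcmp(response + i, secret, sizeof secret - 1) == 0) return 1;
    return 0;
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", leaks_secret(hb_process_vulnerable, 64));
    printf("fixed handler leaks secret:      %d\n", leaks_secret(hb_process_fixed, 64));
    return 0;
}
```

The over-read here stays inside the simulated buffer so the program is safe to run; in the real library the same memcpy walked into whatever heap memory followed the record, up to 64 KiB per request, which is why the length check against the received record, and not the transport underneath, is the whole fix.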