1 |
On Thu, Apr 10, 2014 at 03:55:47PM -0700, walt wrote: |
2 |
> On 04/09/2014 05:06 PM, Joseph wrote: |
3 |
> > Is gentoo effected by this new 'Heartbleed' bug? |
4 |
> > |
5 |
> > "The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library...." |
6 |
> > |
7 |
> > http://heartbleed.com/ |
8 |
> |
9 |
> This topic was discussed in my favorite podcast, http://twit.tv/sn |
10 |
> |
11 |
> Steve Gibson explained that the heartbeat feature was introduced in openssl to |
12 |
> allow *UDP* connections to mimic the 'keepalive' function of the TCP protocol. |
13 |
> |
14 |
> IIRC Steve didn't explain how UDP bugs can compromise TCP connections. |
15 |
> |
16 |
> Anyone here really understand the underlying principles? If so, please explain! |
17 |
> |
18 |
> Thanks. |
19 |
|
20 |
Yes, but no, actually. It's main use is in DTLS, over UDP and similar |
21 |
protocols, however it is also supported in TLS (over TCP). From the RFC |
22 |
[0]: |
23 |
|
24 |
DTLS is designed to secure traffic running on top of unreliable |
25 |
transport protocols. Usually, such protocols have no session |
26 |
management. The only mechanism available at the DTLS layer to figure |
27 |
out if a peer is still alive is a costly renegotiation, particularly |
28 |
when the application uses unidirectional traffic[...] |
29 |
|
30 |
TLS is based on reliable protocols, but there is not necessarily a |
31 |
feature available to keep the connection alive without continuous |
32 |
data transfer. |
33 |
|
34 |
The Heartbeat Extension as described in this document overcomes these |
35 |
limitations. |
36 |
|
37 |
So the heartbeat in [D]TLS, as implemented in OpenSSL, is |
38 |
standard-compliant. It's more useful in datagram communication (i.e. UDP, |
39 |
connectionless) but it is available for connection-oriented protocols |
40 |
(i.e. TCP), as well. It was the TLS heartbeat-implementation that |
41 |
suffered from this vulnerability. You can see the patch-fix here[1], if |
42 |
you're interested. |
43 |
|
44 |
[0] https://tools.ietf.org/html/rfc6520 |
45 |
[1] |
46 |
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3 |