[gnutls-devel] An (historical) heartbeat.c issue more relevant to Heartbleed
Nikos Mavrogiannopoulos
nmav at gnutls.org
Sat Apr 12 09:00:08 CEST 2014
On Sat, Apr 12, 2014 at 8:37 AM, Peter Dettman
<peter.dettman at bouncycastle.org> wrote:
> The previous commit also introduced the ability to disable heartbeats when
> building, but AFAICT, they remained enabled by default. At a cursory
> analysis, the affected releases are/were: 3.1.7, 3.1.8, 3.1.9, 3.1.10. Those
> presently scouring their logs for evidence of the Heartbleed attack in the
> wild may need to take this into account.
Hello,
I have not yet checked in detail, but note that heartbeats, even if
compiled into gnutls, remain disabled by default unless an
application explicitly enables them. Given that there is no need for
heartbeats in TLS, I doubt that there is any application enabling them.
So it seems that these versions of gnutls are usable/broken with respect
to heartbeats, and if anyone had used this broken version of
gnutls to debug openssl heartbeats, he may have uncovered the bug :)
regards,
Nikos