What are SSL heartbeats?

user193130 picture user193130 · Apr 10, 2014 · Viewed 15.2k times · Source

With all the chatter going on about the heartbleed bug, it's hard to find information on what exactly the exploited heartbeat extension for OpenSSL is used for.

Also, is it possible to disable it for Apache w/ mod_ssl without recompling with the -DOPENSSL_NO_HEARTBEATS flag as suggested @ http://heartbleed.com/?

Answer

pyramids picture pyramids · Apr 10, 2014

Heartbeat is an echo functionality where either side (client or server) requests that a number of bytes of data that it sends to the other side be echoed back. The idea appears to be that this can be used as a keep-alive feature, with the echo functionality presumably meant to allow verifying that both ends continue to correctly handle encryption and decryption. The problem, of course, is that until the recent patch, OpenSSL did not guard against sending back more data than was provided in the first place. I'm not really aware of where the heartbeat extension is actually used in an application since most communication that requires it (e.g. websockets) rely on their own keep-alive features implemented on a higher level.

I can't answer your second question---but it would surprise me if the answer was yes.