Compile Flags vs Configuration Options - TLS Heartbeat

In case you missed it - an OpenSSL vulnerability in the implementation of the TLS Heartbeat Extension (CVE-2014-0160, "Heartbleed") has been making the rounds. One of the possible mitigation steps is to recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS option to disable the vulnerable extension.

Why does a system administrator have to recompile the library to disable an extension? Why isn't there a configuration option? That would have made a short-term remediation much easier. My best guess is that this is a high-performance library and, as a library, it by its nature does not have a configuration file as services do. Searching through the Apache mod_ssl and Nginx HttpSslModule documentation, I didn't see anything that would allow me to disable the Heartbeat functionality via configuration.

To clarify, everyone affected needs to revoke and replace affected SSL certificates. The primary problem here is that the vulnerability allowed anyone to pull up to 64 KB of application memory per request from a vulnerable server. This could have easily been addressed with a configuration option. Having to revoke and replace SSL certificates is a secondary consequence of this vulnerability, among other concerns with regards to what type of data (usernames, passwords, session info.) could have been leaked from application memory.

To clarify - by configuration I don't mean the configuration when compiling OpenSSL. For instance, with Apache mod_ssl I can configure a range of options that affect SSL, such as the cipher suites available.
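The following is an added example, not code from the original post: it carries out the compile-time mitigation mentioned above and then checks that it actually took effect, first by confirming the define was recorded in the resulting binary and then by inspecting which TLS extensions a server still sends back. The source tree path, the install prefix and the hostname are placeholders, and the -tlsextdebug sample output is constructed rather than captured from a real host.

```sh
#!/bin/sh
# Added example, not from the original post: apply the compile-time
# mitigation (-DOPENSSL_NO_HEARTBEATS) and verify it, since there is no
# runtime configuration directive to turn the heartbeat extension off.
# Assumptions (not from the post): the caller supplies an OpenSSL 1.0.1
# source tree and an install prefix; hostnames below are placeholders.
set -eu

# Step 1: bake the define into the build. Everything linked against this
# libssl loses the heartbeat code; services must be restarted to pick it up.
build_without_heartbeats() {
    srcdir=$1
    prefix=$2
    (
        cd "$srcdir"
        ./config --prefix="$prefix" shared -DOPENSSL_NO_HEARTBEATS
        make depend
        make
        make install
    )
}

# Step 2: the define is recorded in the binary; "openssl version -f" prints
# the compiler flags used for the build, so the flag should show up there.
built_without_heartbeats() {
    prefix=$1
    "$prefix/bin/openssl" version -f | grep -q -- '-DOPENSSL_NO_HEARTBEATS'
}

# Text filter: exit 0 if s_client -tlsextdebug output lists the heartbeat
# extension (TLS extension type 15), exit 1 otherwise. Kept separate from
# the network call so it can be exercised on saved output.
heartbeat_in_tlsext_output() {
    grep -q 'TLS server extension "heartbeat" (id=15)'
}

# Step 3: ask a live server which extensions it sends back in ServerHello.
# A build with heartbeats compiled out stops advertising id=15. A patched
# 1.0.1g build still advertises it, so this confirms the compile-out took
# effect; it does not by itself say whether the server is vulnerable.
server_advertises_heartbeat() {
    host=$1
    port=${2:-443}
    printf 'Q\n' | openssl s_client -connect "$host:$port" -tlsextdebug 2>/dev/null |
        heartbeat_in_tlsext_output
}

# Constructed samples of -tlsextdebug output (not captured from a real host),
# so the filter can be tried offline:
SAMPLE_HEARTBEAT_ON='TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "heartbeat" (id=15), len=1
0000 - 01                                                .'
SAMPLE_HEARTBEAT_OFF='TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "session ticket" (id=35), len=0'

# Usage (needs the source tree and a reachable host):
#   build_without_heartbeats ./openssl-1.0.1f /opt/openssl-nohb
#   built_without_heartbeats /opt/openssl-nohb && echo "flag recorded"
#   server_advertises_heartbeat www.example.com && echo "still advertised"
```

Two caveats for anyone using this as the stopgap the post describes: the define only affects binaries linked against the rebuilt libssl, so every service that loaded the old library has to be restarted (or relinked) before the check in step 3 changes; and the longer-term fix is upgrading to a release with the bounds check (1.0.1g or later) rather than carrying a custom build, since a patched library still advertises the extension and is not vulnerable.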