Old habits die hard.
- Some promising news, y'all: Looks like the test might make it into OpenSSL.
https://groups.google.com/forum/#!topic/mailing.openssl.dev/k_oL10ysLUo https://groups.google.com/forum/#!topic/mailing.openssl.dev/N96KqJ6WgTs Apr 14, 2014
- You wrote "While it is easier to write the test after knowing where to look for the bug...". Actually though, RFC 6520 provides a specification for that, and it has been there since version 04 of the draft RFC: "If the payload_length of a received HeartbeatMessage is too large, the received HeartbeatMessage MUST be discarded silently." May 2, 2014
- Hi, it's funny you mention that. I made several arguments before eventually looking at the spec and realized it said exactly that.
I'm writing a much longer article now that'll come out in the next couple of weeks that includes this reference to the spec. But all the other arguments, also included in this new article, are stronger for the challenge of not having the spec to fall back on to begin with.
Also, an OpenSSL update: https://github.com/openssl/openssl/pull/81 should go in very soon. May 2, 2014
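The RFC 6520 rule quoted in the thread (a HeartbeatMessage whose payload_length is too large MUST be discarded silently), as an added example that is not part of the original thread, of OpenSSL, or of pull request 81: a small responder for the message layout in RFC 6520 section 4 that applies the bounds check before echoing the payload, plus a function that computes (without performing) how far an unchecked echo would have read past the received record. The layout and the 16-byte minimum padding come from the RFC; the function names, the zero padding and the two sample records are assumptions constructed for this example.

```c
/* Added example, not OpenSSL code. Layout per RFC 6520 section 4:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding
 * with padding of at least 16 bytes. Function names and samples are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_HDR_LEN      3     /* type + payload_length */
#define HB_MIN_PADDING  16    /* RFC 6520: padding_length MUST be at least 16 */
#define HB_REQUEST      1
#define HB_RESPONSE     2

/* Build a HeartbeatResponse echoing the request's payload into out.
 * Returns the response length, or 0 when the request must be discarded
 * (record too short, wrong type, payload_length too large, out too small). */
size_t heartbeat_respond(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    /* The header and minimum padding must fit before we read any field. */
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING)
        return 0;
    uint8_t type = rec[0];
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];   /* big-endian */
    if (type != HB_REQUEST)
        return 0;
    /* The RFC 6520 check: payload plus padding must lie inside the record.
     * Without it, the echo below would copy payload_len bytes of whatever
     * follows the record in memory. */
    if (payload_len > rec_len - HB_HDR_LEN - HB_MIN_PADDING)
        return 0;
    size_t resp_len = HB_HDR_LEN + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload_len);   /* bounded by the check above */
    memset(out + HB_HDR_LEN + payload_len, 0, HB_MIN_PADDING); /* assumed zero padding; TLS uses random bytes */
    return resp_len;
}

/* Bytes an unchecked echo would have read beyond the record for this request
 * (0 for an honest one). Only computed here, never actually read. */
size_t heartbeat_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HDR_LEN)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t available = rec_len - HB_HDR_LEN;
    return claimed > available ? claimed - available : 0;
}

/* Constructed sample records, not captured traffic. Both are 23 bytes:
 * header, 4-byte payload "ping", 16 bytes of padding. */
static const uint8_t good_req[] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Same record, but payload_length claims 0x4000 bytes (the Heartbleed shape). */
static const uint8_t evil_req[] = { HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

static uint8_t resp_buf[64];

int main(void)
{
    size_t n = heartbeat_respond(good_req, sizeof good_req, resp_buf, sizeof resp_buf);
    printf("honest request: response of %zu bytes, type %u, payload_length %u\n",
           n, resp_buf[0], (resp_buf[1] << 8) | resp_buf[2]);
    n = heartbeat_respond(evil_req, sizeof evil_req, resp_buf, sizeof resp_buf);
    printf("oversized payload_length: response of %zu bytes (discarded), "
           "unchecked echo would have over-read %zu bytes\n",
           n, heartbeat_overread(evil_req, sizeof evil_req));
    return 0;
}
```

The check is written against the received record length rather than the TLS maximum, which is the distinction that matters: a 16 KiB payload_length is a legal value in the field, but it is "too large" in the RFC's sense whenever the record that carries it is shorter than payload_length plus header plus padding.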