Ticket metadata
The Basics
Id: 2658
Status: resolved
Priority: 0
Queue: OpenSSL-Bugs

Custom Fields
Milestone: (no value)
Subsystem: (no value)
Severity: (no value)
Broken in: (no value)

People
Owner: Stephen Henson
Requestors: Robin Seggelmann
Cc:
AdminCc:

Dates
Created: Thu Dec 15 20:04:56 2011
Starts: Not set
Started: Not set
Last Contact: Mon Dec 26 19:25:04 2011
Due: Not set
Closed: Wed Aug 27 03:32:21 2014
Updated: Wed Aug 27 03:32:21 2014 by Rich Salz



Subject: [PATCH] Add TLS/DTLS Heartbeats
Date: Thu, 15 Dec 2011 17:00:59 +0100
To: rt@openssl.org
From: Robin Seggelmann <seggelmann@fh-muenster.de>
This patch adds TLS/DTLS Heartbeats, as described in tools.ietf.org/html/draft-ietf-tls-dtls-heartbeat

Heartbeats can be sent any time when no handshake is in progress to check the availability of the peer. The retransmission feature of DTLS is used to repeat lost Heartbeats. If no response is received, the peer is considered unavailable and an SSL timeout error occurs. Heartbeats can be sent with SSL_heartbeat() and SSL_heartbeat_pending() can be used to check if one is still in flight. The option SSL_OP_NO_HB_REQUEST can be set to not allow the peer to send HeartbeatRequests, which is useful for devices powered with a battery.

This is a preliminary version, because the IANA has not yet assigned the necessary numbers for the Heartbeat protocol and the Hello extensions.

Best regards
Robin
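As an added example, not code from the submitted patch or from OpenSSL: a minimal parser and response builder for the HeartbeatMessage format the referenced draft defines (a type byte, a 16-bit payload_length, the payload, then at least 16 bytes of padding), as later published in RFC 6520. The function names, the zeroed padding and the constructed inputs are this example's own assumptions; the point it shows is that payload_length read off the wire is bounded against the bytes actually received before the payload is echoed back.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* HeartbeatMessage layout per the referenced draft (published as RFC 6520):
 * 1-byte type (1 = request, 2 = response), 2-byte big-endian payload_length,
 * payload_length bytes of payload, then at least 16 bytes of random padding. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Parse one heartbeat record body. Returns 1 and sets *type, *payload and
 * *payload_len on success, 0 if the message must be silently discarded
 * (unknown type, or a payload_length that does not fit in the record). */
int hb_parse(const uint8_t *rec, size_t rec_len, uint8_t *type,
             const uint8_t **payload, size_t *payload_len)
{
    size_t plen;
    if (rec_len < 1 + 2 + HB_MIN_PADDING)       /* header + padding missing */
        return 0;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return 0;
    plen = ((size_t)rec[1] << 8) | rec[2];
    /* payload_length comes off the wire: bound it by what was received,
     * leaving room for the minimum padding, before trusting it. */
    if (plen > rec_len - 3 - HB_MIN_PADDING)
        return 0;
    *type = rec[0];
    *payload = rec + 3;
    *payload_len = plen;
    return 1;
}

/* Build a HeartbeatResponse echoing an already-validated request payload.
 * Returns bytes written, or 0 if out is too small. Padding is zeroed here
 * for determinism; a real implementation fills it with random bytes. */
size_t hb_build_response(const uint8_t *payload, size_t payload_len,
                         uint8_t *out, size_t out_len)
{
    size_t need = 3 + payload_len + HB_MIN_PADDING;
    if (payload_len > 0xffff || out_len < need)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)payload_len;
    memcpy(out + 3, payload, payload_len);
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING);
    return need;
}
```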
Download dtls-tls-heartbeats-1.0.1.patch
application/octet-stream 25.8k


Subject: Re: [openssl.org #2658] [PATCH] Add TLS/DTLS Heartbeats
Date: Tue, 20 Dec 2011 12:49:57 +0100
To: rt@openssl.org
From: Robin Seggelmann <seggelmann@fh-muenster.de>
Here is an updated version with the numbers for the Heartbeat Protocol and the Hello Extension assigned by IANA.

Best regards
Robin

Download dtls-tls-heartbeats-1.0.1.patch
application/octet-stream 25.7k


Subject: Re: [openssl.org #2658] [PATCH] Add TLS/DTLS Heartbeats
Date: Fri, 23 Dec 2011 09:04:48 +0100
To: rt@openssl.org
From: Robin Seggelmann <seggelmann@fh-muenster.de>
Updated version with fewer defines and without breaking binary compatibility.

Best regards
Robin
Download dtls-tls-heartbeats-1.0.1.patch
application/octet-stream 25.7k


> [seggelmann@fh-muenster.de - Fri Dec 23 09:04:52 2011]:
>
> Updated version with fewer defines and without breaking binary
> compatibility.
>

Thank you. We've only got one SSL_OP flag left. Would it be possible to
use an alternative to SSL_OP_NO_HB_REQUEST? For example a ctrl and using
a bit in s->tlsext_heartbeat?

In ssl_parse_serverhello_tlsext(), if the heartbeat extension is absent,
should s->tlsext_heartbeat be set to an appropriate value?

Reading through the draft specification it isn't clear to me how the
heartbeat extension interacts with sessions. Section 2 does say "This
decision can be changed with every renegotiation." but it isn't clear
how resumed sessions are treated.

In other words for a resumed session should the heartbeat extension in
the client hello be recognised or should the value from the initial
session be used? If the latter then the heartbeat value from the
original session needs to be stored in the SSL_SESSION structure.

Minor code nitpick. There are several unnecessary "& 0xff" operations in
the patch for fields which can never exceed 0xff or which are always
less than 0xff (e.g. data[0], 0x02)

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Subject: Re: [openssl.org #2658] [PATCH] Add TLS/DTLS Heartbeats
Date: Tue, 27 Dec 2011 18:26:36 +0100
To: rt@openssl.org
From: Robin Seggelmann <seggelmann@fh-muenster.de>
Download (untitled) / with headers
text/plain 314b
New version with fewer binary operations.

SSL_OP_NO_HB_REQUEST is replaced with SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS and the alias SSL_set_tlsext_heartbeat_no_requests(ssl, arg).

SSL_heartbeat_pending(ssl) is replaced with SSL_get_tlsext_heartbeat_pending(ssl) for consistency's sake.

Best regards
Robin
Download dtls-tls-heartbeats-1.0.1.patch
application/octet-stream 26.7k


Subject: Re: [openssl.org #2658] [PATCH] Add TLS/DTLS Heartbeats
Date: Wed, 28 Dec 2011 00:23:39 +0100
To: rt@openssl.org
From: Robin Seggelmann <seggelmann@fh-muenster.de>
Remove more unnecessary binary operations.

Best regards
Robin
Download dtls-tls-heartbeats-1.0.1.patch
application/octet-stream 26.7k


Subject: Re: [openssl.org #2658] [PATCH] Add TLS/DTLS Heartbeats
Date: Fri, 30 Dec 2011 12:19:39 +0100
To: rt@openssl.org
From: Robin Seggelmann <seggelmann@fh-muenster.de>
Download (untitled) / with headers
text/plain 144b
A new version with auto-generated error codes (instead of adding them manually) and improved extension state initialization.

Best regards
Robin
Download dtls-tls-heartbeats-1.0.1.patch
application/octet-stream 28k


no comment.