[TLS] rfc 6520 TLS heartbeat feature

Jitendra Lulla <lullajd@yahoo.com> Wed, 06 December 2017 05:05 UTC

Date: Wed, 06 Dec 2017 05:05:52 +0000
From: Jitendra Lulla <lullajd@yahoo.com>
Reply-To: Jitendra Lulla <lullajd@yahoo.com>
To: tls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1VXN0mrj3sKlOJLw96FM7Fz95bE>
Subject: [TLS] rfc 6520 TLS heartbeat feature

Hi,

As TLS 1.3 is being worked upon, older work like RFC 6520 and any enhancements to it may not be as important.

Also, the TLS heartbeat feature in particular, which has become famous for the wrong reasons, is disabled by SSL implementations, e.g. OpenSSL.

I tried to uncover an issue pertaining to the heartbeat messages here:

https://www.mail-archive.com/openssl-dev@openssl.org/msg47273.html

Experts struggle to find any significant use of this feature for both TLS and DTLS.

I am planning to propose enhancements which will include restricted issuance of the heartbeat requests (w.r.t. size and frequency) to avoid the exploit mentioned in the link above. A stronger standard will trigger bug/vulnerability-free implementations.

I would like to know whether enhancements to this RFC are welcome, or whether it is there to be abandoned completely.

In other words, is it worth spending time?

Thanks
Jitendra
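The size and frequency restriction proposed in the message above, as an added example that is not code from the email, from OpenSSL or from RFC 6520: a defensive parser for the RFC 6520 HeartbeatMessage that trusts only the bytes actually received when honouring payload_length (the check whose absence made the linked exploit possible) and a per-peer sliding-window cap on accepted HeartbeatRequests. The 1024-byte payload cap, the window parameters and all helper names are assumptions.

```python
import struct
from collections import defaultdict, deque

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 section 4: padding is at least 16 bytes


def build_heartbeat(msg_type, payload, padding=b"\x00" * MIN_PADDING):
    """Encode a HeartbeatMessage: type(1) | payload_length(2) | payload | padding."""
    return bytes([msg_type]) + struct.pack("!H", len(payload)) + payload + padding


def parse_heartbeat(record, max_payload=1024):
    """Parse one heartbeat record body. Returns (type, payload), or None when the
    message must be silently discarded (RFC 6520 section 4). max_payload is an
    assumed local policy cap, tighter than the record-size limit in the RFC."""
    if len(record) < 3 + MIN_PADDING:
        return None
    msg_type = record[0]
    (payload_length,) = struct.unpack("!H", record[1:3])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    # Bound the claimed length by what arrived: payload plus at least 16 bytes
    # of padding must fit inside the received record, never beyond it.
    if payload_length > max_payload or 3 + payload_length + MIN_PADDING > len(record):
        return None
    return msg_type, record[3:3 + payload_length]


class HeartbeatRateLimiter:
    """Sliding-window cap on HeartbeatRequests accepted per peer (assumed policy)."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.seen = defaultdict(deque)  # peer -> timestamps of accepted requests

    def allow(self, peer, now):
        q = self.seen[peer]
        while q and now - q[0] >= self.window:  # drop entries outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def handle_request(record, peer, now, limiter, max_payload=1024):
    """Responder side: return HeartbeatResponse bytes, or None if the request is
    discarded (malformed, oversized, wrong type, or over the per-peer rate cap)."""
    parsed = parse_heartbeat(record, max_payload)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST or not limiter.allow(peer, now):
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, parsed[1])  # echo only validated bytes
```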