Re: [TLS] DTLS RRC and heartbeat

Hanno Böck <> Thu, 21 October 2021 14:30 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 62C163A172A for <>; Thu, 21 Oct 2021 07:30:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 2.685
X-Spam-Level: **
X-Spam-Status: No, score=2.685 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FSL_BULK_SIG=1.774, RAZOR2_CF_RANGE_51_100=1.886, RAZOR2_CHECK=0.922, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UIQ_f6fUCFbE for <>; Thu, 21 Oct 2021 07:30:32 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 86B173A175E for <>; Thu, 21 Oct 2021 07:30:31 -0700 (PDT)
Date: Thu, 21 Oct 2021 16:30:27 +0200
From: Hanno Böck <>
Message-ID: <20211021163027.2dd6c9a5@computer>
In-Reply-To: <>
References: <>
X-Mailer: Claws Mail 3.18.0 (GTK+ 2.24.33; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [TLS] DTLS RRC and heartbeat
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 21 Oct 2021 14:30:44 -0000

On Thu, 21 Oct 2021 10:35:54 +0100
Thomas Fossati <> wrote:

> One problem is - as Hannes put it - that heartbeat has a "somewhat
> tricky history", making its marketing a slightly intricate operation,
> and the code reuse story a bit more complicated than desired (see for
> example [3]).

I think there were a few things that went spectacularly wrong with the
original heartbeat extension. Some of them are implementation issues
(like merging code without proper review and testing), but others are in
the spec itself.

I think this boils down to two things that added unnecessary
complexity, which is always bad in security:
1. The use cases were all UDP, but the extension was defined for both
   UDP and TCP for no good reason.
2. The extension contained a completely unnecessary length-encoded
   message that was sent forth and back. That's a very risky
   construction in terms of memory safety.

I feel this may be enough justification to define a hearbeat-simplified
spec that doesn't have these problems.
If you decide to go with the old heartbeat extension then I'd still
wish you at least adress 1. I think many people have just compiled
openssl without heartbeat, which is a good thing as long as it's not
used anyway. If it gets used in DTLS then at least make sure that
doesn't mean it also has to be enabled in TCP-based normal TLS at the
same time.

Hanno Böck