
Is it true that a server, set up to require a client certificate, cannot suffer from the Heartbleed vulnerability if that user does not have a client certificate?

LawrenceC
Myforwik
  • HeartBleed was/is primarily a server vulnerability. The client would only be vulnerable if there was a vulnerable version of OpenSSL on the client device. Likewise, even if the client was patched, if the server was vulnerable the exploit could still be abused provided the server was configured to respond to HeartbeatRequest messages. – Ramhound Sep 08 '14 at 11:03
  • Why I am asking is that no tester I have found seems capable of testing a server that requires a client certificate. It can't seem to get through the negotiation phase far enough to ever be able to use Heartbleed. – Mundi Sep 10 '14 at 09:35

1 Answer


From RFC 6520:

   A HeartbeatRequest message can arrive almost at any time during the
   lifetime of a connection.  Whenever a HeartbeatRequest message is
   received, it SHOULD be answered with a corresponding
   HeartbeatResponse message.

I believe this implies it could happen during the "hello" phase of TLS where client and server are exchanging certificates, i.e. before the server can say "no" to the client based on the certificate, or lack thereof.

LawrenceC
  • One should point out: if you configure your server not to respond to the HeartbeatRequest message, any vulnerability with the message itself cannot be exploited. – Ramhound Sep 08 '14 at 11:02
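The answer's point is that a heartbeat record is handled by the record layer independently of handshake state, so client authentication does not gate it; what actually closed the hole was a bounds check on the heartbeat message itself (the declared `payload_length` must fit inside the record that carried it, with room for the 16 bytes of padding RFC 6520 requires). The following is an added example, not code from the answer or from OpenSSL: a small Python parser that applies that bounds check to raw TLS heartbeat records, the way a patched server or an IDS rule would. The two sample records, the `ping` payload and the TLS 1.2 version bytes are constructed for the example.

```python
import struct

# TLS record content type assigned to the heartbeat extension by RFC 6520
HEARTBEAT_CONTENT_TYPE = 24
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
# RFC 6520: padding_length MUST be at least 16 bytes
MIN_PADDING = 16


def parse_tls_record(data):
    """Split a raw TLS record into (content_type, (major, minor), body).

    Raises ValueError if the 5-byte header or the body is truncated.
    """
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than declared length")
    return content_type, (major, minor), body


def check_heartbeat(body):
    """Apply the bounds check that the Heartbleed fix introduced.

    A HeartbeatMessage is: type (1 byte), payload_length (2 bytes),
    payload, then at least 16 bytes of padding.  An unpatched server
    trusted payload_length and copied that many bytes into the response;
    a patched server discards the message when the declared length does
    not fit inside the record it arrived in.
    """
    if len(body) < 3:
        return {"ok": False, "reason": "no heartbeat header"}
    hb_type = body[0]
    payload_length = struct.unpack("!H", body[1:3])[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return {"ok": False, "reason": "unknown heartbeat type", "type": hb_type}
    # 1 (type) + 2 (length) + payload + 16 (minimum padding) must fit in the record
    if 1 + 2 + payload_length + MIN_PADDING > len(body):
        return {
            "ok": False,
            "reason": "payload_length exceeds record",
            "declared": payload_length,
            "available": len(body) - 3,
        }
    return {"ok": True, "type": hb_type, "payload_length": payload_length}


def analyze_record(data):
    """Classify one raw TLS record; only heartbeat records get the bounds check."""
    content_type, version, body = parse_tls_record(data)
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return {"heartbeat": False, "content_type": content_type}
    result = check_heartbeat(body)
    result.update({"heartbeat": True, "version": version})
    return result


# Constructed sample records (TLS 1.2 version bytes 3,3).  Both carry a 4-byte
# "ping" payload and 16 bytes of zero padding, so the record body is 23 bytes.
_HB_HEADER = struct.pack("!BBBH", HEARTBEAT_CONTENT_TYPE, 3, 3, 23)
# Well-formed: declared payload_length 4 matches the bytes actually present.
GOOD_RECORD = _HB_HEADER + b"\x01" + struct.pack("!H", 4) + b"ping" + b"\x00" * 16
# Malformed: declared payload_length 0x4000 with only 4 payload bytes present;
# this is the shape a patched server rejects and a detection rule flags.
BAD_RECORD = _HB_HEADER + b"\x01" + struct.pack("!H", 0x4000) + b"ping" + b"\x00" * 16


if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, analyze_record(rec))
```

The check runs on the record alone, without reference to whether a ClientCertificate message has been exchanged yet, which is why a configured client-certificate requirement does not on its own protect an unpatched server. The dependable mitigations remain the ones the comments name: a patched OpenSSL, or a server that does not advertise or answer heartbeats at all. Whether a server advertises the extension can be read from the ServerHello extension list that `openssl s_client -tlsextdebug` prints (the heartbeat extension has id 15), which works even when the handshake later fails for lack of a client certificate.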