MEDIUM: ssl: implement a workaround for the OpenSSL heartbleed attack Using the previous callback, it's trivial to block the heartbeat attack, first we control the message length, then we emit an SSL error if it is out of bounds. A special log is emitted, indicating that a heartbleed attack was stopped so that they are not confused with other failures. That way, haproxy can protect itself even when running on an unpatched SSL stack. Tests performed with openssl-1.0.1c indicate a total success.

commit: f51c6989b008a4293e2fa0a18c10290499bf020a [log] [tgz]
author: Willy Tarreau <w@1wt.eu> Fri Apr 25 20:02:39 2014 +0200
committer: Willy Tarreau <w@1wt.eu> Fri Apr 25 20:06:33 2014 +0200
tree: cdc59956152dbb9e767c5719fd95628ea7ece863
parent: 29f037d872198a75880e0816f40b15f4144956dc [diff] [blame]
diff --git a/include/types/connection.h b/include/types/connection.h
index 84248c9..83ac432 100644
--- a/include/types/connection.h
+++ b/include/types/connection.h

@@ -163,7 +163,8 @@
 	CO_ER_SSL_CRT_FAIL,     /* client cert verification failed on the certificate */
 	CO_ER_SSL_HANDSHAKE,    /* SSL error during handshake */
 	CO_ER_SSL_HANDSHAKE_HB, /* SSL error during handshake with heartbeat present */
-	CO_ER_SSL_NO_TARGET,    /* unkonwn target (not client nor server) */
+	CO_ER_SSL_KILLED_HB,    /* Stopped a TLSv1 heartbeat attack (CVE-2014-0160) */
+	CO_ER_SSL_NO_TARGET,    /* unknown target (not client nor server) */
 };
 
 /* source address settings for outgoing connections */
commit	f51c6989b008a4293e2fa0a18c10290499bf020a	[log] [tgz]
author	Willy Tarreau <w@1wt.eu>	Fri Apr 25 20:02:39 2014 +0200
committer	Willy Tarreau <w@1wt.eu>	Fri Apr 25 20:06:33 2014 +0200
tree	cdc59956152dbb9e767c5719fd95628ea7ece863
parent	29f037d872198a75880e0816f40b15f4144956dc [diff] [blame]