Heartbeats after handshake

[Lekensteyn]

Right the output is not particularly interesting. Perhaps the output could be made more interesting by sending an encrypted heartbeat after he handshake? That would as well allow for repeated heartbeats without tearing down the connection.

I have already tried to sent an unencrypted heartbeat during the handshake (before the server ChangeCipherSpec), but these attempts fail. Need to put a closer look at the openssl code.

[Lekensteyn]

It is possible that the output was not interesting because curl, wget and openssl s_client are small utilities with no(t much) dynamically allocated memory. In that case, another larger application must be tested (any web browsers, mail clients or other targets that use openssl?)

[pietsch]

The textmode browser Links 2.8 provokes a rather long hexdump. Try:

links2 -dump https://localhost:4433

I tried this on a Debian based system (current LMDE 32 bit) that links links2 against OpenSSL 1.0.1e-4.

[Lekensteyn]

@pietsch Confirmed! Links is a great example of a client that would severely be impacted. I can see the full pages of previous visits. (links https://google.com, Esc, g, https://127.1:4433).

On topic about this bug, someone has written a Metasploit module that does exactly what was suggested in this issue: complete the handshake, start sending heartbeats:

• http://security.stackexchange.com/a/55295/2630
• rapid7/metasploit-framework@f56f34f