> I get the heartbeating message on both unpatched and patched servers. Should that make me worry about the patched machines?

Not necessarily. If they updated to the 'g' release, then they are doing buffer-overrun checking and you're safe. You can probably find out by connecting to your server (via s_client again) and seeing what it says in the server line, as in

    echo HEAD / HTTP/1.0 | openssl s_client -connect $HOST:$PORT

The server usually says things like "apache/2.0 openssl/1.0.1g ..." and other modules that are bundled in.

To be safest, heartbeats should just be disabled. Nobody really uses them.

/r$

--
Principal Security Engineer
Akamai Technology
Cambridge, MA
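
The banner check described in the message above, as an added example that is not part of the original message: two shell functions that pull the Server header out of a response and compare the advertised OpenSSL letter release against 'g'. The function names and sample banners are constructed for illustration, and the result is only as reliable as the banner, since distribution packages may backport the fix without changing the version letter and many servers suppress the banner.

```shell
#!/bin/sh
# Added example (not from the original message): triage the OpenSSL version
# advertised in an HTTP Server header against the 1.0.1 'g' release.
# Assumption: the banner is truthful. "affected-range" means "investigate",
# not "confirmed vulnerable"; "unknown" means the banner tells you nothing.

server_header() {
    # Read a raw HTTP response on stdin; print the first Server: header value.
    tr -d '\r' | sed -n 's/^[Ss]erver:[[:space:]]*//p' | head -n 1
}

classify_banner() {
    # $1: Server header text, e.g. "Apache/2.2.22 (Unix) OpenSSL/1.0.1e"
    ver=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' |
          sed -n 's|.*openssl/\([0-9][0-9.]*[a-z]*\).*|\1|p')
    case "$ver" in
        "")               echo "unknown" ;;         # no OpenSSL token present
        1.0.1|1.0.1[a-f]) echo "affected-range" ;;  # 1.0.1 through 1.0.1f
        1.0.1[g-z])       echo "fixed" ;;           # 'g' or a later letter
        1.0.1*)           echo "unknown" ;;         # unexpected 1.0.1 suffix
        *)                echo "other-branch" ;;    # not a 1.0.1 release
    esac
}

# Usage with the command from the message (needs network access, so it is
# left commented out here):
#   banner=$(echo HEAD / HTTP/1.0 |
#            openssl s_client -connect "$HOST:$PORT" 2>/dev/null | server_header)
#   classify_banner "$banner"

# Constructed sample banners, runnable offline.
for b in "Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1e DAV/2" \
         "apache/2.0 openssl/1.0.1g" \
         "nginx"; do
    printf '%-60s %s\n' "$b" "$(classify_banner "$b")"
done
```

A "fixed" or "unknown" result does not say whether heartbeats are enabled; disabling them, as the message recommends, removes the dependency on the banner altogether.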