Is it true that a server set up to require a client certificate cannot suffer from the Heartbleed vulnerability if the user does not have a client certificate?
From RFC 6520:
A HeartbeatRequest message can arrive almost at any time during the lifetime of a connection. Whenever a HeartbeatRequest message is received, it SHOULD be answered with a corresponding HeartbeatResponse message.
I believe this implies it could happen during the "hello" phase of TLS where client and server are exchanging certificates, i.e. before the server can say "no" to the client based on the certificate, or lack thereof.
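An added example, not part of the question or answer above: a small Python audit of a raw TLS record stream that flags heartbeat records arriving before the handshake has completed (the window the answer describes, where client-certificate enforcement has not yet happened) and heartbeat messages whose declared payload_length the record cannot hold, which RFC 6520 says the receiver must silently discard. The record builder, the constructed sample stream and the "ChangeCipherSpec followed by a handshake record" proxy for handshake completion are my own simplifications, not anything from the page.

```python
import struct
from dataclasses import dataclass

# TLS record content types (RFC 5246) plus the heartbeat type from RFC 6520
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA, HEARTBEAT = 20, 21, 22, 23, 24
HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: padding_length MUST be at least 16 bytes


@dataclass
class Finding:
    record_index: int
    reason: str


def record(ctype: int, body: bytes, version: int = 0x0303) -> bytes:
    """Build one TLS record: type(1) version(2) length(2) body."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


def tls_records(stream: bytes):
    """Split a raw TLS byte stream into (content_type, version, body) tuples."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[offset:offset + 5])
        body = stream[offset + 5:offset + 5 + length]
        if len(body) < length:
            raise ValueError(f"truncated record at offset {offset}")
        yield ctype, version, body
        offset += 5 + length


def audit_heartbeats(stream: bytes) -> list[Finding]:
    """Flag heartbeat records seen before the handshake completed and heartbeat
    messages whose payload_length exceeds what the record actually carries."""
    findings, seen_ccs, handshake_done = [], False, False
    for i, (ctype, _ver, body) in enumerate(tls_records(stream)):
        if ctype == CHANGE_CIPHER_SPEC:
            seen_ccs = True
        elif ctype == HANDSHAKE and seen_ccs:
            handshake_done = True  # simplification: the Finished that follows CCS
        elif ctype == HEARTBEAT:
            if not handshake_done:
                findings.append(Finding(i, "heartbeat before handshake completed"))
            if len(body) < 3:
                findings.append(Finding(i, "heartbeat record too short"))
                continue
            hb_type, payload_len = struct.unpack("!BH", body[:3])
            if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
                findings.append(Finding(i, f"unknown heartbeat type {hb_type}"))
            # RFC 6520: payload plus >=16 bytes padding must fit inside the record
            if payload_len + MIN_PADDING > len(body) - 3:
                findings.append(Finding(i, f"payload_length {payload_len} exceeds record body ({len(body) - 3} bytes)"))
    return findings


# Constructed sample stream: a stand-in ClientHello, a well-formed heartbeat that
# nevertheless arrives mid-handshake, CCS + Finished, then an over-length heartbeat.
SAMPLE_STREAM = (
    record(HANDSHAKE, b"\x01" + b"\x00" * 40)
    + record(HEARTBEAT, b"\x01\x00\x04" + b"A" * 4 + b"\x00" * 16)
    + record(CHANGE_CIPHER_SPEC, b"\x01")
    + record(HANDSHAKE, b"\x00" * 32)
    + record(HEARTBEAT, b"\x01\x00\x20" + b"B" * 4 + b"\x00" * 16)
)
```

Running `audit_heartbeats(SAMPLE_STREAM)` reports record 1 (heartbeat before the handshake completed) and record 4 (payload_length 32 in a record carrying 20 bytes); a heartbeat sent after the handshake with a consistent length produces no findings.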