If a server is configured to require client certificates, is it unaffected by the Heartbleed vulnerability when the user has no client certificate?
Answer 1
From RFC 6520:
A HeartbeatRequest message can arrive almost at any time during the
lifetime of a connection. Whenever a HeartbeatRequest message is
received, it SHOULD be answered with a corresponding
HeartbeatResponse message.
I believe this means it can happen during the TLS "hello" phase, while the client and server are exchanging certificates, i.e. before the server can say "no" to the client based on its certificate or the lack of one.
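As an added example (not part of the question or the answer above), the following defender-side check walks a captured TLS record stream and reports heartbeat records (RFC 6520 content type 24) that arrive before the first ChangeCipherSpec, i.e. before client authentication has been decided, as well as the Heartbleed pattern of a declared payload_length that the record cannot actually hold. The sample streams and the `tls_record` helper are constructed here, not real captures.

```python
import struct

TLS_CHANGE_CIPHER_SPEC = 20   # first CCS: keys negotiated, client auth already decided
TLS_HANDSHAKE = 22
TLS_HEARTBEAT = 24            # RFC 6520 heartbeat content type
HB_REQUEST = 1
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of padding

def tls_record(ctype: int, body: bytes) -> bytes:
    """Build one TLS 1.1 record (used only to construct the samples below)."""
    return struct.pack("!BHH", ctype, 0x0302, len(body)) + body

def iter_records(stream: bytes):
    """Yield (content_type, body) for each record in a captured TLS byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _ver, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        yield ctype, body
        off += 5 + length

def check_heartbeats(stream: bytes) -> list:
    """Return findings for heartbeat records seen in one direction of a stream."""
    findings = []
    handshake_done = False
    for ctype, body in iter_records(stream):
        if ctype == TLS_CHANGE_CIPHER_SPEC:
            handshake_done = True
        elif ctype == TLS_HEARTBEAT:
            if len(body) < 3:
                findings.append("malformed heartbeat record")
                continue
            hb_type, declared = struct.unpack("!BH", body[:3])
            # Heartbleed signature: payload_length larger than the record can hold
            if declared + 3 + MIN_PADDING > len(body):
                findings.append(f"payload_length {declared} exceeds record of {len(body)} bytes")
            if hb_type == HB_REQUEST and not handshake_done:
                findings.append("HeartbeatRequest before handshake completed")
    return findings

# Constructed samples (not real captures): a handshake still in progress, then a
# request declaring 16384 bytes of payload while carrying a single byte ...
SAMPLE_BAD = (tls_record(TLS_HANDSHAKE, b"\x01\x00\x00\x02\x03\x02")
              + tls_record(TLS_HEARTBEAT, b"\x01\x40\x00" + b"A" + b"\x00" * 16))
# ... and a completed handshake followed by a well-formed 4-byte heartbeat.
SAMPLE_OK = (tls_record(TLS_CHANGE_CIPHER_SPEC, b"\x01")
             + tls_record(TLS_HEARTBEAT, b"\x01\x00\x04" + b"ping" + b"\x00" * 16))
```

In a real capture the first ChangeCipherSpec is a convenient plaintext boundary; everything before it, including any heartbeat, is processed before the server has finished evaluating the client's certificate or its absence.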