Max Rottenkolber max@mr.gy writes:
On Wed, 23 Apr 2014 20:39:48 +0200, Pascal J. Bourguignon wrote:
When a HeartbeatRequest message is received and sending a HeartbeatResponse is not prohibited as described elsewhere in this document, the receiver MUST send a corresponding HeartbeatResponse message carrying AN EXACT COPY OF THE PAYLOAD of the received HeartbeatRequest.
I didn't mean to dispute that CL is a safer language. My point is that, as an implementer, the above paragraph in an SSL protocol extension should raise red lights.
What is the function of the described behavior? Why would I want to echo back data in context of a keep alive? A: None. You don't want to do that.
You want to make sure that the answer you get corresponds to the request you sent.
You could use a counter, but it would be too easy to simulate it on the other end.
If you send random data, and compare the returned data, you make sure that there's something alive on the other end that can receive your message and respond to it, not a dead process sending fixed or previsible packets.
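The exchange described in this thread, as an added example that is not code from either poster: the sender picks a random payload and accepts only a response that echoes it (Pascal's point), while the receiver echoes exactly the bytes it actually received and silently discards a request whose declared payload_length is not backed by data that arrived (the check an implementer should be thinking about when reading the quoted paragraph). The wire layout assumed is the one RFC 6520 defines: a one-byte type, a two-byte payload_length, the payload, and at least 16 bytes of padding. The `dead_peer` and `truncated_request` stubs are constructed test inputs, not real traffic.

```python
import os
import struct

# Message types and minimum padding as defined in RFC 6520.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
HEADER = struct.Struct("!BH")  # type (1 byte) | payload_length (2 bytes), network order


def build_heartbeat(msg_type, payload):
    """Encode a HeartbeatMessage: header | payload | random padding (>= 16 bytes)."""
    return HEADER.pack(msg_type, len(payload)) + payload + os.urandom(MIN_PADDING)


def parse_heartbeat(record):
    """Decode a HeartbeatMessage.

    Returns (type, payload), or None when the message must be discarded because
    the declared payload_length does not fit inside the bytes that were received.
    """
    if len(record) < HEADER.size + MIN_PADDING:
        return None
    msg_type, declared_len = HEADER.unpack(record[:HEADER.size])
    # The essential bound: declared length plus header and padding must not
    # exceed the actual record length; otherwise we would be echoing memory
    # that was never part of the request. RFC 6520 says discard silently.
    if HEADER.size + declared_len + MIN_PADDING > len(record):
        return None
    return msg_type, record[HEADER.size:HEADER.size + declared_len]


def respond(record):
    """Receiver side: answer a request with an exact copy of the received payload."""
    parsed = parse_heartbeat(record)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, parsed[1])


def probe(peer):
    """Sender side: send random bytes and accept only a response that echoes them.

    `peer` is any callable taking the request record and returning a response
    record (or None). A fixed or predictable answer from a dead process fails.
    """
    payload = os.urandom(16)
    response = peer(build_heartbeat(HEARTBEAT_REQUEST, payload))
    if response is None:
        return False
    parsed = parse_heartbeat(response)
    return (parsed is not None
            and parsed[0] == HEARTBEAT_RESPONSE
            and parsed[1] == payload)


def dead_peer(record):
    """Constructed stand-in for a process that replies with a fixed packet."""
    return build_heartbeat(HEARTBEAT_RESPONSE, b"\x00" * 16)


def truncated_request():
    """Constructed request claiming 4096 payload bytes while carrying only 4."""
    return HEADER.pack(HEARTBEAT_REQUEST, 4096) + b"ping" + os.urandom(MIN_PADDING)


if __name__ == "__main__":
    print("live peer echoes random payload:", probe(respond))          # True
    print("fixed-reply peer detected:", probe(dead_peer))               # False
    print("over-declared request discarded:", respond(truncated_request()) is None)  # True
```

`parse_heartbeat` is shared by both sides, so the same length check protects the receiver from copying beyond the request and the sender from trusting a malformed response.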