Welcome! Log In Create A New Profile

Advanced

[PATCH] slaying the BEAST (TLS 1.0 exploiting)

Srebrenko Šehić
October 01, 2011 01:54AM
Hi,

You've probably heard it already. SSL was hacked and broken. You can
read about it at
http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/.
Some more commentary at
http://blogs.cisco.com/security/beat-the-beast-with-tls/

As it turns out, OpenSSL people implemented a fix for this almost 10
years ago. Details at http://www.openssl.org/~bodo/tls-cbc.txt

Attached is a patch against 1.0.6 which introduces
"ssl_dont_insert_empty_fragments" flag to control whether this
workaround is enabled or not. Currently, it was hardcoded to disabled.
This patch makes it optional.

Note: this patch breaks certain old browsers which choke on the
workaround. This was tested with IE6.

Comments?

Cheers,
Srebrenko
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH] slaying the BEAST (TLS 1.0 exploiting)

Srebrenko Šehić 3574 October 01, 2011 01:54AM

Re: [PATCH] slaying the BEAST (TLS 1.0 exploiting)

Maxim Dounin 2575 October 01, 2011 05:52AM

Re: [PATCH] slaying the BEAST (TLS 1.0 exploiting)

Srebrenko Šehić 849 October 02, 2011 09:32AM

Re: [PATCH] slaying the BEAST (TLS 1.0 exploiting)

Maxim Dounin 988 October 02, 2011 10:40AM

Re: [PATCH] slaying the BEAST (TLS 1.0 exploiting)

Srebrenko Šehić 1857 October 02, 2011 01:30PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 104
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready