[PATCH] slaying the BEAST (TLS 1.0 exploiting)

Srebrenko Šehić ssehic at gmail.com
Sat Oct 1 05:52:37 UTC 2011


You've probably heard it already. SSL was hacked and broken. You can
read about it at
Some more commentary at

As it turns out, OpenSSL people implemented a fix for this almost 10
years ago. Details at http://www.openssl.org/~bodo/tls-cbc.txt

Attached is a patch against 1.0.6 which introduces
"ssl_dont_insert_empty_fragments" flag to control whether this
workaround is enabled or not. Currently, it was hardcoded to disabled.
This patch makes it optional.

Note: this patch breaks certain old browsers which choke on the
workaround. This was tested with IE6.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch-ssl_dont_insert_fragments.patch
Type: text/x-patch
Size: 2748 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20111001/84984dba/attachment.bin>

More information about the nginx-devel mailing list