[PATCH] slaying the BEAST (TLS 1.0 exploiting)

Srebrenko Šehić ssehic at gmail.com
Sat Oct 1 05:52:37 UTC 2011


Hi,

You've probably heard it already. SSL was hacked and broken. You can
read about it at
http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/.
Some more commentary at
http://blogs.cisco.com/security/beat-the-beast-with-tls/

As it turns out, OpenSSL people implemented a fix for this almost 10
years ago. Details at http://www.openssl.org/~bodo/tls-cbc.txt

Attached is a patch against 1.0.6 which introduces
"ssl_dont_insert_empty_fragments" flag to control whether this
workaround is enabled or not. Currently, it was hardcoded to disabled.
This patch makes it optional.

Note: this patch breaks certain old browsers which choke on the
workaround. This was tested with IE6.

Comments?

Cheers,
Srebrenko
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch-ssl_dont_insert_fragments.patch
Type: text/x-patch
Size: 2748 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20111001/84984dba/attachment.bin>
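
The workaround discussed in the message above concerns TLS 1.0 CBC chaining, where the last ciphertext block of one record is the IV of the next; sending an empty fragment first makes the IV that protects the application data a block that was not on the wire when that data was submitted. The model below is an added example, not code from the post, the attached patch, nginx or OpenSSL. The toy Feistel cipher, the simplified MAC input, the names `Tls10CbcWriter` and `iv_known_in_advance`, and the sample payloads are all constructed for illustration.

```python
import hashlib, hmac, os

BLOCK = 16  # block size of the toy cipher, same as AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt_block(key, block):
    """4-round Feistel permutation built from SHA-256; a stand-in for AES."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

class Tls10CbcWriter:
    """Constructed model of a TLS 1.0 CBC write state with a chained IV."""
    def __init__(self, insert_empty_fragments):
        self.enc_key, self.mac_key = os.urandom(16), os.urandom(20)
        self.insert_empty = insert_empty_fragments
        self.iv, self.seq = os.urandom(BLOCK), 0

    def _record(self, data):
        seq = self.seq.to_bytes(8, "big")  # simplified MAC input (assumption)
        body = data + hmac.new(self.mac_key, seq + data, hashlib.sha1).digest()
        pad = -(len(body) + 1) % BLOCK
        body += bytes([pad]) * (pad + 1)          # TLS-style padding
        out, prev = b"", self.iv
        for i in range(0, len(body), BLOCK):
            prev = toy_encrypt_block(self.enc_key, xor(prev, body[i:i + BLOCK]))
            out += prev
        self.iv, self.seq = prev, self.seq + 1    # last block becomes next IV
        return out

    def write(self, data):
        """Return (IV that protected `data`, records put on the wire)."""
        records = [self._record(b"")] if self.insert_empty else []
        iv_for_data = self.iv
        records.append(self._record(data))
        return iv_for_data, records

def iv_known_in_advance(insert_empty_fragments):
    """Was the IV for the second write visible on the wire before that write?"""
    w = Tls10CbcWriter(insert_empty_fragments)
    _, first = w.write(b"GET / HTTP/1.1\r\n")        # constructed sample data
    last_block_seen = first[-1][-BLOCK:]              # what an observer holds
    iv, _ = w.write(b"Cookie: session=constructed")
    return iv == last_block_seen
```

`iv_known_in_advance(False)` returns `True` and `iv_known_in_advance(True)` returns `False`. Note that the parameter is the inverse of the "ssl_dont_insert_empty_fragments" flag named in the message.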

