[PATCH] slaying the BEAST (TLS 1.0 exploiting)

Maxim Dounin mdounin at mdounin.ru
Sat Oct 1 09:50:57 UTC 2011


Hello!

On Sat, Oct 01, 2011 at 07:52:37AM +0200, Srebrenko Šehić wrote:

> Hi,
> 
> You've probably heard it already. SSL was hacked and broken. You can
> read about it at
> http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/.
> Some more commentary at
> http://blogs.cisco.com/security/beat-the-beast-with-tls/
> 
> As it turns out, OpenSSL people implemented a fix for this almost 10
> years ago. Details at http://www.openssl.org/~bodo/tls-cbc.txt
> 
> Attached is a patch against 1.0.6 which introduces
> "ssl_dont_insert_empty_fragments" flag to control whether this
> workaround is enabled or not. Currently, it was hardcoded to disabled.
> This patch makes it optional.
> 
> Note: this patch breaks certain old browsers which choke on the
> workaround. This was tested with IE6.
> 
> Comments?

The patch won't help to stop BEAST (CVE-2011-3389); you need a fix 
on the *client* side to stop it. More details about the attack 
may be found here:

http://vnhacker.blogspot.com/2011/09/beast.html
https://bugzilla.mozilla.org/show_bug.cgi?id=665814

The only server-side workaround I'm currently aware of is using 
non-CBC ciphers, i.e.

    ssl_ciphers RC4-SHA;

(Of course, migrating to TLS 1.1+ is a better option, but it's 
not yet here.)

For OpenSSL's "insert empty fragments" workaround on the server 
side, the situation hasn't changed much since 2003: there is a problem, 
there are no known attacks, and the workaround causes major 
interoperability problems.

(Probably working on a better workaround in OpenSSL would be a good 
idea. It looks like Chrome's one-byte one causes far fewer 
problems.)

Maxim Dounin
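
An added example, not part of the original message and not nginx or OpenSSL code: a small Python audit that reads an nginx configuration and lists the explicitly named CBC suites still offered in `ssl_ciphers`, which are the suites the server-side workaround above removes. The function name, the sample configuration and the hyphen heuristic for telling suite names from OpenSSL selector keywords are assumptions of this example.

```python
import re

# Constructed nginx configuration for illustration (not from the thread).
SAMPLE_CONF = """
server {
    listen 443 ssl;
    # ssl_ciphers AES256-SHA;   (commented out, must be ignored)
    ssl_ciphers RC4-SHA:AES128-SHA:DES-CBC3-SHA:!DES-CBC3-SHA:HIGH:!aNULL;
}
"""

# In SSLv3/TLS 1.0 every block-cipher suite runs in CBC mode; RC4 was the
# only stream cipher (RFC 7465 later prohibited it). GCM/CCM/ChaCha20 are
# AEAD suites, negotiable only from TLS 1.2 on. NULL suites do not encrypt
# at all, so they are not CBC either (and not acceptable for other reasons).
NON_CBC = re.compile(r"RC4|GCM|CCM|CHACHA20|NULL")


def audit_ssl_ciphers(conf):
    """Return (cbc_suites, keywords) found in nginx ssl_ciphers directives.

    cbc_suites: explicitly named suites that use CBC mode.
    keywords:   OpenSSL selectors (HIGH, ALL, ...) that cannot be judged
                here; expand them with `openssl ciphers -v '<string>'`.
    """
    conf = re.sub(r"#.*", "", conf)                 # drop nginx comments
    cbc, keywords = [], []
    for value in re.findall(r"\bssl_ciphers\s+([^;]+);", conf):
        raw = value.strip("\"' \t\n")
        tokens = [t for t in re.split(r"[:,\s]+", raw) if t]
        # "!NAME" removes a suite permanently from the resulting list.
        excluded = {t[1:] for t in tokens if t[0] == "!"}
        for tok in tokens:
            if tok[0] in "!-":
                continue                            # a removal, not an offer
            name = tok.lstrip("+")                  # "+" only reorders
            if name in excluded:
                continue
            if "-" not in name:                     # heuristic (assumption):
                keywords.append(name)               # no hyphen => selector
            elif not NON_CBC.search(name):
                cbc.append(name)
    return cbc, keywords


if __name__ == "__main__":
    print(audit_ssl_ciphers(SAMPLE_CONF))
```
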


