On 9/23/2011 8:53 AM, Sander Temme wrote:
> On Sep 22, 2011, at 6:56 AM, Johan van Selst wrote:
>> Mounir IDRASSI wrote:
>>> So, an OpenSSL based web server is immune from this attack, unless it
>>> uses the flag SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.
>>
>> Which is exactly what Apache and some other popular applications seem to
>> be doing. Maybe this flag should not be included in SSL_OP_ALL after all.
>
> Do you have a patch for Apache?
> Any of the "some broken SSL/TLS implementations" still in widespread use?
> S.

According to the docs, this bug IS in openssl. Specifically, the openssl
documentation says the following (in SSL_CTX_set_options.pod):
DOC> =item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
DOC>
DOC> Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol
DOC> vulnerability affecting CBC ciphers, which cannot be handled by some
DOC> broken SSL implementations. This option has no effect for connections
DOC> using other ciphers.
DOC>
DOC> =item SSL_OP_ALL
DOC>
DOC> All of the above bug workarounds.
DOC>
DOC> =back
DOC>
DOC> It is usually safe to use B<SSL_OP_ALL> to enable the bug workaround
DOC> options if compatibility with somewhat broken implementations is
DOC> desired.
DOC>
Thus the project is explicitly telling library users that this is safe
to do, which it apparently isn't.
On the other hand the same document claims that setting
SSL_OP_SINGLE_DH_USE is not safe, but should always be done to be safe????
And then there are a bunch of undocumented SSL_OP_ constants listed (they
are listed, but have no explanation in SSL_CTX_set_options.pod).
If the "some broken SSL implementations" are now rare, I suggest the
following changes to openssl:
1. Change the bit assigned to SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS to a
value outside the SSL_OP_ALL bitmask (so upgrading a shared library
openssl will pick up the change without application recompilation).
2. Change the name of this define slightly (so applications that
cut/pasted from the description of SSL_OP_ALL in order to omit another
bit will not pick up the new bit from a recompilation).
3. Document these changes in SSL_CTX_set_options.pod and CHANGES so
application developers don't reuse the old bad advice and affected
application developers know why references to the old name fail.
P.S.
Is openssl running out of bit values for SSL_OP_ constants?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
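
The effect of suggested change 1 on an already-compiled application, next to the application-side mask that needs no library change, as an added example that is not part of the original message or of OpenSSL. The constants are constructed for this model (not copied from any ssl.h), and `NEW_OP_NO_EMPTY_FRAGMENTS` and the function names are hypothetical.

```c
#include <stdio.h>

/* Constructed constants mirroring the layout discussed in the thread;
 * assumptions for this model, not values taken from a real ssl.h. */
#define OLD_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800UL /* inside the ALL mask */
#define OLD_OP_ALL                         0x00000FFFUL /* "all bug workarounds" */
#define NEW_OP_NO_EMPTY_FRAGMENTS          0x00100000UL /* hypothetical renamed bit, outside the mask */

/* Library as described in the thread: the CBC countermeasure stays on
 * unless the caller sets the bit that lives inside the ALL mask. */
int countermeasure_on_current(unsigned long opts)
{
    return (opts & OLD_OP_DONT_INSERT_EMPTY_FRAGMENTS) == 0;
}

/* Library after suggested change 1: the old bit position is ignored, so
 * only a caller built against the new header (and the new name, change 2)
 * can switch the countermeasure off. */
int countermeasure_on_relocated(unsigned long opts)
{
    return (opts & NEW_OP_NO_EMPTY_FRAGMENTS) == 0;
}

/* Application-side alternative: keep the other workarounds and clear
 * the single bit that disables the countermeasure. */
unsigned long all_workarounds_keep_countermeasure(void)
{
    return OLD_OP_ALL & ~OLD_OP_DONT_INSERT_EMPTY_FRAGMENTS;
}

int main(void)
{
    unsigned long old_binary = OLD_OP_ALL; /* what a compiled application already passes */
    unsigned long masked = all_workarounds_keep_countermeasure();

    printf("old binary, current library:   countermeasure %s\n",
           countermeasure_on_current(old_binary) ? "on" : "OFF");
    printf("old binary, relocated bit:     countermeasure %s\n",
           countermeasure_on_relocated(old_binary) ? "on" : "OFF");
    printf("masked options 0x%lx, current: countermeasure %s\n", masked,
           countermeasure_on_current(masked) ? "on" : "OFF");
    return 0;
}
```

In a real application the same mask is passed as `SSL_CTX_set_options(ctx, SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)`, using the constants from the installed OpenSSL headers.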