|Summary:||SSL_OP_ALL disables the mitigation code for CVE-2011-3389|
|Product:||Apache httpd-2||Reporter:||Joe Julian <me>|
|Component:||mod_ssl||Assignee:||Apache HTTPD Bugs Mailing List <bugs>|
patch specifically for 2.4.4
2.5-dev patch for code only
patch for 2.5-dev including a documentation update
Description Joe Julian 2012-09-19 06:59:31 UTC
In modules/ssl/ssl_engine_init.c, the use of SSL_OP_ALL actually disables the openssl feature that works around CVE-2011-3389 (the "BEAST"). Please change: SSL_CTX_set_options(ctx, SSL_OP_ALL); to SSL_CTX_set_options(ctx, SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
Comment 1 Stefan Fritsch 2012-10-03 08:19:45 UTC
It is my understanding that the BEAST work around needs to be enabled on the client to have any effect. So for httpd, this is only a problem with outgoing https proxy connections. Correct?
Comment 2 MikeM 2013-06-23 23:08:58 UTC
Created attachment 30476 [details] patch specifically for 2.4.4 This patch is a patch for the 2.4.4 code tree. It does not include a documentation update.
Comment 3 MikeM 2013-06-23 23:09:24 UTC
Created attachment 30477 [details] 2.5-dev patch for code only
Comment 4 MikeM 2013-06-23 23:09:57 UTC
Created attachment 30478 [details] patch for 2.5-dev including a documentation update
Comment 5 MikeM 2013-06-23 23:11:01 UTC
Note - the three patches are the same code. The 2.5-dev code only one applied against 2.5-dev, 2.4.4 and 2.2.24 successfully. I did not test the documentation one against anything but 2.5-dev.
Comment 6 MikeM 2013-06-23 23:12:34 UTC
As I understand it, BEAST itself is client based and as such the server can only mitigate the attack by offering ciphers which are not vulnerable (ie non-CBC ciphers). That said - given how beast works, by getting the client to send specific data and seeing the cipher text, I would imagine that it could be theoretically possible to send requests to a server constructed in such a way that returned packets could be used to do much the same this as BEAST does for outgoing data and packets. Regardless of BEAST or not, I have created the attached patch which can be applied to 2.5-dev, 2.4.4, 2.2.24 which creates a new option "SSLEnableEmptyFragments". This option allows one to remove the "SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS" flag from SSL_OP_ALL. Please consider this patch for inclusion into the tree. The usual caveats apply - OpenSSL indicate there might be compatibility issues with some clients... but hey :)