Bug 53899 - SSL_OP_ALL disables the mitigation code for CVE-2011-3389
Summary: SSL_OP_ALL disables the mitigation code for CVE-2011-3389
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.5-HEAD
Hardware: PC Linux
: P2 normal with 4 votes (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: PatchAvailable
Depends on:
Reported: 2012-09-19 06:59 UTC by Joe Julian
Modified: 2013-06-23 23:12 UTC (History)
1 user (show)

patch specifically for 2.4.4 (4.89 KB, patch)
2013-06-23 23:08 UTC, MikeM
Details | Diff
2.5-dev patch for code only (4.89 KB, patch)
2013-06-23 23:09 UTC, MikeM
Details | Diff
patch for 2.5-dev including a documentation update (25.86 KB, patch)
2013-06-23 23:09 UTC, MikeM
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Joe Julian 2012-09-19 06:59:31 UTC
In modules/ssl/ssl_engine_init.c, the use of SSL_OP_ALL actually disables the openssl feature that works around CVE-2011-3389 (the "BEAST").

Please change:
  SSL_CTX_set_options(ctx, SSL_OP_ALL);
Comment 1 Stefan Fritsch 2012-10-03 08:19:45 UTC
It is my understanding that the BEAST work around needs to be enabled on the client to have any effect. So for httpd, this is only a problem with outgoing https proxy connections. Correct?
Comment 2 MikeM 2013-06-23 23:08:58 UTC
Created attachment 30476 [details]
patch specifically for 2.4.4

This patch is a patch for the 2.4.4 code tree. It does not include a documentation update.
Comment 3 MikeM 2013-06-23 23:09:24 UTC
Created attachment 30477 [details]
2.5-dev patch for code only
Comment 4 MikeM 2013-06-23 23:09:57 UTC
Created attachment 30478 [details]
patch for 2.5-dev including a documentation update
Comment 5 MikeM 2013-06-23 23:11:01 UTC
Note - the three patches are the same code. The 2.5-dev code only one applied against 2.5-dev, 2.4.4 and 2.2.24 successfully.

I did not test the documentation one against anything but 2.5-dev.
Comment 6 MikeM 2013-06-23 23:12:34 UTC
As I understand it, BEAST itself is client based and as such the server can only mitigate the attack by offering ciphers which are not vulnerable (ie non-CBC ciphers).

That said - given how beast works, by getting the client to send specific data and seeing the cipher text, I would imagine that it could be theoretically possible to send requests to a server constructed in such a way that returned packets could be used to do much the same this as BEAST does for outgoing data and packets.

Regardless of BEAST or not, I have created the attached patch which can be applied to 2.5-dev, 2.4.4, 2.2.24 which creates a new option "SSLEnableEmptyFragments". This option allows one to remove the "SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS" flag from SSL_OP_ALL.

Please consider this patch for inclusion into the tree. 

The usual caveats apply - OpenSSL indicate there might be compatibility issues with some clients... but hey :)