Bug #5353
closedTLS v1.0 and less - Attack on CBC mode
Description
A well-known vulnerability of TLS v1.0 and earlier has recently gained some attention:
http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
Although this has been known for a long time (http://www.openssl.org/~bodo/tls-cbc.txt),
and a fix for this has been provided, in reality most applications seem to be working with
SSL_OP_ALL
which is a flag that enables some bug workarounds that were considered harmless.
We, too, use this in ossl_sslctx_s_alloc(VALUE klass) in ossl_ssl.c. Unfortunately,
this flag also includes
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
which disables the fix for the "CBC vulnerability". Here is what a comment says
about the flag (OpenSSL 1.0.0d)
/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
* in OpenSSL 0.9.6d. Usually (depending on the application protocol)
* the workaround is not needed. Unfortunately some broken SSL/TLS
* implementations cannot handle it at all, which is why we include
* it in SSL_OP_ALL. */
If I understand http://www.openssl.org/~bodo/tls-cbc.txt correctly, the most
notable implementation that does not play well with these empty fragments
was (is?) IE - I don't know how this has evolved over time, I would have to
research further.
An easy fix for the situation would be to discard SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS,
but this would risk affecting existing installations.
What do you propose? Should we solve this before the 1.9.3 release?
(PS: The actual attack and fix are outlined in
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.61.5887&rep=rep1&type=pdf
The attack to be presented by Thai Duong and Juliano Rizzo at
http://ekoparty.org/cronograma.php (caution: currently the site is victim to the "reddit effect")
is very likely to be based on what was already known and should therefore hopefully
require no further fixes.)