TLS v1.0 and less - Attack on CBC mode
A well-known vulnerability of TLS v1.0 and earlier has recently gained some attention:
Although this has been known for a long time (http://www.openssl.org/~bodo/tls-cbc.txt),
and a fix for this has been provided, in reality most applications seem to be working with
which is a flag that enables some bug workarounds that were considered harmless.
We, too, use this in ossl_sslctx_s_alloc(VALUE klass) in ossl_ssl.c. Unfortunately,
this flag also includes
which disables the fix for the "CBC vulnerability". Here is what a comment says
about the flag (OpenSSL 1.0.0d)
/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added * in OpenSSL 0.9.6d. Usually (depending on the application protocol) * the workaround is not needed. Unfortunately some broken SSL/TLS * implementations cannot handle it at all, which is why we include * it in SSL_OP_ALL. */
If I understand http://www.openssl.org/~bodo/tls-cbc.txt correctly, the most
notable implementation that does not play well with these empty fragments
was (is?) IE - I don't know how this has evolved over time, I would have to
An easy fix for the situation would be to discard SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS,
but this would risk affecting existing installations.
What do you propose? Should we solve this before the 1.9.3 release?
(PS: The actual attack and fix are outlined in
The attack to be presented by Thai Duong and Juliano Rizzo at
http://ekoparty.org/cronograma.php (caution: currently the site is victim to the "reddit effect")
is very likely to be based on what was already known and should therefore hopefully
require no further fixes.)