From: Koichi Sasada Date: 2012-03-11T15:51:02+09:00 Subject: [ruby-core:43184] [ruby-trunk - Bug #5353][Assigned] TLS v1.0 and less - Attack on CBC mode Issue #5353 has been updated by Koichi Sasada. Status changed from Open to Assigned Assignee set to Hiroshi Nakamura ---------------------------------------- Bug #5353: TLS v1.0 and less - Attack on CBC mode https://bugs.ruby-lang.org/issues/5353 Author: Martin Bosslet Status: Assigned Priority: High Assignee: Hiroshi Nakamura Category: ext Target version: 2.0.0 ruby -v: - A well-known vulnerability of TLS v1.0 and earlier has recently gained some attention: http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/ Although this has been known for a long time (http://www.openssl.org/~bodo/tls-cbc.txt), and a fix for this has been provided, in reality most applications seem to be working with SSL_OP_ALL which is a flag that enables some bug workarounds that were considered harmless. We, too, use this in ossl_sslctx_s_alloc(VALUE klass) in ossl_ssl.c. Unfortunately, this flag also includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS which disables the fix for the "CBC vulnerability". Here is what a comment says about the flag (OpenSSL 1.0.0d) /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added * in OpenSSL 0.9.6d. Usually (depending on the application protocol) * the workaround is not needed. Unfortunately some broken SSL/TLS * implementations cannot handle it at all, which is why we include * it in SSL_OP_ALL. */ If I understand http://www.openssl.org/~bodo/tls-cbc.txt correctly, the most notable implementation that does not play well with these empty fragments was (is?) IE - I don't know how this has evolved over time, I would have to research further. An easy fix for the situation would be to discard SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but this would risk affecting existing installations. What do you propose? Should we solve this before the 1.9.3 release? (PS: The actual attack and fix are outlined in http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.61.5887&rep=rep1&type=pdf The attack to be presented by Thai Duong and Juliano Rizzo at http://ekoparty.org/cronograma.php (caution: currently the site is victim to the "reddit effect") is very likely to be based on what was already known and should therefore hopefully require no further fixes.) -- http://bugs.ruby-lang.org/