Issue #5353 has been updated by Koichi Sasada.

Status changed from Open to Assigned
Assignee set to Hiroshi Nakamura


----------------------------------------
Bug #5353: TLS v1.0 and less - Attack on CBC mode
https://bugs.ruby-lang.org/issues/5353

Author: Martin Bosslet
Status: Assigned
Priority: High
Assignee: Hiroshi Nakamura
Category: ext
Target version: 2.0.0
ruby -v: -


A well-known vulnerability of TLS v1.0 and earlier has recently gained some attention:

http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/

Although this has been known for a long time (http://www.openssl.org/~bodo/tls-cbc.txt),
and a fix for this has been provided, in reality most applications seem to be working with

SSL_OP_ALL

which is a flag that enables some bug workarounds that were considered harmless. 

We, too, use this in ossl_sslctx_s_alloc(VALUE klass) in ossl_ssl.c. Unfortunately, 
this flag also includes

SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

which disables the fix for the "CBC vulnerability". Here is what a comment says 
about the flag (OpenSSL 1.0.0d)

    /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
     * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
     * the workaround is not needed.  Unfortunately some broken SSL/TLS
     * implementations cannot handle it at all, which is why we include
     * it in SSL_OP_ALL. */

If I understand http://www.openssl.org/~bodo/tls-cbc.txt correctly, the most
notable implementation that does not play well with these empty fragments
was (is?) IE - I don't know how this has evolved over time, I would have to 
research further.

An easy fix for the situation would be to discard SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS,
but this would risk affecting existing installations.

What do you propose? Should we solve this before the 1.9.3 release? 

(PS: The actual attack and fix are outlined in 

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.61.5887&rep=rep1&type=pdf

The attack to be presented by Thai Duong and Juliano Rizzo at 

http://ekoparty.org/cronograma.php (caution: currently the site is victim to the "reddit effect")

is very likely to be based on what was already known and should therefore hopefully
require no further fixes.) 

 


-- 
http://bugs.ruby-lang.org/