httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 53899] New: SSL_OP_ALL disables the mitigation code for CVE-2011-3389
Date Wed, 19 Sep 2012 06:59:31 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=53899

          Priority: P2
            Bug ID: 53899
          Assignee: bugs@httpd.apache.org
           Summary: SSL_OP_ALL disables the mitigation code for
                    CVE-2011-3389
          Severity: normal
    Classification: Unclassified
                OS: Linux
          Reporter: me@joejulian.name
          Hardware: PC
            Status: NEW
           Version: 2.5-HEAD
         Component: mod_ssl
           Product: Apache httpd-2

In modules/ssl/ssl_engine_init.c, the use of SSL_OP_ALL actually disables the
OpenSSL feature that works around CVE-2011-3389 (the "BEAST").

Please change:
  SSL_CTX_set_options(ctx, SSL_OP_ALL);
to
  SSL_CTX_set_options(ctx, SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);

-- 
You are receiving this mail because:
You are the assignee for the bug.
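
An added example (not part of the original report and not mod_ssl code) that models the option mask in plain C so it builds without OpenSSL. The `EX_` names are stand-ins: 0x800 is the bit OpenSSL's ssl.h assigns to SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, and `EX_OP_ALL` is a constructed mask that contains it. It goes one step beyond the report: because SSL_CTX_set_options() only ORs bits in, a context that already carries SSL_OP_ALL needs SSL_CTX_clear_options() before the empty-fragment countermeasure is active again.

```c
#include <stdio.h>

/* Stand-ins for OpenSSL macros (assumptions; lets the example build offline). */
#define EX_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800UL /* bit used in ssl.h */
#define EX_OP_ALL                         0x00000BFFUL /* constructed mask, includes the bit above */

/* Model of SSL_CTX_set_options(): bits are ORed in, never removed. */
static unsigned long ex_set_options(unsigned long cur, unsigned long op) { return cur | op; }

/* Model of SSL_CTX_clear_options(): the call that actually removes bits. */
static unsigned long ex_clear_options(unsigned long cur, unsigned long op) { return cur & ~op; }

/* 1 if the empty-fragment countermeasure for CVE-2011-3389 is active. */
static int empty_fragments_active(unsigned long opts)
{
    return (opts & EX_OP_DONT_INSERT_EMPTY_FRAGMENTS) == 0;
}

/* Before: the call the report complains about. */
static unsigned long ctx_before(void) { return ex_set_options(0UL, EX_OP_ALL); }

/* After: the call the report asks for, on a fresh context. */
static unsigned long ctx_after(void)
{
    return ex_set_options(0UL, EX_OP_ALL & ~EX_OP_DONT_INSERT_EMPTY_FRAGMENTS);
}

/* Pitfall: the masked set applied on top of a context that already has EX_OP_ALL. */
static unsigned long ctx_reapplied(void)
{
    return ex_set_options(ctx_before(), EX_OP_ALL & ~EX_OP_DONT_INSERT_EMPTY_FRAGMENTS);
}

/* Repair for an already-configured context: clear the single bit. */
static unsigned long ctx_cleared(void)
{
    return ex_clear_options(ctx_before(), EX_OP_DONT_INSERT_EMPTY_FRAGMENTS);
}

int main(void)
{
    printf("before:    mitigation active = %d\n", empty_fragments_active(ctx_before()));
    printf("after:     mitigation active = %d\n", empty_fragments_active(ctx_after()));
    printf("reapplied: mitigation active = %d\n", empty_fragments_active(ctx_reapplied()));
    printf("cleared:   mitigation active = %d\n", empty_fragments_active(ctx_cleared()));
    return 0;
}
```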