
Bug #2492

closed

openssl beast workaround disabled in 1.4.32

Added by betelgeuse over 7 years ago. Updated about 7 years ago.

Status:
Fixed
Priority:
Normal
Category:
-
Target version:
1.4.33

Description

https://issues.apache.org/bugzilla/show_bug.cgi?id=53899

lighttpd is setting the same SSL_OP_ALL, so BEAST mitigation is not on.

long ssloptions =
SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION;

I checked trunk and there the option is not set on so hopefully just a matter of backporting.
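Added illustration (not lighttpd's or OpenSSL's code): the option mask quoted above, checked for the one bit inside SSL_OP_ALL that suppresses OpenSSL's empty-fragment (1/n-1 record splitting) BEAST workaround, next to the same mask with that bit cleared. The constant values are those of the OpenSSL 1.0.x headers, reproduced so the block compiles without OpenSSL installed; the helper names are assumptions.

```c
#include <stdio.h>

/* Values as in OpenSSL 1.0.x <openssl/ssl.h>, reproduced so this example
 * builds stand-alone; if the real header is included first, its
 * definitions win. */
#ifndef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS             0x00000800L
#endif
#ifndef SSL_OP_ALL
#define SSL_OP_ALL                                     0x80000BFFL
#endif
#ifndef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION  0x00010000L
#endif
#ifndef SSL_OP_NO_COMPRESSION
#define SSL_OP_NO_COMPRESSION                          0x00020000L
#endif

/* The mask lighttpd 1.4.32 hands to SSL_CTX_set_options(), as quoted in the
 * report. SSL_OP_ALL is a bundle of interoperability workarounds, and one of
 * them, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, turns OFF the 1/n-1 record
 * splitting that protects CBC ciphersuites under SSLv3/TLS 1.0 from BEAST. */
unsigned long lighttpd_1_4_32_options(void)
{
    return SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
         | SSL_OP_NO_COMPRESSION;
}

/* 1 if OpenSSL will insert empty fragments (workaround on), 0 if the mask
 * suppresses them. Hypothetical helper, not a lighttpd function. */
int beast_workaround_active(unsigned long options)
{
    return (options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) == 0;
}

/* Keep every other workaround in SSL_OP_ALL, clear only the bit that
 * disables empty-fragment insertion. Some peers cannot parse empty
 * fragments (see comment #1), so this is a deliberate trade-off. */
unsigned long reenable_empty_fragments(unsigned long options)
{
    return options & ~(unsigned long)SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
}

int main(void)
{
    unsigned long before = lighttpd_1_4_32_options();
    unsigned long after  = reenable_empty_fragments(before);
    printf("1.4.32 mask   0x%lx: BEAST workaround %s\n", before,
           beast_workaround_active(before) ? "active" : "disabled");
    printf("hardened mask 0x%lx: BEAST workaround %s\n", after,
           beast_workaround_active(after) ? "active" : "disabled");
    return 0;
}
```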

#1

Updated by stbuehler over 7 years ago

  • Priority changed from Urgent to Normal
  • Target version set to 1.4.33

svn trunk is "dead". For BEAST mitigation we recommend using TLS1.1+ or preferring RC4 (after TLS1.1+ ciphers) as cipher; see the 1.4.30 release announcement.

As some implementations can't handle the empty fragment workaround, I'm not sure I even want to change that. AFAICS Apache only added an option to re-enable the workaround, not making it the default.

Perhaps we'll add an option too, but right now I don't think it will be active by default.

#2

Updated by stbuehler about 7 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2891.
