https://issues.apache.org/bugzilla/show_bug.cgi?id=53899
Priority: P2
Bug ID: 53899
Assignee: [email protected]
Summary: SSL_OP_ALL disables the mitigation code for CVE-2011-3389
Severity: normal
Classification: Unclassified
OS: Linux
Reporter: [email protected]
Hardware: PC
Status: NEW
Version: 2.5-HEAD
Component: mod_ssl
Product: Apache httpd-2
In modules/ssl/ssl_engine_init.c, the use of SSL_OP_ALL actually disables the
OpenSSL feature that works around CVE-2011-3389 (the "BEAST").
Please change:
    SSL_CTX_set_options(ctx, SSL_OP_ALL);
to
    SSL_CTX_set_options(ctx, SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);