https://issues.apache.org/bugzilla/show_bug.cgi?id=53899
MikeM <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |PatchAvailable

--- Comment #6 from MikeM <[email protected]> ---
As I understand it, BEAST itself is client based and as such the server can
only mitigate the attack by offering ciphers which are not vulnerable (i.e.
non-CBC ciphers).

That said, given how BEAST works, by getting the client to send specific data
and seeing the cipher text, I would imagine that it could be theoretically
possible to send requests to a server constructed in such a way that returned
packets could be used to do much the same thing as BEAST does for outgoing
data and packets.

Regardless of BEAST or not, I have created the attached patch, which can be
applied to 2.5-dev, 2.4.4 and 2.2.24 and which creates a new option
"SSLEnableEmptyFragments". This option allows one to remove the
"SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS" flag from SSL_OP_ALL.

Please consider this patch for inclusion into the tree.

The usual caveats apply - OpenSSL indicates there might be compatibility
issues with some clients... but hey :)
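The comment describes the patch's mechanism without showing it: OpenSSL's SSL_OP_ALL bundle contains SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, and a server that wants the empty-fragment BEAST countermeasure has to clear that one bit from its option set. The following is an added example, not MikeM's mod_ssl patch and not httpd code. It uses Python's ssl module as a front end to the same OpenSSL SSL_CTX option bits, so the "SSLEnableEmptyFragments" on/off behaviour is modelled by a hypothetical build_server_context(enable_empty_fragments) function. Two assumptions: the flag's numeric value (0x0800, taken from openssl/ssl.h, since Python does not export it) and the directive-to-flag mapping, which follows the comment's description rather than the attached patch.

```python
"""Model an "SSLEnableEmptyFragments" style switch on top of OpenSSL's
SSL_CTX option bits, via Python's ssl module (added example, not the
mod_ssl patch discussed in the bug)."""
import ssl

# OpenSSL's SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit.  Python's ssl module does not
# export this flag, so the value is spelled out here; assumption: 0x0800 is the
# bit value used by every OpenSSL series CPython links against (per openssl/ssl.h).
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = 0x00000800


def build_server_context(enable_empty_fragments: bool) -> ssl.SSLContext:
    """Build a server context the way a hypothetical SSLEnableEmptyFragments
    directive would.

    SSL_OP_ALL carries the DONT_INSERT bit, which turns off the 0-byte CBC
    record OpenSSL otherwise sends ahead of each SSLv3/TLS 1.0 CBC record.
    Clearing the bit re-enables that record, so the IV of the data-carrying
    record is no longer predictable from the previous ciphertext block (the
    precondition BEAST relies on).  Setting the bit keeps the compatibility
    workaround for clients that cannot handle empty fragments.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Work on plain ints so the bit arithmetic is the same on every Python
    # version; the setter maps cleared bits to SSL_CTX_clear_options and set
    # bits to SSL_CTX_set_options.
    current = int(ctx.options)
    if enable_empty_fragments:
        # "SSLEnableEmptyFragments on": remove the flag from the option set.
        ctx.options = current & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
    else:
        # "SSLEnableEmptyFragments off": keep the OpenSSL workaround bit.
        ctx.options = current | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
    return ctx


def empty_fragments_enabled(ctx: ssl.SSLContext) -> bool:
    """Effective setting, read back from OpenSSL (SSL_CTX_get_options)."""
    return not (int(ctx.options) & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)


def describe(ctx: ssl.SSLContext) -> str:
    """One-line summary of the effective state, e.g. for a startup log."""
    state = "on" if empty_fragments_enabled(ctx) else "off"
    return f"empty CBC fragments: {state} (options=0x{int(ctx.options):x})"


if __name__ == "__main__":
    for flag in (True, False):
        print(describe(build_server_context(flag)))
```

Note that the example sets the bit explicitly for the "off" case instead of relying on the default: CPython's own _ssl.c initialises every SSLContext from SSL_OP_ALL with SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS already cleared, i.e. Python's ssl module ships with the behaviour this patch offers httpd as an option. Whether the empty fragment matters at all also depends on the negotiated suite: it only affects CBC ciphers under SSLv3/TLS 1.0, which is why the comment's first point (prefer non-CBC ciphers) is the broader mitigation.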
