[Bug 64434] New: Implement TLS 1.3 random record padding to mitigate BREACH

bugzilla Wed, 13 May 2020 17:53:32 -0700

https://bz.apache.org/bugzilla/show_bug.cgi?id=64434


            Bug ID: 64434
           Summary: Implement TLS 1.3 random record padding to mitigate
                    BREACH
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

The TLS specification (RFC 8446) section 5.4 defines optional Record Padding:
https://tools.ietf.org/html/rfc8446#section-5.4

As a security improvement, I suggest that httpd implement random record
padding.

Random record padding would mitigate the BREACH attack (and other similar)
vulnerabilities.

In OpenSSL, this is done using SSL_CTX_set_record_padding_callback:
https://www.openssl.org/docs/man1.1.1/man3/SSL_set_block_padding.html

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[Bug 64434] New: Implement TLS 1.3 random record padding to mitigate BREACH

Reply via email to