curl-users

Security question about SSL Beast

From: Barry Ruffner <barryruffner_at_gmail.com>
Date: Thu, 19 Apr 2012 10:26:44 -0700

Background

We have been investigating some issues with users connecting to our servers. We are running IIS 7.0 on Windows 2008 R2 SP1. The issue appeared when our users upgraded their OpenSSL to the most recent version, where the SSL Beast vulnerability fixes were introduced. The symptom we see is that when the 0-byte packet is sent to IIS, there is a period where IIS does not respond correctly. This is repeated about 10 times until IIS eventually drops the connection.

When using the --ssl-allow-beast option in versions 7.24.0+, everything works as expected. We have applied the relevant patches to IIS which address the SSL Beast vulnerability to the servers as part of the service pack. It appears they are expecting a packet of more than 0 bytes (1 byte) and do not handle the way curl/OpenSSL are handling this exploit.

Question

What are the risks of using curl with --ssl-allow-beast in a server environment uploading files to remote servers? From what I have seen, this applies to browsers accessing servers using a man-in-the-middle attack when on the same network to get cookies. How does this apply to a server uploading to another server, and what information can be taken from this type of interaction?

I realize passing the --ssl-allow-beast parameter is the same as using the older version of OpenSSL, but I want to understand what the overall risk is, as I am not a security expert.

Best,
   Barry
Received on 2012-04-19
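
One way to confine the workaround described in the message to the servers that need it, so other uploads keep the countermeasure enabled. This is an added example, not part of the original message and not code from the curl project; the host names are constructed placeholders and the function names (`url_host`, `tls_compat_opts`, `upload`) are hypothetical.

```shell
#!/bin/sh
# Hosts known to stall on the empty-fragment countermeasure.
# Constructed placeholder names, not taken from the original message.
BEAST_COMPAT_HOSTS="upload.legacy-iis.example files.partner.example"

# Print the lower-cased host of an https:// URL; fail for any other scheme.
# IPv6 literals are not parsed and therefore never match the allowlist.
url_host() {
    case "$1" in
        https://*) ;;
        *) return 1 ;;
    esac
    rest=${1#https://}
    rest=${rest%%[/?#]*}   # drop path, query and fragment
    rest=${rest##*@}       # drop userinfo
    rest=${rest%%:*}       # drop port
    [ -n "$rest" ] || return 1
    printf '%s\n' "$rest" | tr 'A-Z' 'a-z'
}

# Print the extra curl option for this URL: --ssl-allow-beast only on an
# exact allowlist match, nothing for every other https host.
tls_compat_opts() {
    host=$(url_host "$1") || return 1
    for allowed in $BEAST_COMPAT_HOSTS; do
        if [ "$host" = "$allowed" ]; then
            printf '%s\n' "--ssl-allow-beast"
            return 0
        fi
    done
    return 0
}

# upload FILE URL: send FILE with curl, relaxing the countermeasure only
# where the allowlist says the server needs it.
upload() {
    opts=$(tls_compat_opts "$2") || {
        echo "refusing non-https URL: $2" >&2
        return 2
    }
    # $opts is deliberately unquoted: it is empty or exactly one flag.
    curl --fail --silent --show-error $opts --upload-file "$1" "$2"
}

if [ "$#" -eq 2 ]; then
    upload "$1" "$2"
fi
```

The match is on the exact host name, so a name that merely begins with an allowlisted host does not receive the flag.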