
Re: Security question about SSL Beast

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Mon, 23 Apr 2012 14:01:16 +0200

On Thursday 19 April 2012 19:26:44 Barry Ruffner wrote:
> When using the --ssl-allow-beast in versions 7.24.0+ everything works as
> expected. We have applied the relevant patches to IIS which address the SSL
> Beast vulnerability to the servers as part of the service pack. It appears
> they are expecting a packet of more than 0 bytes (1 byte) and do not handle
> the way curl/openssl are handling this exploit.

You can try to compile libcurl against NSS instead of OpenSSL. NSS uses
another approach to prevent this kind of attack and does not send empty
packets. There is also a patch implementing the same approach for OpenSSL:

http://rt.openssl.org/Ticket/Display.html?id=2635

Kamil
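The two mitigations contrasted in this thread differ in the shape of the TLS records they put on the wire: OpenSSL's countermeasure precedes each application-data record with a zero-length record, while NSS's 1/n-1 split sends the first byte of the plaintext in its own record and the rest in a second one. Both defeat BEAST's chosen-plaintext trick, since the attacker-controlled bytes end up encrypted under a CBC IV that was not predictable when the plaintext was chosen, but only the NSS variant avoids empty records. The following Python is an added illustration written for this page; it is not code from curl, OpenSSL or NSS, and the record layout is a simplified model (content type and payload only, no encryption). The `strict_server_accepts` function models the peer behaviour the original poster describes, a server that discards zero-length application-data records; that behaviour is an assumption taken from the report, not a documented IIS property.

```python
"""Model of the two BEAST record-splitting strategies (added example)."""
from dataclasses import dataclass
from typing import List

APPLICATION_DATA = 23  # TLS ContentType value for application_data


@dataclass
class Record:
    """Simplified TLS record: just the content type and the plaintext payload."""
    content_type: int
    payload: bytes


def split_empty_fragment(plaintext: bytes) -> List[Record]:
    """OpenSSL-style countermeasure: a zero-length record precedes the data.

    The empty record is encrypted first, so the IV the real data sees is the
    last ciphertext block of the empty record, which the attacker cannot
    predict before committing their plaintext.
    """
    if not plaintext:
        return []
    return [Record(APPLICATION_DATA, b""), Record(APPLICATION_DATA, plaintext)]


def split_one_n_minus_one(plaintext: bytes) -> List[Record]:
    """NSS-style 1/n-1 split: one byte in the first record, n-1 in the second.

    The single leading byte is encrypted under the predictable IV, but the
    remaining n-1 bytes are chained off a ciphertext block the attacker did
    not know in advance. No zero-length record is ever produced.
    """
    if not plaintext:
        return []
    if len(plaintext) == 1:
        # Nothing to split off; a lone byte is already a 1-byte record.
        return [Record(APPLICATION_DATA, plaintext)]
    return [
        Record(APPLICATION_DATA, plaintext[:1]),
        Record(APPLICATION_DATA, plaintext[1:]),
    ]


def strict_server_accepts(records: List[Record]) -> bool:
    """Model (assumption) of a peer that rejects zero-length data records."""
    return all(len(r.payload) > 0 for r in records)


def reassemble(records: List[Record]) -> bytes:
    """Concatenate record payloads back into the original application data."""
    return b"".join(r.payload for r in records)


if __name__ == "__main__":
    # Constructed sample request line, not captured traffic.
    request = b"GET / HTTP/1.1\r\n"
    for name, splitter in (("empty fragment", split_empty_fragment),
                           ("1/n-1 split", split_one_n_minus_one)):
        recs = splitter(request)
        print(name, [len(r.payload) for r in recs],
              "accepted by strict server:", strict_server_accepts(recs))
```

Running the script shows the empty-fragment layout as record lengths `[0, 16]`, which the strict peer refuses, and the 1/n-1 layout as `[1, 15]`, which it accepts; both reassemble to the original request, which is the reason switching the TLS backend (or applying the OpenSSL 1/n-1 patch) can resolve the interoperability problem without giving up the mitigation.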
Received on 2012-04-23