logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: TLS-SSL Server Blockwise Chosen-Boundary Browser Weakness
Author
shishir



Joined: 07 Mar 2012
Posts: 7
Location: India, Bangalore

PostPosted: Thu 08 Mar '12 8:30    Post subject: TLS-SSL Server Blockwise Chosen-Boundary Browser Weakness Reply with quote

HI,

Can anybody help me finding the solution of the below
issue?

12690 - TLS-SSL Server Blockwise Chosen-Boundary Browser Weakness
Description
A vulnerability is present in some versions of the TLS and SSL Protocols.

I also understand that there is a problem with TLSV1 and this issue persists with both server and client who will be using TLSV1. I just want to know if there is any way to overcome this issue in Apache?
I am currently on Apache version to 2.2.21 and OpenSSL to 1.0.0e.
I am not sure if OpenSSL is coming with TLS1.1 or later which is integrated with Apache?

Suggestions please.

Thanks,
Shishir
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Thu 08 Mar '12 12:49    Post subject: Reply with quote

I see your post at webmasterworld dot com

The NIST database says

"The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack."

The BEAST attack vector in Windows was closed in a recent Windows update, if I remember correctly it came off cycle (not on Black Tuesday of every month). I do not feel like scrounging for the KB number.

How are we dealing with it here?

see
http://www.apachelounge.com/viewtopic.php?t=4337
http://www.apachelounge.com/viewtopic.php?t=4108

Basically, go with an RC4 cypher, it's 128 bit but it's a stream cypher, not a block cypher (CBC), all the block cyphers are BEASTable.

Google uses RC4, so do I.

SSLCipherSuite -ALL:RC4-SHA:-aNULL
Back to top


Reply to topic   Topic: TLS-SSL Server Blockwise Chosen-Boundary Browser Weakness View previous topic :: View next topic
Post new topic   Forum Index -> Apache