aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/doc/src/ssl.xml
diff options
context:
space:
mode:
authorKenneth Lakin <[email protected]>2016-04-30 02:31:51 -0700
committerKenneth Lakin <[email protected]>2016-05-26 02:58:55 -0700
commitdf0c5663dd944a3dd06936105d0696a704c20e4e (patch)
tree0327c1f812afe0a9786acb3bf303ab665135825c /lib/ssl/doc/src/ssl.xml
parent42a0229c44875f927bc1fda138d24131874a1c3c (diff)
downloadotp-df0c5663dd944a3dd06936105d0696a704c20e4e.tar.gz
otp-df0c5663dd944a3dd06936105d0696a704c20e4e.tar.bz2
otp-df0c5663dd944a3dd06936105d0696a704c20e4e.zip
ssl: Add BEAST mitigation selection option
Some legacy TLS 1.0 software does not tolerate the 1/n-1 content split BEAST mitigation technique. This commit adds a beast_mitigation SSL option (defaulting to one_n_minus_one) to select or disable the BEAST mitigation technique. Valid option values are (one_n_minus_one | zero_n | disabled).
Diffstat (limited to 'lib/ssl/doc/src/ssl.xml')
-rw-r--r--lib/ssl/doc/src/ssl.xml18
1 files changed, 16 insertions, 2 deletions
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index 154664d855..33ece8f769 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -417,10 +417,24 @@ fun(srp, Username :: string(), UserState :: term()) ->
If set to <c>false</c>, it disables the block cipher padding check
to be able to interoperate with legacy software.</p></item>
- </taglist>
-
<warning><p>Using <c>{padding_check, boolean()}</c> makes TLS
vulnerable to the Poodle attack.</p></warning>
+
+ <tag><c>{beast_mitigation, one_n_minus_one | zero_n | disabled}</c></tag>
+ <item><p>Affects SSL-3.0 and TLS-1.0 connections only. Used to change the BEAST
+ mitigation strategy to interoperate with legacy software.
+ Defaults to <c>one_n_minus_one</c></p>.
+
+ <p><c>one_n_minus_one</c> - Perform 1/n-1 BEAST mitigation.</p>
+
+ <p><c>zero_n</c> - Perform 0/n BEAST mitigation.</p>
+
+ <p><c>disabled</c> - Disable BEAST mitigation.</p></item>
+
+ <warning><p>Using <c>{beast_mitigation, disabled}</c> makes SSL or TLS
+ vulnerable to the BEAST attack.</p></warning>
+ </taglist>
+
</section>
<section>