From 4877ca714b473501c647eb24608bb6d28f80027a Mon Sep 17 00:00:00 2001 From: Erlang/OTP Date: Wed, 22 Nov 2017 15:55:47 +0100 Subject: Update release notes --- lib/ssl/doc/src/notes.xml | 54 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) (limited to 'lib/ssl/doc/src') diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml index d13ad09470..d37a180f54 100644 --- a/lib/ssl/doc/src/notes.xml +++ b/lib/ssl/doc/src/notes.xml @@ -28,6 +28,60 @@

This document describes the changes made to the SSL application.

+
SSL 8.1.3.1 + +
Fixed Bugs and Malfunctions + + +

An erlang TLS server configured with cipher suites + using rsa key exchange, may be vulnerable to an Adaptive + Chosen Ciphertext attack (AKA Bleichenbacher attack) + against RSA, which when exploited, may result in + plaintext recovery of encrypted messages and/or a + Man-in-the-middle (MiTM) attack, despite the attacker not + having gained access to the server’s private key + itself. CVE-2017-1000385 +

Exploiting this vulnerability to perform + plaintext recovery of encrypted messages will, in most + practical cases, allow an attacker to read the plaintext + only after the session has completed. Only TLS sessions + established using RSA key exchange are vulnerable to this + attack.

Exploiting this vulnerability to conduct + a MiTM attack requires the attacker to complete the + initial attack, which may require thousands of server + requests, during the handshake phase of the targeted + session within the window of the configured handshake + timeout. This attack may be conducted against any TLS + session using RSA signatures, but only if cipher suites + using RSA key exchange are also enabled on the server. + The limited window of opportunity, limitations in + bandwidth, and latency make this attack significantly + more difficult to execute.

RSA key exchange is + enabled by default although least prioritized if server + order is honored. For such a cipher suite to be chosen it + must also be supported by the client and probably the + only shared cipher suite.

Captured TLS sessions + encrypted with ephemeral cipher suites (DHE or ECDHE) are + not at risk for subsequent decryption due to this + vulnerability.

As a workaround if default cipher + suite configuration was used you can configure the server + to not use vulnerable suites with the ciphers option like + this:

{ciphers, [Suite || Suite <- + ssl:cipher_suites(), element(1,Suite) =/= rsa]}

+ that is your code will look somethingh like this:

+ ssl:listen(Port, [{ciphers, [Suite || Suite <- + ssl:cipher_suites(), element(1,S) =/= rsa]} | Options]). +

Thanks to Hanno Böck, Juraj Somorovsky and + Craig Young for reporting this vulnerability.

+

+ Own Id: OTP-14748

+
+
+
+ +
+
SSL 8.1.3
Fixed Bugs and Malfunctions -- cgit v1.2.3