From df0c5663dd944a3dd06936105d0696a704c20e4e Mon Sep 17 00:00:00 2001 From: Kenneth Lakin Date: Sat, 30 Apr 2016 02:31:51 -0700 Subject: ssl: Add BEAST mitigation selection option Some legacy TLS 1.0 software does not tolerate the 1/n-1 content split BEAST mitigation technique. This commit adds a beast_mitigation SSL option (defaulting to one_n_minus_one) to select or disable the BEAST mitigation technique. Valid option values are (one_n_minus_one | zero_n | disabled). --- lib/ssl/doc/src/ssl.xml | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) (limited to 'lib/ssl/doc') diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml index 154664d855..33ece8f769 100644 --- a/lib/ssl/doc/src/ssl.xml +++ b/lib/ssl/doc/src/ssl.xml @@ -417,10 +417,24 @@ fun(srp, Username :: string(), UserState :: term()) -> If set to false, it disables the block cipher padding check to be able to interoperate with legacy software.

- -

Using {padding_check, boolean()} makes TLS vulnerable to the Poodle attack.

+ + {beast_mitigation, one_n_minus_one | zero_n | disabled} +

Affects SSL-3.0 and TLS-1.0 connections only. Used to change the BEAST + mitigation strategy to interoperate with legacy software. + Defaults to one_n_minus_one

. + +

one_n_minus_one - Perform 1/n-1 BEAST mitigation.

+ +

zero_n - Perform 0/n BEAST mitigation.

+ +

disabled - Disable BEAST mitigation.

+ +

Using {beast_mitigation, disabled} makes SSL or TLS + vulnerable to the BEAST attack.

+ +
-- cgit v1.2.3