From df0c5663dd944a3dd06936105d0696a704c20e4e Mon Sep 17 00:00:00 2001
From: Kenneth Lakin
Date: Sat, 30 Apr 2016 02:31:51 -0700
Subject: ssl: Add BEAST mitigation selection option
Some legacy TLS 1.0 software does not tolerate the 1/n-1 content
split BEAST mitigation technique. This commit adds a beast_mitigation
SSL option (defaulting to one_n_minus_one) to select or disable the
BEAST mitigation technique.
Valid option values are (one_n_minus_one | zero_n | disabled).
---
lib/ssl/doc/src/ssl.xml | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
(limited to 'lib/ssl/doc')
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index 154664d855..33ece8f769 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -417,10 +417,24 @@ fun(srp, Username :: string(), UserState :: term()) ->
If set to false, it disables the block cipher padding check
to be able to interoperate with legacy software.
-
-
Using {padding_check, boolean()} makes TLS
vulnerable to the Poodle attack.
+
+ {beast_mitigation, one_n_minus_one | zero_n | disabled}
+ Affects SSL-3.0 and TLS-1.0 connections only. Used to change the BEAST
+ mitigation strategy to interoperate with legacy software.
+ Defaults to one_n_minus_one
.
+
+ one_n_minus_one - Perform 1/n-1 BEAST mitigation.
+
+ zero_n - Perform 0/n BEAST mitigation.
+
+ disabled - Disable BEAST mitigation.
+
+ Using {beast_mitigation, disabled} makes SSL or TLS
+ vulnerable to the BEAST attack.
+
+