From df0c5663dd944a3dd06936105d0696a704c20e4e Mon Sep 17 00:00:00 2001
From: Kenneth Lakin <kennethlakin@gmail.com>
Date: Sat, 30 Apr 2016 02:31:51 -0700
Subject: ssl: Add BEAST mitigation selection option

Some legacy TLS 1.0 software does not tolerate the 1/n-1 content
split BEAST mitigation technique. This commit adds a beast_mitigation
SSL option (defaulting to one_n_minus_one) to select or disable the
BEAST mitigation technique.

Valid option values are (one_n_minus_one | zero_n | disabled).
---
 lib/ssl/src/ssl.erl | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'lib/ssl/src/ssl.erl')

diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 51732b4a59..5dc2e583a5 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -725,6 +725,7 @@ handle_options(Opts0, Role) ->
 						       server, Role),
 		    protocol = proplists:get_value(protocol, Opts, tls),
 		    padding_check =  proplists:get_value(padding_check, Opts, true),
+		    beast_mitigation = handle_option(beast_mitigation, Opts, one_n_minus_one),
 		    fallback = handle_option(fallback, Opts,
 					     proplists:get_value(fallback, Opts,    
 								 default_option_role(client, 
@@ -746,7 +747,7 @@ handle_options(Opts0, Role) ->
 		  alpn_preferred_protocols, next_protocols_advertised,
 		  client_preferred_next_protocols, log_alert,
 		  server_name_indication, honor_cipher_order, padding_check, crl_check, crl_cache,
-		  fallback, signature_algs],
+		  fallback, signature_algs, beast_mitigation],
 
     SockOpts = lists:foldl(fun(Key, PropList) ->
 				   proplists:delete(Key, PropList)
@@ -986,6 +987,10 @@ validate_option(crl_check, Value) when (Value == best_effort) or (Value == peer)
     Value;
 validate_option(crl_cache, {Cb, {_Handle, Options}} = Value) when is_atom(Cb) and is_list(Options) ->
     Value;
+validate_option(beast_mitigation, Value) when Value == one_n_minus_one orelse
+                                              Value == zero_n orelse
+                                              Value == disabled ->
+  Value;
 validate_option(Opt, Value) ->
     throw({error, {options, {Opt, Value}}}).
 
-- 
cgit v1.2.3