
Apache and BEAST



Hi.

I wondered about the status of the BEAST attack in Debian, especially:

1) Can I use any cipher suite and still be secure (e.g. use AES and
disable RC4; the latter is often claimed to secure things... while
there are, however, sources on the web claiming it would be even more
vulnerable than AES)?

2) I know most browsers mitigate it already on their side... but I guess
just by not selecting CBC ciphers if possible (???)... what, however, if I
only offer such?


So the question is: how can I force it on the server side, to be secure
against BEAST?


I also found these:
http://security.stackexchange.com/questions/17080/is-there-a-way-to-mitigate-beast-without-disabling-aes-completely
http://blogs.cisco.com/security/beat-the-beast-with-tls/

which claim openssl fixed the problem already on a protocol level (even
for TLS 1.0).


So can we verify whether SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is set in
Debian's openssl?


Cheers,
Chris.



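One way to answer the last question for a given process, as an added example rather than anything from the original mail: inspect the option word of an SSL_CTX created by the system libssl and test the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit. The bit value 0x800 is taken from OpenSSL's ssl.h and is assumed here because Python's ssl module does not export it by name; the function names are mine.

```python
"""Report whether an OpenSSL-backed TLS context keeps the CBC empty-fragment
countermeasure active, i.e. whether SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is
clear in its option bits. The bit is part of OpenSSL's own SSL_OP_ALL, so a
server that applies the full SSL_OP_ALL mask switches the countermeasure off.
"""
import ssl

# Bit value of SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS in <openssl/ssl.h>
# (assumed constant, copied from the header; not exported by Python's ssl).
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = 0x00000800

# Python's ssl.OP_ALL deliberately masks this bit out; reconstruct OpenSSL's
# full SSL_OP_ALL so the "server set SSL_OP_ALL" case can be examined too.
OPENSSL_SSL_OP_ALL = int(ssl.OP_ALL) | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS


def empty_fragments_enabled(options: int) -> bool:
    """True when the countermeasure is active (the DONT_INSERT bit is clear)."""
    return not (int(options) & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)


def audit_options(options: int) -> dict:
    """Summarise an SSL_CTX option word the way an admin would want to read it."""
    opts = int(options)
    return {
        "options_hex": hex(opts),
        "dont_insert_empty_fragments": bool(opts & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS),
        "countermeasure_enabled": empty_fragments_enabled(opts),
    }


def default_context_has_countermeasure() -> bool:
    """Check the context the system libssl hands to a freshly created server
    context (CPython clears the bit on creation, so this should be True)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    return empty_fragments_enabled(ctx.options)


if __name__ == "__main__":
    print("fresh server context:", audit_options(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).options))
    print("full OpenSSL SSL_OP_ALL:", audit_options(OPENSSL_SSL_OP_ALL))
```

For a process you do not control (a running httpd, say), the same test applies to the value returned by SSL_CTX_get_options on its context; only the way you obtain that word differs.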