Posted by Urabe Shyouhei on 16 Feb 2012
In OpenSSL, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option for SSL
connection is used to prevent TLS-CBC-IV vulnerability described at
[1]. It's known issue of TLSv1/SSLv3 but it attracts lots of
attention these days as BEAST attack [2] (CVE-2011-3389). Ruby
related topics are at our issue tracker [3].
Until now Ruby OpenSSL extension uses SSL_OP_ALL option, the combined
option of OpenSSL for various bug workarounds that should be rather
harmless, for all SSL connection by default. And it only allows users to
add other options so you could not remove the feature that is included
in SSL_OP_ALL option, like SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS. It
was intentional as it didn't expose constants like
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but we should allow to unset the
option so that Ruby OpenSSL extension inserts empty fragments at the
beginning of SSL connections (named "0/n splitting") to prevent the
TLS BEAST attack.
This release defines additional constants and allows users to unset
options in SSL_OP_ALL. Default option is still SSL_OP_ALL but you
can setup the SSLSocket with doing "0/n splitting" for BEAST
prevention like this.
ctx = SSLContext.new
ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
SSLSocket.new(socket, ctx)
Credit to Apple for reporting this issue.
NOTE: Some SSL endpoints are known to have a bug that cannot handle "0/n splitting" correctly so we (and OpenSSL) do not set this as a default option. Please test SSL connectivity before enabling this in production environment. If the other endpoint you're connecting cannot handle "0/n splitting", you must use another workaround for preventing the TLS BEAST attack, like enforcing ciphersuite to use RC4. For details, please find discussions and resources around CVE-2011-3389.