author Jack Lloyd <[email protected]> 2016-04-15 02:09:45 -0400
committer Jack Lloyd <[email protected]> 2016-04-15 02:09:45 -0400
commit 6315841fca399cf9bdc62b324fdfe0e23b9afbe9
tree 30aada06ff2169efe442c39ccd48e644dcfb2364 /doc
parent 0b06b4f61b497c7ad9869441f12ee287b65cde36
Don't reject TLS packets with zero plaintext bytes
OpenSSL sends an empty record before each new data record in TLS v1.0 to randomize the IV, as a countermeasure to the BEAST attack. Most implementations use 1/(n-1) splitting for this instead. Bug introduced with the const time changes in 1.11.23
Diffstat (limited to 'doc')
-rw-r--r-- doc/news.rst | 5
1 files changed, 5 insertions, 0 deletions
diff --git a/doc/news.rst b/doc/news.rst
index 7a5b3b115..b1a04302a 100644
--- a/doc/news.rst
+++ b/doc/news.rst
@@ -4,6 +4,11 @@ Release Notes
Version 1.11.30, Not Yet Released
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+* In 1.11.23 a bug was introduced such that CBC-encrypted TLS packets
+ containing no plaintext bytes at all were incorrectly rejected with
+ a MAC failure. Records like this are used by OpenSSL in TLS 1.0
+ connections in order to randomize the IV.
+
* Add IETF versions of the ChaCha20Poly1305 TLS ciphersuites from
draft-ietf-tls-chacha20-poly1305-04. The previously implemented
(non-standard) ChaCha20Poly1305 ciphersuites from
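Review bot: the added entry under "Version 1.11.30" says when the bug was introduced but never says that this release fixes it, so in the release notes it reads like a known issue rather than a fix. Suggest leading with the fix, for example "Fix a bug introduced in 1.11.23 where CBC-encrypted TLS packets containing no plaintext bytes at all were incorrectly rejected with a MAC failure." It would also help to state the affected range (1.11.23 up to, but not including, 1.11.30) so users can tell whether their TLS 1.0 connections to OpenSSL peers were affected. The diff shown here is limited to doc/, so no test is visible; worth confirming the code change comes with a regression test for a CBC record with zero plaintext bytes.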