Opened 5 years ago
Last modified 3 years ago
#1977 new enhancement
Implement TLS 1.3 random record padding to mitigate BREACH — at Version 1
| Reported by: | Craig Andrews | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-module | Version: | 1.19.x |
| Keywords: | Cc: | ||
| uname -a: | Linux irrational 5.4.32-gentoo-x86_64 #2 SMP Thu Apr 16 10:45:23 EDT 2020 x86_64 Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz GenuineIntel GNU/Linux | ||
| nginx -V: | nginx version: nginx/1.17.10 | ||
Description (last modified by )
The TLS specification (RFC 8446) section 5.4 defines optional Record Padding: https://tools.ietf.org/html/rfc8446#section-5.4
As a security improvement, I suggest that nginx implement random record padding.
Random record padding would mitigate the BREACH attack (and other similar) vulnerabilities.
In OpenSSL, this is done using SSL_CTX_set_record_padding_callback: https://www.openssl.org/docs/man1.1.1/man3/SSL_set_block_padding.html
Note:
See TracTickets
for help on using tickets.
