
Bug#654764: marked as done (Mitigate B.E.A.S.T attack)



Your message dated Mon, 29 Sep 2014 23:04:55 +0200
with message-id <1841021.ltyXYqic2B@k>
and subject line Re: Bug#654764: Mitigate B.E.A.S.T attack
has caused the Debian Bug report #654764,
regarding Mitigate B.E.A.S.T attack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
654764: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=654764
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.2.21-5

Hi,

The BEAST vulnerability [1] "can be prevented by removing all CBC
ciphers from your list of allowed ciphers—leaving only the RC4
cipher".

But as this can break some old browsers that don't support RC4 (I
couldn't name one, sorry), I propose instead to pop RC4 to the top of
the list:

-SSLCipherSuite HIGH:MEDIUM:!ADH:!MD5
+SSLCipherSuite RC4:HIGH:MEDIUM:!ADH:!MD5:!SSLv2
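
Review bot: on the `+SSLCipherSuite` line, putting `RC4` first only changes the order of the server's list, and mod_ssl follows the client's preference unless `SSLHonorCipherOrder on` is set, which this change does not add. A client that lists CBC suites ahead of RC4 would still negotiate a CBC suite, so the stated goal is not met by this line alone; add `SSLHonorCipherOrder on` next to it. The `!SSLv2` addition is unrelated to BEAST and would be clearer as a separate change with its own changelog entry.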

(this almost-patch also disables SSLv2 ciphers)


[1]: http://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.0

-- 
Mathieu Parent



--- End Message ---
--- Begin Message ---
On Thursday 05 January 2012 16:43:50, Mathieu Parent wrote:
> -SSLCipherSuite HIGH:MEDIUM:!ADH:!MD5
> +SSLCipherSuite RC4:HIGH:MEDIUM:!ADH:!MD5:!SSLv2

RC4 is now considered insecure; the BEAST attack is not a problem
anymore. I don't think we need to keep this bug open. Closing it.

--- End Message ---
