[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#744094: marked as done (lighttpd: Default ssl.ciphers disables AES-GCM)

Your message dated Sat, 8 Feb 2020 00:46:42 -0500
with message-id <20200208054642.GE17494@xps13>
and subject line 744094-done
has caused the Debian Bug report #744094,
regarding lighttpd: Default ssl.ciphers disables AES-GCM
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
744094: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744094
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Source: lighttpd
Version: 1.4.35-2
Severity: minor

In version 1.4.30-1, the following line was included in default
conf-available/10-ssl.conf as mitigation for BEST attack:

  ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"

NEWS file refers to [1] which back then [2] suggested using the above
cipherlist.  But BEST affected only CBC suites in TLS 1.0 and there
was never any reason to disable AES-GCM.  Referenced blog post also
gave no justification for it.  GCM suites have been, and still are,
considered the best choice available in OpenSSL so it's definitely a
bad idea to disable them by default.  Please check the updated post [1].


[1] http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
[2] https://web.archive.org/web/20111216165019/http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html

--- End Message ---
--- Begin Message --- 
Package: lighttpd
Version: lighttpd/1.4.53-3

fixed upstream in lighttpd 1.4.53-3

--- End Message ---
Reply to: