
Re: [SECURITY] [DSA 2368-1] lighttpd security update



OoO On this cloudy night of Wednesday 21 December 2011, around 01:24,
Nico Golde <nion@debian.org> said:

>   When using CBC ciphers on an SSL enabled virtual host to communicate with
>   certain client, a so called "BEAST" attack allows man-in-the-middle
>   attackers to obtain plaintext HTTP traffic via a blockwise
>   chosen-boundary attack (BCBA) on an HTTPS session.  Technically this is
>   no lighttpd vulnerability.  However, lighttpd offers a workaround to
>   mitigate this problem by providing a possibility to disable CBC ciphers.

>   This update includes this option by default. System administrators
>   are advised to read the NEWS file of this update (as this may break older
>   clients).

The NEWS file is a bit misinformed:

  To minimize the risk of this attack it is recommended either to disable all CBC
  ciphers (beware: this will break older clients), or pursue clients to use safe
  ciphers where possible at least. To do so, set

  ssl.cipher-list =  "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
  ssl.honor-cipher-order = "enable"

ECDHE-RSA-AES256-SHA384 and AES256-SHA256 cipher suites are still using
CBC. However, they are only compatible with TLS 1.2 which is not
vulnerable to the attack.

More important, lighttpd uses OpenSSL which is not compatible with TLS
1.2. Therefore, the above cipher list is the same as:
 RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM

(you can check the output of "openssl ciphers")

I also think that "this will break older clients" is a bit
alarming. Even IE6 supports RC4-SHA. It would be better to say "it may
break very old clients".
-- 
Vincent Bernat ☯ http://vincent.bernat.im

panic("bad_user_access_length executed (not cool, dude)");
        2.0.38 /usr/src/linux/kernel/panic.c

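A way to check the two claims in the message above (which suites in the NEWS cipher list are still CBC, and which of them drop out when the server's OpenSSL tops out at TLSv1) is to parse `openssl ciphers -v` output. This is an added example, not code from the thread or from lighttpd; the cipher table below is constructed in the format `openssl ciphers -v` prints, with the protocol column being the minimum version a suite needs.

```python
# Constructed sample in the layout of `openssl ciphers -v '<cipher list>'`
# (not captured from any particular OpenSSL build). Column 2 is the
# minimum protocol version the suite can be negotiated under.
SAMPLE_OPENSSL_CIPHERS_V = """\
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)    Mac=SHA384
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)    Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA              SSLv3   Kx=RSA      Au=RSA  Enc=AES(256)    Mac=SHA1
DES-CBC3-SHA            SSLv3   Kx=RSA      Au=RSA  Enc=3DES(168)   Mac=SHA1
RC4-SHA                 SSLv3   Kx=RSA      Au=RSA  Enc=RC4(128)    Mac=SHA1
"""

PROTO_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3}


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` lines into {suite_name: {min_proto, enc, mac}}."""
    suites = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # skip blank or malformed lines
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        suites[parts[0]] = {"min_proto": parts[1],
                            "enc": fields.get("Enc", ""),
                            "mac": fields.get("Mac", "")}
    return suites


def is_cbc(suite):
    """BEAST concerns block ciphers in CBC mode (AES, 3DES, ...) with a plain
    HMAC. RC4 is a stream cipher and GCM suites are AEAD, so neither counts."""
    if suite["mac"] == "AEAD":
        return False
    return not suite["enc"].startswith(("RC4", "AESGCM", "AESCCM", "CHACHA"))


def effective_suites(suites, max_proto):
    """Suites a server can actually offer when its TLS stack stops at
    max_proto; on a TLSv1-only stack the TLSv1.2-only suites disappear."""
    return [name for name, s in suites.items()
            if PROTO_RANK[s["min_proto"]] <= PROTO_RANK[max_proto]]


def cbc_exposure(suites, max_proto):
    """Negotiable suites that are still CBC under the given protocol ceiling."""
    return [n for n in effective_suites(suites, max_proto) if is_cbc(suites[n])]


if __name__ == "__main__":
    table = parse_ciphers_v(SAMPLE_OPENSSL_CIPHERS_V)
    for ceiling in ("TLSv1", "TLSv1.2"):
        print(ceiling, "CBC suites still offered:", cbc_exposure(table, ceiling))
```

To run it against a real cipher string, feed the output of `openssl ciphers -v 'RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM'` into `parse_ciphers_v` in place of the constructed sample.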

