[pkg-lighttpd] [SECURITY] [DSA 2368-1] lighttpd security update
bernat at debian.org
Wed Dec 21 07:40:13 UTC 2011
OoO On this cloudy night of Wednesday 21 December 2011, around 01:24,
Nico Golde <nion at debian.org> said:
> When using CBC ciphers on an SSL enabled virtual host to communicate with
> certain client, a so called "BEAST" attack allows man-in-the-middle
> attackers to obtain plaintext HTTP traffic via a blockwise
> chosen-boundary attack (BCBA) on an HTTPS session. Technically this is
> no lighttpd vulnerability. However, lighttpd offers a workaround to
> mitigate this problem by providing a possibility to disable CBC ciphers.
> This updates includes this option by default. System administrators
> are advised to read the NEWS file of this update (as this may break older
The NEWS file is a bit misinformed:
To minimize the risk of this attack it is recommended either to disable all CBC
ciphers (beware: this will break older clients), or pursue clients to use safe
ciphers where possible at least. To do so, set
ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
ssl.honor-cipher-order = "enable"
ECDHE-RSA-AES256-SHA384 and AES256-SHA256 cipher suites are still using
CBC. However, they are only compatible with TLS 1.2 which is not
vulnerable to the attack.
More important, lighttpd uses OpenSSL which is not compatible with TLS
1.2. Therefore, the above cipher list is the same as:
(you can check the output of "openssl ciphers")
I also think that "this will break older clients" is a bit
alarming. Even IE6 supports RC4-SHA. It would be better to say "it may
break very old clients".
Vincent Bernat ☯ http://vincent.bernat.im
panic("bad_user_access_length executed (not cool, dude)");
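A way to check the point made above, as an added example that is not part of the mailing-list post: the script below parses the verbose output of "openssl ciphers -v" (the format is name, minimum protocol, Kx, Au, Enc, Mac) and reports which suites in the list use CBC and which are only reachable under TLS 1.2. The sample output embedded in it is constructed to look like what a TLS 1.2-capable OpenSSL prints for the NEWS file's list; it also shows that the HIGH group pulls in CBC suites negotiable by TLS 1.0 clients behind RC4-SHA, so the server's preference order (ssl.honor-cipher-order) is what keeps RC4 ahead of them. The helper names are this example's own.

```python
"""Classify the cipher suites behind a cipher-list string.

Added example, not code from lighttpd or the Debian package. It understands
the output format of `openssl ciphers -v` and flags CBC suites and
TLS 1.2-only suites, which is the check the thread above is about.
"""
from __future__ import annotations

import re
import shutil
import subprocess
from dataclasses import dataclass

# Cipher list quoted from the NEWS file in the thread.
NEWS_CIPHER_LIST = (
    "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
)

# Constructed sample in the format of `openssl ciphers -v`, as a TLS 1.2-capable
# OpenSSL would print it for the list above (an older OpenSSL simply omits the
# two TLSv1.2 lines). Columns: name, protocol, Kx, Au, Enc, Mac.
SAMPLE_OPENSSL_CIPHERS_V = """\
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""

# `openssl ciphers -v` never names the mode. Stream ciphers and AEAD modes get
# their own Enc labels; every other block cipher in that column is CBC.
STREAM_OR_AEAD_PREFIXES = ("RC4", "AESGCM", "AESCCM", "CHACHA20")

LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+Kx=\S+\s+Au=\S+\s+Enc=(\S+)\s+Mac=\S+"
)


@dataclass
class Suite:
    name: str
    protocol: str  # minimum protocol version as printed by openssl
    enc: str       # the Enc=... value, e.g. AES(256) or RC4(128)

    @property
    def uses_cbc(self) -> bool:
        return not self.enc.upper().startswith(STREAM_OR_AEAD_PREFIXES)

    @property
    def tls12_only(self) -> bool:
        return self.protocol == "TLSv1.2"


def parse_ciphers_v(output: str) -> list[Suite]:
    """Parse `openssl ciphers -v` output, in server preference order."""
    suites = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            suites.append(Suite(m.group(1), m.group(2), m.group(3)))
    return suites


def cbc_reachable_before_tls12(suites: list[Suite]) -> list[str]:
    """CBC suites a client speaking only TLS 1.0/1.1 can still negotiate."""
    return [s.name for s in suites if s.uses_cbc and not s.tls12_only]


def first_cbc_free(suites: list[Suite]) -> str | None:
    """The first non-CBC suite in preference order, which is what a server
    honouring its own order picks when the client offers it."""
    for s in suites:
        if not s.uses_cbc:
            return s.name
    return None


def run_openssl_ciphers(cipher_list: str) -> str | None:
    """Real output from the local openssl binary, or None if it is absent."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(
        ["openssl", "ciphers", "-v", cipher_list],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout if proc.returncode == 0 else None


if __name__ == "__main__":
    output = run_openssl_ciphers(NEWS_CIPHER_LIST) or SAMPLE_OPENSSL_CIPHERS_V
    suites = parse_ciphers_v(output)
    print("TLS 1.2-only:", [s.name for s in suites if s.tls12_only])
    print("first non-CBC suite:", first_cbc_free(suites))
    print("CBC suites reachable below TLS 1.2:", cbc_reachable_before_tls12(suites))
```

Run it with no arguments: it uses the local openssl if one is installed (so the result reflects that build's TLS 1.2 support) and otherwise the embedded sample. On the sample, RC4-SHA is the first non-CBC suite, and three CBC suites from HIGH remain negotiable by pre-TLS 1.2 clients that do not offer RC4.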