Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 4 Nov 2013 18:16:17 +0100
From: Stefan B├╝hler <stbuehler@...httpd.net>
To: oss-security@...ts.openwall.com
Subject: CVE Request: lighttpd using vulnerable cipher suites with SNI

Hi,

I'd like to request a CVE id for the following bug:

Nathan Bishop <me@...shop.name> reported
(http://redmine.lighttpd.net/issues/2525) that lighttpd uses vulnerable
cipher suites when SNI is used:

    $HTTP["Host"] == "example.com" {
        ssl.pemfile = "/etc/ssl/certs/example.com.pem"
    }
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/ssl/certs/default.pem"
        ssl.cipher-list = "HIGH"
    }

This config uses the "DEFAULT" cipher list for "example.com", which
includes export ciphers.

More details are available at:
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt

Please note that the patch is not final yet, and can't be found in SVN.

We're still discussing:
* whether other options should work in SNI context (we could
  add all ssl.ca-files to all SSL_CTX instances)
* whether to set a default ssl.cipher-list, and which string to pick

regards,
Stefan

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.