oss-sec mailing list archives
CVE Request: lighttpd using vulnerable cipher suites with SNI
From: Stefan Bühler <stbuehler () lighttpd net>
Date: Mon, 4 Nov 2013 18:16:17 +0100
Hi,

I'd like to request a CVE id for the following bug:

Nathan Bishop <me () nbishop name> reported (http://redmine.lighttpd.net/issues/2525) that lighttpd uses vulnerable cipher suites when SNI is used:

    $HTTP["Host"] == "example.com" {
        ssl.pemfile = "/etc/ssl/certs/example.com.pem"
    }
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/ssl/certs/default.pem"
        ssl.cipher-list = "HIGH"
    }

This config uses the "DEFAULT" cipher list for "example.com", which includes export ciphers.

More details are available at:
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt

Please note that the patch is not final yet, and can't be found in SVN. We're still discussing:
* whether other options should work in SNI context (we could add all ssl.ca-files to all SSL_CTX instances)
* whether to set a default ssl.cipher-list, and which string to pick

regards,
Stefan
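
Added example, not part of the original message and not lighttpd code: a small Python linter that flags every conditional block which sets ssl.pemfile without its own ssl.cipher-list, the pattern shown in the report above. It assumes one statement per line and, as an assumption drawn from the report, that such a block does not pick up ssl.cipher-list from another block on affected versions; the function names are hypothetical.

```python
import re

# Constructed sample: the configuration quoted in the report above.
SAMPLE = '''
$HTTP["Host"] == "example.com" {
    ssl.pemfile = "/etc/ssl/certs/example.com.pem"
}
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/ssl/certs/default.pem"
    ssl.cipher-list = "HIGH"
}
'''

# Opening line of a conditional block, e.g. $HTTP["Host"] == "example.com" {
COND = re.compile(r'^\s*(?:else\s+)?(\$\w+\["[^"]*"\]\s*\S+\s*"[^"]*")\s*\{\s*$')
# Simple assignment, e.g. ssl.pemfile = "/path"
OPTION = re.compile(r'^\s*([\w.-]+)\s*=\s*(.+?)\s*$')

def strip_comment(line):
    """Drop a trailing # comment, ignoring # inside double quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == '#' and not in_quote:
            return line[:i]
    return line

def find_unprotected_contexts(config_text):
    """Return conditions of blocks that set ssl.pemfile but not ssl.cipher-list."""
    stack, findings = [], []  # stack holds (condition, options set in that block)
    for raw in config_text.splitlines():
        line = strip_comment(raw)
        m = COND.match(line)
        if m:
            stack.append((m.group(1), {}))
            continue
        if line.strip() == '}' and stack:
            cond, opts = stack.pop()
            if 'ssl.pemfile' in opts and 'ssl.cipher-list' not in opts:
                findings.append(cond)
            continue
        m = OPTION.match(line)
        if m and stack:
            stack[-1][1][m.group(1)] = m.group(2)  # record option in innermost block
    return findings
```
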