oss-sec mailing list archives

CVE Request: lighttpd using vulnerable cipher suites with SNI


From: Stefan Bühler <stbuehler () lighttpd net>
Date: Mon, 4 Nov 2013 18:16:17 +0100

Hi,

I'd like to request a CVE id for the following bug:

Nathan Bishop <me () nbishop name> reported
(http://redmine.lighttpd.net/issues/2525) that lighttpd uses vulnerable
cipher suites when SNI is used:

    $HTTP["Host"] == "example.com" {
        ssl.pemfile = "/etc/ssl/certs/example.com.pem"
    }
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/ssl/certs/default.pem"
        ssl.cipher-list = "HIGH"
    }

This config uses the "DEFAULT" cipher list for "example.com", which
includes export ciphers.

More details are available at:
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt

Please note that the patch is not final yet, and can't be found in SVN.

We're still discussing:
* whether other options should work in SNI context (we could
  add all ssl.ca-files to all SSL_CTX instances)
* whether to set a default ssl.cipher-list, and which string to pick

regards,
Stefan
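
Added example, not part of the original post and not lighttpd project code: a small lint that flags conditional blocks shaped like the `$HTTP["Host"]` block in the report, i.e. blocks that set ssl.pemfile without their own ssl.cipher-list. The function name and the simplified line-based parsing are assumptions made for illustration.

```python
import re

# Constructed sample: the configuration quoted in the report above.
SAMPLE = '''
$HTTP["Host"] == "example.com" {
    ssl.pemfile = "/etc/ssl/certs/example.com.pem"
}
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/ssl/certs/default.pem"
    ssl.cipher-list = "HIGH"
}
'''

# Matches "key = value", "key += value" and "key := value" assignments.
ASSIGN = re.compile(r'^([\w.-]+)\s*[+:]?=')

def find_pemfile_blocks_without_cipher_list(config_text):
    """Return (line_no, condition) for every conditional block that sets
    ssl.pemfile directly but does not set ssl.cipher-list directly.

    Simplified parser (assumption): one directive per line, block braces
    at line start/end, and no '#' inside quoted values.
    """
    stack, findings = [], []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line.startswith("}"):                 # close the current block
            if stack:
                block = stack.pop()
                keys = block["keys"]
                if "ssl.pemfile" in keys and "ssl.cipher-list" not in keys:
                    findings.append((block["line"], block["cond"]))
            line = line[1:].strip()              # handles "} else $... {"
        if line.endswith("{"):                   # open a new block
            stack.append({"line": line_no, "cond": line[:-1].strip(),
                          "keys": set()})
        elif stack:
            match = ASSIGN.match(line)
            if match:                            # record keys set in this block
                stack[-1]["keys"].add(match.group(1))
    return sorted(findings)

if __name__ == "__main__":
    for line_no, cond in find_pemfile_blocks_without_cipher_list(SAMPLE):
        print(f"line {line_no}: {cond} sets ssl.pemfile without ssl.cipher-list")
```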
