Home / exploits Lighttpd using vulnerable cipher suites with SNI
Posted on 05 November 2013
I'd like to request a CVE id for the following bug: Nathan Bishop <me () nbishop name> reported (http://redmine.lighttpd.net/issues/2525) that lighttpd uses vulnerable cipher suites when SNI is used: $HTTP["Host"] == "example.com" { ssl.pemfile = "/etc/ssl/certs/example.com.pem" } $SERVER["socket"] == ":443" { ssl.engine = "enable" ssl.pemfile = "/etc/ssl/certs/default.pem" ssl.cipher-list = "HIGH" } This config uses the "DEFAULT" cipher list for "example.com", which includes export ciphers. More details are available at: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt Please note that the patch is not final yet, and can't be found in SVN. We're still discussing: * whether other options should work in SNI context (we could add all ssl.ca-files to all SSL_CTX instances) * whether to set a default ssl.cipher-list, and which string to pick regards, Stefan
