January 20, 2014
There have been some important security fixes pending (which you should already have gotton through your favorite distribution); I am sorry for the delayed release (we probably should communicate security bugs on our page and mailing lists too for those who are not following oss-security).
We updated the “standard” ssl cipher string recommendation to
ssl.cipher-list = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK"; see below for the detailed reasons.
Each SSL_CTX also gets loaded with all values for ssl.ca-file from all blocks in the config.
This means that your
ssl.ca-files must not contain cyclic chains and should use unique subject names.
See Debian Bug – #729555 for more details.
- lighttpd SA-2013-01 (CVE-2013-4508)
- lighttpd SA-2013-02 (CVE-2013-4559)
- lighttpd SA-2013-03 (CVE-2013-4560)
OpenSSL cipher string recommendation
The cipher string recommendation is based on ssllabs’ SSL/TLS Deployment Best Practices 1.3 / 17 September 2013:
- BEAST is considered mitigated on client side now and new weaknesses have been found in RC4, so it is strongly advised to disable RC4 ciphers (
HIGHdoesn’t include RC4)
- It is recommended to disable 3DES too (although disabling RC4 and 3DES breaks IE6+8 on Windows XP, so you might want to support 3DES for now – just remove the
!3DESparts below; replace it with
+3DES !MD5at the end to prefer AES128 over 3DES and to disable the 3DES variant with MD5).
- The examples below prefer ciphersuites with “Forward Secrecy” and ECDHE over DHE (alias EDH); remove
+kEDH +kRSAif you don’t want that.
- SRP and PSK are not supported anyway, excluding those (
!kSRP !kPSK) just keeps the list smaller (easier to review)
- As almost all keys these days are RSA limiting to
aRSA+HIGHmake the lists even smaller. Use
aRSA+HIGHfor a more generic version.
Not included on purpose:
STRENGTH: the list from
HIGHis already ordered, reordering is not required.
STRENGTHalso prefers 3DES over AES128.
HIGHshouldn’t include those ciphers, no need to remove them.
HIGHmight include a 3DES cipher with MD5 on old systems;
!3DESshould remove MD5 too.
!ADH: doesn’t matter on server side, and clients should always verify the server certificate, which fails when the server doesn’t have one.
You can check the cipher list with:
openssl ciphers -v 'aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK' | column -t (use single quotes as your shell won’t like
! in double quotes).
- lighttpd-1.4.34.tar.gz (GPG signature)
- lighttpd-1.4.34.tar.bz2 (GPG signature)
- lighttpd-1.4.34.tar.xz (GPG signature)
- SHA256 checksums
Changes from 1.4.33
- [mod_auth] explicitly link ssl for SHA1 (fixes #2517)
- [mod_extforward] fix compilation without IPv6, (not) using undefined var (fixes #2515, thx mm)
- [ssl] fix SNI handling; only use key+cert from SNI specific config (fixes #2525, CVE-2013-4508)
- [doc] update ssl.cipher-list recommendation
- [stat-cache] FAM: fix use after free (CVE-2013-4560)
- [stat-cache] fix FAM cleanup/fdevent handling
- [core] check success of setuid,setgid,setgroups (CVE-2013-4559)
- [ssl] fix regression from CVE-2013-4508 (client-cert sessions were broken)
- maintain physical.basedir (the “acting” doc-root as prefix of physical.path) in more places
- [core] decode URL before rewrite, enabling it to work in $HTTP[“url”] conditionals (fixes #2526)
- [auto* build] remove -no-undefined from linker flags, as we actually link modules with undefined symbols (fixes #2533)
- [mod_mysql_vhost] fix memory leak on config init (#2530)
- [mod_webdav] fix fd leak found with parfait (fixes #2530, thx kukackajiri)