January 20, 2014
There have been some important security fixes pending (which you should already have gotton through your favorite distribution); I am sorry for the delayed release (we probably should communicate security bugs on our page and mailing lists too for those who are not following oss-security).
We updated the “standard” ssl cipher string recommendation to
ssl.cipher-list = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK"; see below for the detailed reasons.
Each SSL_CTX also gets loaded with all values for ssl.ca-file from all blocks in the config.
This means that your
ssl.ca-files must not contain cyclic chains and should use unique subject names.
See Debian Bug – #729555 for more details.
- lighttpd SA-2013-01 (CVE-2013-4508)
- lighttpd SA-2013-02 (CVE-2013-4559)
- lighttpd SA-2013-03 (CVE-2013-4560)
OpenSSL cipher string recommendation
The cipher string recommendation is based on ssllabs’ SSL/TLS Deployment Best Practices 1.3 / 17 September 2013:
- BEAST is considered mitigated on client side now and new weaknesses have been found in RC4, so it is strongly advised to disable RC4 ciphers (
HIGHdoesn’t include RC4)
- It is recommended to disable 3DES too (although disabling RC4 and 3DES breaks IE6+8 on Windows XP, so you might want to support 3DES for now – just remove the
!3DESparts below; replace it with
+3DES !MD5at the end to prefer AES128 over 3DES and to disable the 3DES variant with MD5).
- It prefers ciphersuites with “Forward Secrecy” and ECDHE over DHE (alias EDH); remove
+kEDH +kRSAif you don’t want that.
- SRP and PSK are not supported anyway, excluding those (
!kSRP !kPSK) just keeps the list smaller (easier to review)
- As almost all keys these days are RSA limiting to
aRSA+HIGHmake the lists even smaller. Use
aRSA+HIGHfor a more generic version.
- If you want to enforce “Forward Secrecy” (breaks some clients) replace
Not included on purpose:
STRENGTH: the list from
HIGHis already ordered, reordering is not required.
STRENGTHalso prefers 3DES over AES128.
HIGHshouldn’t include those ciphers in recent openssl versions, no need to remove them. If you are using an old version, appending
!RC4 !NULLshould fix it (and does no harm in recent versions). Consider upgrading too – you probably are missing TLS1.2.
HIGHmight include a 3DES cipher with MD5 on old systems;
!3DESshould remove MD5 too.
!ADH: doesn’t matter on server side, and clients should always verify the server certificate, which fails when the server doesn’t have one.
You can check the cipher list with:
openssl ciphers -v 'aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK' | column -t (use single quotes as your shell won’t like
! in double quotes).
The default DH-parameters included in lighttpd are only 1024-bit; some implementations out there can’t handle more, and you can’t negotiate them. To fix this you have two options:
- Remove the DH ciphers: replace
- Use 4096-bit paramters and break clients with which you would negotiate DH but only support 1024-bit paramters. Put the following (in gnutls included) parameters in a file and set them with the
-----BEGIN DH PARAMETERS----- MIICCAKCAgEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq 5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O +S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0BjGZ//////////8CAQU= -----END DH PARAMETERS-----
- lighttpd-1.4.34.tar.gz (GPG signature)
- lighttpd-1.4.34.tar.bz2 (GPG signature)
- lighttpd-1.4.34.tar.xz (GPG signature)
- SHA256 checksums