SSL-DoS (key renegotiation) Attack on lighttpd (e.g. on Plesk)
Added by vbeo about 13 years ago
Hello, I'm using the modified lighttpd which serves the Plesk Control Panel under Plesk 10 (Ubuntu 10 LTS). The config file can be found under /etc/sw-cp-server/applications.d/plesk.conf.
It is possible to attack the lighttpd-Server (CP-Port is 8443) with this tool: http://www.thc.org/thc-ssl-dos/
So my question is: how to disable renegotiation (of ssl-key) in lighttpd?
Thx. Chris
Replies (5)
RE: SSL-DoS (key renegotiation) Attack on lighttpd (e.g. on Plesk) - Added by Boris17 about 13 years ago
I'm not using Plesk but am still waiting for a fix. It has been two days that we are getting DoS'd...
lighttpd/1.4.29 (ssl) - a light and fast webserver Build-Date: Jul 11 2011 17:16:42
On Debian Squeeze (Lighttpd installed using unstable package).
OpenSSL:
openssl version
OpenSSL 1.0.0e 6 Sep 2011
RE: SSL-DoS (key renegotiation) Attack on lighttpd (e.g. on Plesk) - Added by Boris17 about 13 years ago
OK, after trying a lot of ciphers:
ssl.engine = "enable"
ssl.use-sslv3 = "enable"
ssl.cipher-list = "RC4-SHA !SSLv2"
This seems to fix the problem (SSL Labs told me I'm not vulnerable anymore).
Please note I also use:
ssl.dh-file = "/etc/lighttpd/ssl/dh2048.pem"
ssl.ec-curve = "secp384r1"
RE: SSL-DoS (key renegotiation) Attack on lighttpd (e.g. on Plesk) - Added by druggo about 13 years ago
vbeo wrote:
So my question is: how to disable renegotiation (of ssl-key) in lighttpd?
lighttpd doesn't handle this problem (but nginx does); a way to mitigate it is using openssl-0.9.8l (this version disabled renegotiation completely).
RE: SSL-DoS (key renegotiation) Attack on lighttpd (e.g. on Plesk) - Added by druggo about 13 years ago
Code is already in the repository! Waiting for the new release, thank you stbuehler!
RE: SSL-DoS (key renegotiation) Attack on lighttpd (e.g. on Plesk) - Added by arnefm over 12 years ago
My server is being attacked by someone using this tool right now (or at least something similar). The lighttpd process is using 100% CPU and my web pages are unavailable. What can I do to stop this? I have tried blocking the IP address of the attacker with my firewall, but he always returns with a new address.
I have tried setting ssl.disable-client-renegotiation = "enable" but this had no effect. I tested it by using the thc-ssl-dos tool. Currently SSL is configured like this:
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"
    ssl.disable-client-renegotiation = "enable"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
}
lighttpd/1.4.30 (ssl) - a light and fast webserver
OpenSSL 1.0.0e 6 Sep 2011
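As an added example (not part of this thread or of lighttpd itself), here is a small audit script that parses an `ssl.*` socket block like the ones posted above and reports the settings the thread turns on: whether `ssl.disable-client-renegotiation` is set, plus SSLv3, RC4 and cipher-order choices a reviewer would question today. The sample block is constructed from the configs in this thread with the renegotiation setting deliberately left out so the audit has something to report.

```python
import re

# Constructed sample: a 443 socket block in the style of the thread,
# with ssl.disable-client-renegotiation intentionally omitted.
SAMPLE_CONF = '''
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"
    ssl.use-sslv3 = "enable"
    ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL"
}
'''

# Matches lines of the form   ssl.some-key = "value"
SETTING_RE = re.compile(r'^\s*(ssl\.[\w.-]+)\s*=\s*"([^"]*)"\s*$')


def parse_ssl_settings(conf: str) -> dict:
    """Collect ssl.* key/value pairs from a lighttpd config fragment.

    Later assignments override earlier ones, as they do in lighttpd.
    """
    settings = {}
    for line in conf.splitlines():
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_ssl_settings(settings: dict) -> list:
    """Return findings relevant to the renegotiation DoS discussed above."""
    findings = []
    if settings.get("ssl.engine") != "enable":
        return findings  # not a TLS socket, nothing to check
    if settings.get("ssl.disable-client-renegotiation") != "enable":
        findings.append("client-initiated renegotiation not disabled")
    if settings.get("ssl.use-sslv3") == "enable":
        findings.append("SSLv3 enabled")
    ciphers = settings.get("ssl.cipher-list", "")
    # Only suites that name RC4 positively count; "!RC4" is an exclusion.
    if any(c.startswith("RC4") for c in ciphers.split(":")):
        findings.append("RC4 ciphers in ssl.cipher-list")
    if settings.get("ssl.honor-cipher-order") != "enable":
        findings.append("ssl.honor-cipher-order not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_settings(parse_ssl_settings(SAMPLE_CONF)):
        print("WARN:", finding)
```

Run it against the `$SERVER["socket"] == ":443"` block of your own config to see which of the thread's settings are missing; an empty result only means the config asks for the mitigation, not that the running lighttpd build honors it.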