Lighttpd

I'm not using Plesk but still waiting for a fix. It has been two days we get DOS...

lighttpd/1.4.29 (ssl) - a light and fast webserver
Build-Date: Jul 11 2011 17:16:42

OpenSSL:

openssl version
OpenSSL 1.0.0e 6 Sep 2011

OK, after trying a lot of cipher :

        ssl.engine = "enable" 
        ssl.use-sslv3 = "enable" 
       ssl.cipher-list = "RC4-SHA !SSLv2" 

Please not I also use :

        ssl.dh-file = "/etc/lighttpd/ssl/dh2048.pem" 
        ssl.ec-curve = "secp384r1"

vbeo wrote:

So my question is: how to disable renegotiation (of ssl-key) in lighttpd?

lighttpd doesn't handle this problem( but nginx does), a mitigate way is using openssl-0.9.8l ( this version disabled renegotiation completely ).

code already in repository! waiting for the new release, thank you stbuehler!

My server is being attacked by someone using this tool right now (or at least something similar). The lighttpd process is using 100% CPU og my web pages are unavailable. What can i do to stop this? I have tried blocking the IP-adress of the attacker with my firewall, but he always returns with a new address.

I have tried setting ssl.disable-client-renegotiation = "enable" but this had no effect. I tested it by using the thc-ssl-dos tool. Currently SSL is configured like this:

$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server.pem"
ssl.disable-client-renegotiation = "enable"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
}

lighttpd/1.4.30 (ssl) - a light and fast webserver
OpenSSL 1.0.0e 6 Sep 2011