
Feature #2511

pass protocol and cipher details to fcgi env

Added by oschonrock about 4 years ago. Updated 12 months ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: TLS
Target version:
Start date: 2013-09-06
Due date:
% Done: 100%
Estimated time:
Missing in 1.5.x: No

Description

Motivation
-----------
We currently live in a world where there are no good options for protocol/ciphers (i.e. the BEAST/RC4 problem). And it has been revealed (thanks Ed!) that the NSA can probably easily decrypt RC4. You have to allow insecure options to support the huge browser body out there that does not yet support decent protocol cipher combinations.

Lighty supports TLS1.2 etc. by compiling against the latest OpenSSL, so one way is to push the end user towards updating their browsers (the good ones are nearly there on TLS1.2 etc). In order to do that the server side application really needs access to what protocol version and cipher / key length the user-agent has used to connect, and then display appropriate motivational end-user messaging.

Feature
-------
This could be done by pushing this protocol/cipher detail into setenv to be picked up, e.g. by php $_SERVER, similar to what apache2/mod_php does:

http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#envvars

Is this info available at the right stage of the request to do that? If so, the required change might be quite trivial...
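An added example (not part of this issue, nor lighttpd's or PHP's own code) of what the server-side application could do once these variables reach the FastCGI environment: a PHP function that reads SSL_PROTOCOL and SSL_CIPHER (the names set by the fixing commit) plus SSL_CIPHER_USEKEYSIZE (assumed here to follow the mod_ssl naming linked above) from $_SERVER and returns an upgrade message for connections that negotiated an old protocol, RC4, or a BEAST-affected TLS 1.0 CBC cipher.

```php
<?php
// Added example: decide whether to show the user an upgrade message, based on
// the SSL_* variables lighttpd exports into the FastCGI environment.
// SSL_PROTOCOL and SSL_CIPHER are named in the fixing commit; SSL_CIPHER_USEKEYSIZE
// is an assumption here, following Apache mod_ssl's naming.
function tlsUpgradeAdvice(array $server): ?string
{
    // No SSL_PROTOCOL means a plain-HTTP request or a lighttpd without this feature.
    if (!isset($server['SSL_PROTOCOL'])) {
        return null;
    }
    $proto  = $server['SSL_PROTOCOL'];                      // e.g. "TLSv1.2"
    $cipher = $server['SSL_CIPHER'] ?? '';                  // e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    $bits   = (int) ($server['SSL_CIPHER_USEKEYSIZE'] ?? 0); // bits actually used by the session key

    $reasons = [];
    if (in_array($proto, ['SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1'], true)) {
        $reasons[] = "it negotiated $proto rather than TLS 1.2";
    }
    if (stripos($cipher, 'RC4') !== false) {
        $reasons[] = "it used the RC4 cipher ($cipher)";
    } elseif ($proto === 'TLSv1' && $cipher !== '') {
        // Every non-RC4 TLS 1.0 cipher suite is a CBC suite: the BEAST-affected combination.
        $reasons[] = "it used a CBC cipher ($cipher) over TLS 1.0";
    }
    if ($bits > 0 && $bits < 128) {
        $reasons[] = "the session key is only $bits bits";
    }
    if ($reasons === []) {
        return null; // nothing to complain about
    }
    return 'Your browser connected insecurely: ' . implode('; ', $reasons)
         . '. Please update your browser to one that supports TLS 1.2.';
}

// Under FastCGI, $_SERVER carries the variables; from the CLI, use a constructed sample.
$env = PHP_SAPI === 'cli'
    ? ['SSL_PROTOCOL' => 'TLSv1', 'SSL_CIPHER' => 'RC4-SHA', 'SSL_CIPHER_USEKEYSIZE' => '128']
    : $_SERVER;
echo tlsUpgradeAdvice($env) ?? 'Connection OK', PHP_EOL;
```

The constructed CLI sample produces both the "negotiated TLSv1" and the "RC4" reasons; a TLSv1.2 AES-GCM connection returns null and prints "Connection OK".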


Related issues

Related to Feature #2652: [patch] Add additional SSL env variables for strict client certificate authentication and authorization (Duplicate, 2015-07-04)

Associated revisions

Revision b8b38f30 (diff)
Added by gstrauss 12 months ago

[TLS] set SSL_PROTOCOL, SSL_CIPHER* (fixes #2511)

initialized for mod_magnet and dynamic CGI-like handlers
(mod_cgi, mod_fastcgi, mod_scgi, mod_ssi) (*not* mod_proxy)

Note: in the future a config flag (does not yet exist) might be required
to activate initialization of these SSL_* env variables. This might
occur if there are requests to access these variables in mod_accesslog,
and/or if more SSL_* variables are created, which would be more work.

x-ref:
"pass protocol and cipher details to fcgi env"
https://redmine.lighttpd.net/issues/2511

History

#1 Updated by oschonrock about 4 years ago

This would achieve a similar goal as this, i.e. push user-agents towards better protocol cipher combinations:

http://blog.lighttpd.net/articles/2013/06/01/mitigating-beast-with-gnutls/

but in a different way...and for lighty 1.4 and 2.0

#2 Updated by stbuehler about 4 years ago

  • Priority changed from High to Normal

#3 Updated by gstrauss over 1 year ago

  • Category changed from core to TLS

#4 Updated by gstrauss 12 months ago

  • Related to Feature #2652: [patch] Add additional SSL env variables for strict client certificate authentication and authorization added

#5 Updated by gstrauss 12 months ago

  • Status changed from New to Patch Pending
  • Target version set to 1.4.42

#6 Updated by gstrauss 12 months ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
