
SSL-DoS (key renegotiation) Attack on lighttpd (e.g. on Plesk)

Added by vbeo over 10 years ago

Hello, I'm using the modified lighttpd which serves the Plesk Control Panel under Plesk 10 (Ubuntu 10 LTS). The config file can be found under /etc/sw-cp-server/applications.d/plesk.conf.

It is possible to attack the lighttpd server (CP port is 8443) with this tool: http://www.thc.org/thc-ssl-dos/

So my question is: how do I disable renegotiation (of the SSL key) in lighttpd?

Thx. Chris


Replies (5)

RE: SSL-DoS (key renegotiation) Attack on lighttpd (e.g. on Plesk) - Added by Boris17 over 10 years ago

I'm not using Plesk but am still waiting for a fix. It has been two days that we have been getting DoS...

lighttpd/1.4.29 (ssl) - a light and fast webserver
Build-Date: Jul 11 2011 17:16:42

On Debian Squeeze (Lighttpd installed using unstable package).

OpenSSL:

openssl version
OpenSSL 1.0.0e 6 Sep 2011

RE: SSL-DoS (key renegotiation) Attack on lighttpd (e.g. on Plesk) - Added by Boris17 over 10 years ago

OK, after trying a lot of ciphers:

    ssl.engine = "enable"
    ssl.use-sslv3 = "enable"
    ssl.cipher-list = "RC4-SHA !SSLv2"

Seems to fix the problem (SSL Labs told me I'm not vulnerable anymore).

Please note I also use:

    ssl.dh-file = "/etc/lighttpd/ssl/dh2048.pem"
    ssl.ec-curve = "secp384r1"

RE: SSL-DoS (key renegotiation) Attack on lighttpd (e.g. on Plesk) - Added by druggo over 10 years ago

vbeo wrote:

> So my question is: how to disable renegotiation (of ssl-key) in lighttpd?

lighttpd doesn't handle this problem (but nginx does); a way to mitigate it is using openssl-0.9.8l (this version disabled renegotiation completely).

RE: SSL-DoS (key renegotiation) Attack on lighttpd (e.g. on Plesk) - Added by druggo over 10 years ago

Code already in repository! Waiting for the new release, thank you stbuehler!

RE: SSL-DoS (key renegotiation) Attack on lighttpd (e.g. on Plesk) - Added by arnefm about 10 years ago

My server is being attacked by someone using this tool right now (or at least something similar). The lighttpd process is using 100% CPU and my web pages are unavailable. What can I do to stop this? I have tried blocking the IP address of the attacker with my firewall, but he always returns with a new address.

I have tried setting ssl.disable-client-renegotiation = "enable" but this had no effect. I tested it by using the thc-ssl-dos tool. Currently SSL is configured like this:

    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/lighttpd/server.pem"
        ssl.disable-client-renegotiation = "enable"
        ssl.honor-cipher-order = "enable"
        ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
    }

lighttpd/1.4.30 (ssl) - a light and fast webserver
OpenSSL 1.0.0e 6 Sep 2011
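The settings that come up across this thread (ssl.disable-client-renegotiation, ssl.use-sslv3, ssl.honor-cipher-order and the cipher list) are easy to get wrong by hand, so a small audit script is useful when reviewing a $SERVER["socket"] block. The following is an added example written for this page, not code from the lighttpd project or from any poster: it parses the simple `key = "value"` lines of a socket block and reports the weak points. The sample config is constructed after the block arnefm posted; the WEAK_CIPHER_TOKENS set and the rule that the renegotiation option must be set explicitly (the script does not model lighttpd's built-in default) are the script's own assumptions.

```python
"""Audit a lighttpd $SERVER["socket"] block for the TLS settings discussed here.

Added example; not lighttpd project code. Only flat `key = "value"` lines
inside the block are understood, which is all the posted configs use.
"""
import re

# Constructed sample modelled on the block arnefm posted, not a live config.
SAMPLE_CONFIG = '''
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"
    ssl.disable-client-renegotiation = "enable"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
}
'''

# Cipher tokens a reviewer would flag (assumed list; RC4 is broken, so the
# thread-era advice to pin RC4-SHA is no longer a safe mitigation).
WEAK_CIPHER_TOKENS = {
    "RC4", "RC4-SHA", "RC4-MD5", "DES-CBC-SHA",
    "NULL", "aNULL", "eNULL", "EXPORT", "LOW",
}

BLOCK_RE = re.compile(r'\$SERVER\["socket"\]\s*==\s*"([^"]*)"\s*\{(.*?)\n\}', re.S)
ASSIGN_RE = re.compile(r'^\s*([A-Za-z0-9_.\-]+)\s*=\s*"([^"]*)"\s*$')


def parse_socket_blocks(text):
    """Return {socket: {key: value}} for every $SERVER["socket"] block."""
    blocks = {}
    for m in BLOCK_RE.finditer(text):
        settings = {}
        for line in m.group(2).splitlines():
            a = ASSIGN_RE.match(line)
            if a:
                settings[a.group(1)] = a.group(2)
        blocks[m.group(1)] = settings
    return blocks


def audit_block(settings):
    """Return a list of findings (strings) for one socket block; empty means OK."""
    findings = []
    if settings.get("ssl.engine") != "enable":
        return findings  # plain-HTTP socket, nothing TLS-related to check
    if settings.get("ssl.disable-client-renegotiation") != "enable":
        findings.append("client renegotiation not disabled")
    if settings.get("ssl.use-sslv3") == "enable":
        findings.append("SSLv3 enabled")
    if settings.get("ssl.honor-cipher-order") != "enable":
        findings.append("server cipher order not enforced")
    # OpenSSL cipher strings may be separated by ':', ',' or whitespace;
    # tokens starting with '!' are exclusions and are not enabled suites.
    ciphers = settings.get("ssl.cipher-list", "")
    enabled = [c for c in re.split(r"[:,\s]+", ciphers) if c and not c.startswith("!")]
    weak = [c for c in enabled if c in WEAK_CIPHER_TOKENS]
    if weak:
        findings.append("weak ciphers enabled: " + ", ".join(weak))
    return findings


def audit_config(text):
    """Map each socket in a config text to its list of findings."""
    return {sock: audit_block(s) for sock, s in parse_socket_blocks(text).items()}


if __name__ == "__main__":
    for sock, findings in audit_config(SAMPLE_CONFIG).items():
        print(sock, "OK" if not findings else "; ".join(findings))
```

Run against the sample it reports only the RC4 suites; run against the earlier RC4-SHA / SSLv3 workaround it also flags the missing renegotiation setting, SSLv3 and the missing cipher-order enforcement, which is why that workaround should not be copied today.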
