Bug #2428
lighttpd still accepting ciphers that are explicitly disabled (status: closed)
Description
lighttpd is still accepting ciphers which I have explicitly disabled. This was tested with 1.4.31.
lighttpd config:
$ fgrep ssl. lighttpd.conf
ssl.use-sslv2 = "disable"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4-SHA:HIGH:!MD5:!aNULL:!EDH"
$ openssl ciphers 'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4-SHA:HIGH:!MD5:!aNULL:!EDH' | grep -c EDH-RSA-DES-CBC-SHA
0
As you can see, all EDH ciphers are disabled, however lighttpd is still accepting them:
$ openssl s_client -connect 127.0.0.1:443 -cipher DES -tls1 | grep Cipher
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC-SHA
Using the same config in Apache works correctly:
$ grep SSL apache2.conf
SSLProtocol ALL -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4-SHA:HIGH:!MD5:!aNULL:!EDH
$ openssl s_client -connect 127.0.0.1:443 -cipher DES -tls1
139946031826592:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1248:SSL alert number 40
139946031826592:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:592:
Updated by stbuehler over 12 years ago
- Status changed from New to Invalid
- Priority changed from High to Normal
- Target version deleted (1.4.x)
- Cannot reproduce your issue. Make sure you have the options in the correct block, connected to the correct port and actually restarted lighttpd after changing the config.
- The cipher string is just passed to openssl anyway, so I don't think we could do anything about it.
- Perhaps you linked different openssl libs? No idea why that would break anything though...
Updated by Anonymous over 12 years ago
It was definitely restarted (stop, check ps, start). And I set those options globally, they're at the top of the config file and nothing else changes them. I've just rebuilt it from source on the system it's running on, still accepting ciphers I've told it to disable.
Updated by stbuehler over 12 years ago
SSL options need to be in the same block in which SSL is enabled, i.e. the $SERVER["socket"] block (with SNI, options can also be placed in the host conditionals, but the default options are still taken from the $SERVER["socket"] block).