Bug #2476
Vulnerable to CRIME SSL attack
Status: closed
Description
I've tested my instance of lighttpd 1.4.32 with this tool: https://www.ssllabs.com/ssltest/
The result of the test was that it's vulnerable to the CRIME attack against SSL. I've done an extensive search on the internet, including the lighttpd forums and issues, and haven't found a mention of the CRIME attack.
Can this be fixed as a configuration change, or does code need to be changed?
Updated by GDR about 12 years ago
lighttpd.net seems to be affected too: https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fwww.lighttpd.net%2F
Updated by stbuehler about 12 years ago
- Status changed from New to Invalid
You need to compile against a recent version of openssl (>= 1.0.0 probably); our source tries to use SSL_OP_NO_COMPRESSION to disable compression.
Our lighttpd2 builds are from build.opensuse.org, which only supports Debian stable (testing usually moves too fast).
We did not apply the ugly workaround by calling sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
(but the Debian maintainers just applied this in Debian stable - which is fine, because they won't have to maintain that patch for long; the next Debian release has a recent enough openssl version)
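An added example, not code from lighttpd or from either commenter: a small POSIX shell check for the two things the reply above turns on, whether the local OpenSSL is recent enough for SSL_OP_NO_COMPRESSION (the `>= 1.0.0` threshold is taken from the comment) and whether a server actually negotiates TLS compression, read from the `Compression:` line of an `openssl s_client` session summary. The function names (`openssl_version_ok`, `compression_negotiated`, `check_server`) and the sample `s_client` output are constructed for this example.

```shell
#!/bin/sh
# Added example (not lighttpd's code). Checks related to CRIME / TLS compression.

# Threshold from the comment above: SSL_OP_NO_COMPRESSION needs OpenSSL >= 1.0.0.
MIN_MAJOR=1
MIN_MINOR=0

# openssl_version_ok "<output of `openssl version`>"
# Returns 0 if the version is >= MIN_MAJOR.MIN_MINOR, 1 if older, 2 if unparseable.
openssl_version_ok() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')   # e.g. "0.9.8o" or "1.0.1e"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$major$minor" in
        ''|*[!0-9]*) return 2 ;;                     # not a dotted numeric version
    esac
    if [ "$major" -gt "$MIN_MAJOR" ] || { [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ]; }; then
        return 0
    fi
    return 1
}

# compression_negotiated < s_client_output
# Reads an `openssl s_client` transcript on stdin and looks at the session summary.
# Returns 0 if a compression method was negotiated (e.g. "zlib compression"),
# 1 if the line says NONE, 2 if no Compression: line is present (handshake failed?).
compression_negotiated() {
    comp=$(sed -n 's/^[[:space:]]*Compression:[[:space:]]*//p' | head -n 1)
    if [ -z "$comp" ]; then
        return 2
    elif [ "$comp" = "NONE" ]; then
        return 1
    fi
    return 0
}

# check_server host [port]  -- live check; needs network, not exercised offline.
# The local openssl must itself be built with zlib support to offer compression,
# otherwise "Compression: NONE" only means the client never asked for it.
check_server() {
    if printf 'Q\n' | openssl s_client -connect "$1:${2:-443}" 2>/dev/null | compression_negotiated; then
        echo "$1: TLS compression negotiated (CRIME-relevant)"
        return 1
    fi
    echo "$1: no TLS compression negotiated"
    return 0
}

# Constructed sample transcripts (not real captures), in the shape s_client prints.
SAMPLE_VULNERABLE='SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Compression: zlib compression
    Expansion: zlib compression'
SAMPLE_SAFE='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Compression: NONE
    Expansion: NONE'

# Demo run on the constructed samples and on the installed openssl, if any.
if printf '%s\n' "$SAMPLE_VULNERABLE" | compression_negotiated; then
    echo "sample 1: compression negotiated -> CRIME-relevant"
fi
if ! printf '%s\n' "$SAMPLE_SAFE" | compression_negotiated; then
    echo "sample 2: no compression"
fi
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version)
    if openssl_version_ok "$v"; then
        echo "local $v: new enough for SSL_OP_NO_COMPRESSION"
    else
        echo "local $v: too old, server needs the sk_SSL_COMP_zero workaround"
    fi
fi
```

The server-side fix the comment refers to is the standard OpenSSL call `SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION)`; the shell check only tells you what a given client and server ended up negotiating. Because most modern OpenSSL builds ship without zlib, a "NONE" from `check_server` is not proof the server refuses compression; an external scanner such as the SSL Labs test mentioned in the report is the more reliable check.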
Updated by GDR about 12 years ago
OK, thank you. Hopefully this issue will be visible in search engines so others will know.