Workaround for CVE-2014-3566 (POODLE) required

Bug #1381910 reported by Tore Anderson on 2014-10-16
This bug affects 7 people
Affects Status Importance Assigned to Milestone
lighttpd (Ubuntu)
Nominated for Precise by Mathew Hodson

Bug Description

In order to close the recently disclosed security vulnerability in SSLv3 (CVE-2014-3566 a.k.a. POODLE), one needs to disable SSLv3 support.

According to, lighttpd gained support for doing so (config option "ssl.use-sslv3") in version 1.4.29. Because Ubuntu 12.04.5 LTS ships lighttpd 1.4.28, disabling SSLv3 seems impossible. Attempting to use the "ssl.use-sslv3" setting results in the following error message being logged:

(server.c.961) WARNING: unknown config-key: ssl.use-sslv3 (ignored)

I suppose that the logical way to deal with this is to either backport the "ssl.use-sslv3" functionality to the 1.4.28 version shipped by Ubuntu 12.04.5 LTS, or to upgrade the shipped package to 1.4.29 or newer.


CVE References

information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lighttpd (Ubuntu):
status: New → Confirmed
LeGreffier (ylamouroux) wrote :

Hello; we'll need the same kind of backporting to 10.04. This is a very unusual problem as it's the protocol and not the program that's flawed. I don't know if it's planned too, and if it needs a separate ticket. Please advise.
Thanks :)

Mat Johns (matjohns) wrote :

Not sure if it helps against the Ubuntu patchset; but as a Debian Squeeze user I've backported the required code from 1.4.29 to get this config working for me :)


Mathew Hodson (mhodson) on 2015-11-30
Changed in lighttpd (Ubuntu):
importance: Undecided → Medium
tags: added: precise
tags: added: poodle
gstrauss (gstrauss) wrote :

Solution: adjust ssl.cipher-list in lighttpd.conf
See also

Recommended reading:

Bug still exists.
Need a backport.

@gstrauss Adding :!SSLv2:!SSLv3 to the cipher-list will cause a "No Cipher can be used" error.
