Ubuntu
lighttpd package

Workaround for CVE-2014-3566 (POODLE) required

Bug #1381910 reported by Tore Anderson
288
This bug affects 7 people
Affects Status Importance Assigned to Milestone
lighttpd (Ubuntu)
Fix Released
Medium
Unassigned
Nominated for Precise by Mathew Hodson

Bug Description

In order to close the recently disclosed security vulnerability in SSLv3 (CVE-2014-3566 a.k.a. POODLE), one needs to disable SSLv3 support.

According to http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL, lighttpd gained support for doing so (config option "ssl.use-sslv3") in version 1.4.29. Because Ubuntu 12.04.5 LTS ships lighttpd 1.4.28, disabling SSLv3 seems impossible. Attempting to use the "ssl.use-sslv3" setting results in the following error message being logged:

(server.c.961) WARNING: unknown config-key: ssl.use-sslv3 (ignored)

I suppose that the logical way to deal with this is to either backport the "ssl.use-sslv3" functionality to the 1.4.28 version shipped by Ubuntu 12.04.5 LTS, or to upgrade the shipped package to 1.4.29 or newer.

Tore

Tags: poodle precise

CVE References

Tore Anderson (toreanderson)
information type: Private Security → Public Security
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lighttpd (Ubuntu):
status: New → Confirmed
Revision history for this message
LeGreffier (ylamouroux) wrote :

Hello ; we'll need the same kind of backporting to 10.04. This is a very unusual problem as it's the protocol and not the program that's flawed. I don't know if it's planned too, and if it need a separate ticket. Pleaase advice.
Thanks :)

Revision history for this message
Mat Johns (matjohns) wrote :

Not sure if helps against the Ubuntu patchset; but as a Debian Squeeze user I've backported the required code from 1.4.29 to get this config working for me :)

https://github.com/matjohns/squeeze-lighttpd-poodle

~Mat

Mathew Hodson (mhodson)
Changed in lighttpd (Ubuntu):
importance: Undecided → Medium
tags: added: precise
tags: added: poodle
Revision history for this message
gstrauss (gstrauss) wrote :

Solution: adjust ssl.cipher-list in lighttpd.conf
See also https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/645002

Recommended reading: https://cipherli.st/

Revision history for this message
BlueT - Matthew Lien - 練喆明 (bluet) wrote :

Bug still exist.
Need a backport.

@gstrauss Adding :!SSLv2:!SSLv3 with the cipher-list
ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SSLv2:!SSLv3"

Will cause a "No Cipher can be used" error.

Revision history for this message
gstrauss (gstrauss) wrote :

Fixed in lighttpd 1.4.29 release Jun 2011, over 9 years ago.
https://redmine.lighttpd.net/issues/2246

Changed in lighttpd (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.