I'd like to request a CVE id for the following bug:
Nathan Bishop <me () nbishop name> reported
(http://redmine.lighttpd.net/issues/2525) that lighttpd uses vulnerable
cipher suites when SNI is used:
    $HTTP["Host"] == "example.com" {
        ssl.pemfile = "/etc/ssl/certs/example.com.pem"
    }
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/ssl/certs/default.pem"
        ssl.cipher-list = "HIGH"
    }
This config uses the "DEFAULT" cipher list for "example.com", which
includes export ciphers.
More details are available at:
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
Please note that the patch is not final yet, and can't be found in SVN.
We're still discussing:
* whether other options should work in SNI context (we could
  add all ssl.ca-files to all SSL_CTX instances)
* whether to set a default ssl.cipher-list, and which string to pick
regards,
Stefan
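
The configuration pattern from the report above can be searched for in an existing lighttpd.conf. The following is an added example, not part of the original message or of lighttpd: it flags host conditions that load their own ssl.pemfile (an SNI context) while a socket block sets ssl.cipher-list. The function names are hypothetical, and the parser assumes flat, non-nested conditional blocks and no include files.

```python
import re

# Constructed sample: the configuration quoted in the report above.
SAMPLE_CONF = '''
$HTTP["Host"] == "example.com" {
    ssl.pemfile = "/etc/ssl/certs/example.com.pem"
}
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/ssl/certs/default.pem"
    ssl.cipher-list = "HIGH"
}
'''

# One conditional block: $FIELD["key"] <op> "value" { body }.
# Assumption: blocks are flat; nested conditionals are not handled.
BLOCK_RE = re.compile(
    r'\$(\w+)\["([^"]+)"\]\s*(==|=~|!=|!~)\s*"([^"]*)"\s*\{([^{}]*)\}')
# A quoted option assignment; commented-out lines (leading '#') do not match.
OPTION_RE = re.compile(r'^\s*([\w.-]+)\s*=\s*"([^"]*)"', re.M)


def parse_blocks(conf):
    """Return (field, key, value, options) for each flat conditional block."""
    return [(field.upper(), key.lower(), value, dict(OPTION_RE.findall(body)))
            for field, key, _op, value, body in BLOCK_RE.findall(conf)]


def sni_hosts_outside_cipher_list(conf):
    """List (host, pemfile, socket cipher lists) for every host condition that
    loads its own certificate while a socket block restricts ssl.cipher-list."""
    blocks = parse_blocks(conf)
    socket_lists = sorted(o["ssl.cipher-list"] for f, k, _v, o in blocks
                          if (f, k) == ("SERVER", "socket")
                          and "ssl.cipher-list" in o)
    if not socket_lists:
        return []  # no cipher restriction configured, nothing to compare
    return [(v, o["ssl.pemfile"], socket_lists) for f, k, v, o in blocks
            if (f, k) == ("HTTP", "host") and "ssl.pemfile" in o]


if __name__ == "__main__":
    for host, pem, lists in sni_hosts_outside_cipher_list(SAMPLE_CONF):
        print(f"{host}: SNI certificate {pem} is not covered by "
              f"socket ssl.cipher-list {lists}")
```
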