support mitigating BEAST attack, see http://forum.pfsense.org/index.php/topic,63001.0.html #683
Conversation
According to http://redmine.lighttpd.net/projects/lighttpd/wiki/Release-1_4_30 "...by setting ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" you can mitigate BEAST attacks."
|
Have you tried applying this commit and ensuring that many browsers/platforms still work correctly? Of most interest would be browsers such as Safari on iOS, the Android browser (pre-Chrome), Opera, etc. If we can get confirmation that it does not negatively impact clients, then such a change is much more likely to be merged in. |
|
I've only tested it with Chrome, Firefox and MSIE8 on Windows & Linux. However since this is lighttpd's "official" fix to mitigate the risk of BEAST attacks, and it has been published almost 1.5 year ago, and I couldn't find any reports about incompatibilities, I would assume it's reasonably safe to merge. Btw haven't you heard from any of your commercial support customers about failing a PCI audit due to the BEAST issue ? (because I've found quite a few such posts online) |
|
We maybe have seen 1-2 complaints but it wasn't a critical thing at the time since access was very restricted by those customers to get around it. The existing cipher list was crafted because of brokenness in Safari on iOS so I'd at least like to see it tested there before moving forward with the fix. |
|
So far it seems OK on: Seems solid from what I can see, that should cover just about every major platform and/or browser. I'll go ahead and merge it. |
support mitigating BEAST attack, see http://forum.pfsense.org/index.php/topic,63001.0.html
According to http://redmine.lighttpd.net/projects/lighttpd/wiki/Release-1_4_30
"...by setting
ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
you can mitigate BEAST attacks."
See discussion at http://forum.pfsense.org/index.php/topic,63001.0.html