Closed GoogleCodeExporter closed 8 years ago
Note that just disabling the spdy module in Apache won't work, because the SSL
library itself is replaced. Easiest fix on Debian is to remove the mod-spdy
package from the system (for now).
Original comment by m...@praseodym.net
on 8 Apr 2014 at 10:38
Thanks for the report.
This has now been fixed in trunk and in the latest branch/tag, but we are
working to update the binary releases ASAP.
If you have built mod_spdy from source, you should immediately rebuild from
trunk or from tag 0.9.4.2 ***including re-running build_modssl_with_npn.sh to
rebuild mod_ssl***. If you have installed mod_spdy from one of the binary
packages, you should uninstall the package (as mark@ notes above, don't just
disable mod_spdy) until new binaries are available.
I will update this bug when the new binaries are up, hopefully in the next 24
hours.
Original comment by mdste...@google.com
on 8 Apr 2014 at 8:00
I can confirm that my web server remained vulnerable to CVE-2014-0160 after
updating openssl, and removing mod-spdy fixed it.
Original comment by jeka...@gmail.com
on 8 Apr 2014 at 8:58
New binaries for 0.9.4.2 (which fixes this vulnerability) have been rolled out,
and are available here: https://developers.google.com/speed/spdy/mod_spdy/
If you've installed one of our previous binary releases (and did not disable
auto-update), you should be able to easily upgrade using your package manager
(apt or yum).
I'll be making an announcement to the mod-spdy-discuss list shortly.
Original comment by mdste...@google.com
on 8 Apr 2014 at 10:24
Email announcement:
https://groups.google.com/forum/#!topic/mod-spdy-discuss/EwCowyS1KTU
Original comment by mdste...@google.com
on 8 Apr 2014 at 10:39
Issue 86 has been merged into this issue.
Original comment by mdste...@google.com
on 9 Apr 2014 at 12:02
I can confirm that the new binary packages are solving the issue: my server is
not vulnerable to CVE-2014-0160 after installing and enabling the new mod_spdy
package.
Thanks, the response time was awesome.
Original comment by csanad.n...@gmail.com
on 9 Apr 2014 at 12:29
Yes, this was fixed. But now the new mod-spdy-beta produces other insecurities:
After installing it, I checked my server with
https://www.ssllabs.com/ssltest/analyze.html and get: "This server supports
anonymous (insecure) suites (see below for details). Grade set to F."
Uninstalling mod-spdy-beta fixed that. Please, can you fix this? Thanks.
Original comment by AndreasP...@gmail.com
on 9 Apr 2014 at 5:42
Hi Andreas,
Most probably you've got a different issue. My installation got a grade A with
the latest mod_spdy enabled.
Original comment by csanad.n...@gmail.com
on 9 Apr 2014 at 5:48
TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019) INSECURE 256
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017) INSECURE 112
TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018) INSECURE 128
TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016) INSECURE 128
And: With this version, TLS 1.2 and 1.1 are not supported, only TLS 1.0 - or
are there any config files I don't know?
Original comment by AndreasP...@gmail.com
on 9 Apr 2014 at 5:48
@Andreas: I had the same problem after removing and then reinstalling
mod-spdy-beta on an Ubuntu LTS server. I could fix my grade and bring it to A+
again by simply copying the settings recommended in
https://bettercrypto.org/static/applied-crypto-hardening.pdf for Apache
(section 2.2.1) into my default config and restarting Apache. I think the
important part of that was the SSLCipherSuite, which has been set to
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
Original comment by norbert....@gmail.com
on 9 Apr 2014 at 9:15
@Andreas:
I updated my SSLCipherSuite to be
SSLCipherSuite HIGH:MEDIUM:!ADH:!MD5:!ECDH
This blocks the ECDH keys that are failing the test.
I first tried Norbert's list and it worked for the test but it broke SPDY.
I went to the site http://spdycheck.org/ to test if SPDY was working, and it
wasn't.
After I changed it to the one I suggested above, SPDY works, and Qualys is
happy.
WIN!
Original comment by evan.swe...@gmail.com
on 14 Apr 2014 at 11:18
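The two SSLCipherSuite strings posted in the two comments above can be checked against the local OpenSSL build without touching Apache, because mod_ssl's SSLCipherSuite directive takes the OpenSSL cipher-list syntax verbatim. The script below is an added example for this thread, not code from mod_spdy, Apache or any commenter; it assumes only that Python's ssl module is linked against a stock OpenSSL 1.1.x/3.x, which still compiles in the anonymous DH/ECDH suites (ADH-*, AECDH-*, the TLS_ECDH_anon_* suites with IDs 0xc016-0xc019 in the SSL Labs output above). It reports which enabled suites have no server authentication, the class SSL Labs grades F, and which ECDHE suites survive. In OpenSSL's grammar the `ECDH` alias covers ephemeral ECDH as well as the anonymous variant, so `!ECDH` also discards every ECDHE-* suite, whereas `!aNULL` removes only the unauthenticated ones; the script makes that difference visible.

```python
"""Evaluate Apache SSLCipherSuite strings with the local OpenSSL build.

Added example for this thread (not mod_spdy or Apache code). Assumes
Python's ssl module is linked against a stock OpenSSL that still ships
the anonymous DH/ECDH suites; the cipher strings are the ones posted
in the thread, plus the 'HIGH:MEDIUM' base the second one starts from.
"""
import ssl

# Cipher string from norbert's comment (bettercrypto.org Apache recipe).
NORBERT = (
    "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:"
    "EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:"
    "+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:"
    "!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
)
# Cipher string from evan's comment.
EVAN = "HIGH:MEDIUM:!ADH:!MD5:!ECDH"
# Same base as evan's, but excluding only the unauthenticated suites.
EVAN_ANULL = "HIGH:MEDIUM:!aNULL:!MD5"


def enabled_suites(cipher_string):
    """Return the TLS <= 1.2 suites OpenSSL selects for a cipher string.

    TLS 1.3 suites are negotiated separately, are always authenticated
    and ignore SSLCipherSuite, so they are left out of the comparison.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_anonymous(cipher):
    """True for suites with no server authentication (ADH-* / AECDH-*)."""
    return cipher["auth"] == "auth-null" or "Au=None" in cipher["description"]


def anonymous_suites(cipher_string):
    """Names of anonymous suites the string would let a server offer."""
    return [c["name"] for c in enabled_suites(cipher_string) if is_anonymous(c)]


def ecdhe_suites(cipher_string):
    """Names of ECDHE suites kept (forward secrecy that '!ECDH' also drops)."""
    return [c["name"] for c in enabled_suites(cipher_string)
            if c["kea"] == "kx-ecdhe"]


def summarize(cipher_string):
    """Counts a reviewer wants before pasting a string into SSLCipherSuite."""
    suites = enabled_suites(cipher_string)
    return {
        "total": len(suites),
        "anonymous": sum(1 for c in suites if is_anonymous(c)),
        "ecdhe": sum(1 for c in suites if c["kea"] == "kx-ecdhe"),
    }


if __name__ == "__main__":
    for label, s in (("HIGH:MEDIUM", "HIGH:MEDIUM"), ("evan", EVAN),
                     ("evan with !aNULL", EVAN_ANULL), ("norbert", NORBERT)):
        print(f"{label:17} {summarize(s)}")
        for name in anonymous_suites(s):
            print(f"{'':17}   anonymous: {name}")
```

Run it as a script to see the per-string counts; an SSLCipherSuite value whose `anonymous` count is non-zero is exactly what produces the "anonymous (insecure) suites" finding, while a zero `ecdhe` count means the server can no longer offer ECDHE forward secrecy.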
TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019) INSECURE 256
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017) INSECURE 112
TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018) INSECURE 128
TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016) INSECURE 128
Original comment by snbtruck...@gmail.com
on 14 May 2014 at 9:08
Port 43
Original comment by 208.426....@gmail.com
on 31 Oct 2014 at 6:04
Original issue reported on code.google.com by
csanad.n...@gmail.com
on 8 Apr 2014 at 8:55