Comments (14)
Note that just disabling the spdy module in Apache won't work, because the SSL
library itself is replaced. Easiest fix on Debian is to remove the mod-spdy
package from the system (for now).
Original comment by [email protected] on 8 Apr 2014 at 10:38 from mod-spdy.
Thanks for the report.
This has now been fixed in trunk and in the latest branch/tag, but we are
working to update the binary releases ASAP.
If you have built mod_spdy from source, you should immediately rebuild from
trunk or from tag 0.9.4.2 ***including re-running build_modssl_with_npn.sh to
rebuild mod_ssl***. If you have installed mod_spdy from one of the binary
packages, you should uninstall the package (as mark@ notes above, don't just
disable mod_spdy) until new binaries are available.
I will update this bug when the new binaries are up, hopefully in the next 24
hours.
Original comment by [email protected] on 8 Apr 2014 at 8:00 from mod-spdy.
- Changed state: Started
- Added labels: Priority-Critical, Security
- Removed labels: Priority-Medium
I can confirm that my web server remained vulnerable to CVE-2014-0160 after
updating openssl, and removing mod-spdy fixed it.
Original comment by [email protected] on 8 Apr 2014 at 8:58 from mod-spdy.
New binaries for 0.9.4.2 (which fixes this vulnerability) have been rolled out,
and are available here: https://developers.google.com/speed/spdy/mod_spdy/
If you've installed one of our previous binary releases (and did not disable
auto-update), you should be able to easily upgrade using your package manager
(apt or yum).
I'll be making an announcement to the mod-spdy-discuss list shortly.
Original comment by [email protected] on 8 Apr 2014 at 10:24 from mod-spdy.
- Changed state: Fixed
Email announcement:
https://groups.google.com/forum/#!topic/mod-spdy-discuss/EwCowyS1KTU
Original comment by [email protected] on 8 Apr 2014 at 10:39 from mod-spdy.
Issue 86 has been merged into this issue.
Original comment by [email protected] on 9 Apr 2014 at 12:02 from mod-spdy.
I can confirm that the new binary packages are solving the issue: my server is
not vulnerable to CVE-2014-0160 after installing and enabling the new mod_spdy
package.
Thanks, the response time was awesome.
Original comment by [email protected] on 9 Apr 2014 at 12:29 from mod-spdy.
Yes, this was fixed. But now the new mod-spdy-beta produces other insecurities:
After installing it, I checked my server with
https://www.ssllabs.com/ssltest/analyze.html and got: "This server supports
anonymous (insecure) suites (see below for details). Grade set to F."
Uninstalling mod-spdy-beta fixed that. Please, can you fix this? Thanks.
Original comment by [email protected] on 9 Apr 2014 at 5:42 from mod-spdy.
Hi Andreas,
Most probably you've got a different issue. My installation got a grade A with
the latest mod_spdy enabled.
Original comment by [email protected] on 9 Apr 2014 at 5:48 from mod-spdy.
TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019) INSECURE 256
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017) INSECURE 112
TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018) INSECURE 128
TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016) INSECURE 128
And: With this version, TLS 1.2 and 1.1 are not supported, only TLS 1.0 - or
are there any config files I don't know of?
Original comment by [email protected] on 9 Apr 2014 at 5:48 from mod-spdy.
@Andreas: I had the same problem after removing and then reinstalling
mod-spdy-beta on an Ubuntu LTS server. I could fix my grade and bring it to A+
again by simply copying the settings recommended in
https://bettercrypto.org/static/applied-crypto-hardening.pdf for Apache
(section 2.2.1) into my default config and restarting Apache. I think the
important part of that was the SSLCipherSuite, which has been set to
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
Original comment by [email protected] on 9 Apr 2014 at 9:15 from mod-spdy.
@Andreas:
I updated my SSLCipherSuite to be
SSLCipherSuite HIGH:MEDIUM:!ADH:!MD5:!ECDH
This blocks the ECDH keys that are failing the test.
I first tried Norbert's list and it worked for the test but it broke SPDY.
I went to the site http://spdycheck.org/ to test if SPDY was working, and it
wasn't.
After I changed it to the one I suggested above, SPDY works, and Qualys is
happy.
WIN!
Original comment by [email protected] on 14 Apr 2014 at 11:18 from mod-spdy.
TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019) INSECURE 256
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017) INSECURE 112
TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018) INSECURE 128
TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016) INSECURE 128
Original comment by [email protected] on 14 May 2014 at 9:08 from mod-spdy.
Port 43
Original comment by [email protected] on 31 Oct 2014 at 6:04 from mod-spdy.