The following flaw was reported [1] in lighttpd. Currently a patch is in progress [2] but is not yet complete. Lighttpd supported SNI (Server Name Indication) since version 1.4.24, and a typical SNI configuration would look like: $HTTP["Host"] == "example.com" { ssl.pemfile = "/etc/ssl/certs/example.com.pem" } $SERVER["socket"] == ":443" { ssl.engine = "enable" ssl.pemfile = "/etc/ssl/certs/default.pem" ssl.cipher-list = "HIGH" } This configuration is vulnerable as it will use ssl.cipher-list = "DEFAULT" for "example.com", which contains vulnerable cipher suites. [1] http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt [2] http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.33_fix_ssl_sni.patch
Created lighttpd tracking bugs for this issue: Affects: fedora-all [bug 1026567] Affects: epel-all [bug 1026568]
Fixed in: lighttpd-1.4.34-1.el5.1 lighttpd-1.4.34-1.el6 lighttpd-1.4.34-3.fc19 lighttpd-1.4.34-3.fc20