I will need your help understanding this report. If I understand it:

> Session resumption No (IDs assigned but not accepted)

This is not a vulnerability. Am I right? This is good because sessions are managed at the web2py level.

> BEAST attack Vulnerable INSECURE
> Secure Renegotiation Supported, with client-initiated renegotiation enabled DoS DANGER

These two are ssl issues. Am I right? Rocket does not implement its own ssl. It simply wraps the socket using the python-ssl module. Perhaps there is a way to configure this wrapper. It would help to know if the same vulnerabilities arise with other python web servers which use python-ssl. If not, we could see what settings are different.

Massimo

On Friday, 18 May 2012 19:08:27 UTC-5, pyhead wrote:
>
> Analyzing web2py + Rocket (1.2.4) with the SSL Server Test reveals
> vulnerabilities that give it an 'F' rating even when using the strongest
> RSA 4096 bit key. web2py's mission is to provide high security by default,
> so it should be hardened to address these issues. Hopefully it is as
> simple as changing the default configuration that ships with web2py. You
> can test your own server here:
>
> https://www.ssllabs.com/ssltest/index.html
>
> Weaknesses Reported
>
> Protocols
> SSL 2.0 INSECURE Yes
>
> Security Vulnerabilities
> - Session resumption No (IDs assigned but not accepted)
> - BEAST attack Vulnerable INSECURE
> (more info)
> https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
> - Secure Renegotiation Supported, with client-initiated renegotiation
> enabled DoS DANGER
> (more info)
> https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
>
> Cipher Suites (sorted by strength; server has no preference)
> SSL_RC4_128_EXPORT40_WITH_MD5 (0x20080) WEAK 40
> SSL_RC2_128_CBC_EXPORT40_WITH_MD5 (0x40080) WEAK 40
> SSL_DES_64_CBC_WITH_MD5 (0x60040) WEAK 56
> TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
>
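Massimo asks whether the python-ssl wrapper Rocket uses can be configured to address the scanner's findings. The following is an added example (not Rocket's or web2py's code, and not from either poster) of how a server can build a hardened `ssl.SSLContext` with the modern Python `ssl` module (3.7 or later is assumed) and then audit it for the same items the report lists: SSL 2.0 and the other old protocols, export/DES/RC4/MD5 suites, "server has no preference", and client-initiated renegotiation. The `WEAK_SUITE` pattern, the `certfile`/`keyfile` paths and the `REPORTED_SUITES` list (copied from the quoted report) are my own assumptions and constructed sample data.

```python
import re
import ssl

# Cipher-suite names a scanner flags as weak: export-grade, RC2/RC4, MD5 MACs,
# NULL encryption, and single or triple DES. The pattern is an assumption of
# this example; it is written to match both IANA-style names (as in the SSL
# Labs report above) and OpenSSL-style names (as SSLContext.get_ciphers() returns).
WEAK_SUITE = re.compile(r"EXPORT|EXP-|RC2|RC4|MD5|NULL|DES")

# Constructed sample: the four suite names quoted in the report above.
REPORTED_SUITES = [
    "SSL_RC4_128_EXPORT40_WITH_MD5",
    "SSL_RC2_128_CBC_EXPORT40_WITH_MD5",
    "SSL_DES_64_CBC_WITH_MD5",
    "TLS_RSA_WITH_DES_CBC_SHA",
]


def weak_suites(names):
    """Return the subset of cipher-suite names that match the weak pattern."""
    return [n for n in names if WEAK_SUITE.search(n)]


def hardened_server_context(certfile=None, keyfile=None):
    """Build a server-side SSLContext with the report's findings addressed.

    certfile/keyfile are hypothetical paths; when omitted the context is built
    without a certificate so it can still be inspected offline.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # SSL 2.0/3.0 and TLS 1.0/1.1 are refused outright. Requiring TLS 1.2 also
    # removes the TLS 1.0 CBC weakness behind the BEAST finding.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # The server, not the client, picks the suite ("server has no preference").
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    # TLS-level compression is never wanted on a web server.
    ctx.options |= ssl.OP_NO_COMPRESSION
    # Refuse client-initiated renegotiation in TLS 1.2 (the DoS item). The
    # constant exists only on Python 3.7+ with OpenSSL 1.1.0h+, hence getattr;
    # TLS 1.3 has no renegotiation at all.
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    # Forward-secret AEAD suites only; the exclusions are belt and braces.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!DES")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def enabled_suite_names(ctx):
    """OpenSSL-style names of every suite the context may negotiate."""
    return [c["name"] for c in ctx.get_ciphers()]


def audit_context(ctx):
    """Summarise the settings that the quoted report would flag."""
    return {
        "weak_suites": weak_suites(enabled_suite_names(ctx)),
        "min_version": ctx.minimum_version.name,
        "server_preference": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


def wrap_listening_socket(sock, ctx):
    """How a server such as Rocket would apply the context to a socket."""
    return ctx.wrap_socket(sock, server_side=True)


if __name__ == "__main__":
    print("weak suites in the report:", weak_suites(REPORTED_SUITES))
    print("hardened context:", audit_context(hardened_server_context()))
```

The session-resumption line is deliberately left alone: "IDs assigned but not accepted" describes session caching, which the `ssl` module leaves at its default here. After swapping a plain `ssl.wrap_socket()` call for `wrap_listening_socket()` with a loaded certificate, re-running the SSL Labs test linked above is the check that the findings are actually gone on the deployed build, since the available suites depend on the OpenSSL the interpreter links against.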

