Yes, Rocket just implements SSL using the default Python ssl module. There are some deprecated SSL connection types allowed. Those should be disabled by default.
mic

On 19 May 2012 21:48, "Massimo Di Pierro" <[email protected]> wrote:

> I will need your help understanding this report.
>
> If I understand it:
>
> > Session resumption No (IDs assigned but not accepted)
>
> This is not a vulnerability. Am I right? This is good because sessions are managed at web2py level.
>
> > BEAST attack Vulnerable INSECURE
> > Secure Renegotiation Supported, with client-initiated renegotiation enabled DoS DANGER
>
> These two are ssl issues. Am I right? Rocket does not implement its own ssl. It simply wraps the socket using the python-ssl module. Perhaps there is a way to configure this wrapper. It would help to know if the same vulnerabilities arise with other python web servers which use python-ssl. If not we could see what settings are different.
>
> Massimo
>
> On Friday, 18 May 2012 19:08:27 UTC-5, pyhead wrote:
>>
>> Analyzing web2py + Rocket (1.2.4) with the SSL Server Test reveals vulnerabilities that give it an 'F' rating even when using the strongest RSA 4096 bit key. web2py's mission is to provide high security by default so it should be hardened to address these issues. Hopefully it is as simple as changing the default configuration that ships with web2py.
>>
>> You can test your own server here:
>>
>> https://www.ssllabs.com/ssltest/index.html
>>
>> Weaknesses Reported
>>
>> Protocols
>> SSL 2.0 INSECURE Yes
>>
>> Security Vulnerabilities
>> - Session resumption No (IDs assigned but not accepted)
>> - BEAST attack Vulnerable INSECURE
>>   (more info) https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
>> - Secure Renegotiation Supported, with client-initiated renegotiation enabled DoS DANGER
>>   (more info) https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
>>
>> Cipher Suites (sorted by strength; server has no preference)
>> SSL_RC4_128_EXPORT40_WITH_MD5 (0x20080) WEAK 40
>> SSL_RC2_128_CBC_EXPORT40_WITH_MD5 (0x40080) WEAK 40
>> SSL_DES_64_CBC_WITH_MD5 (0x60040) WEAK 56
>> TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
>>
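The configuration change mic and Massimo are talking about, as an added example written against Python 3's ssl.SSLContext (this is not Rocket's code and not from the thread): it refuses SSL 2.0/3.0 and TLS 1.0/1.1, drops the export, DES, RC2, RC4 and MD5 suites the scan listed, makes the server's cipher order win, disables renegotiation where the OpenSSL build supports it, and includes a small audit helper to check the result locally before re-running the SSL Labs test. It assumes a modern Python (3.7+) and OpenSSL; the WEAK_MARKERS list and the audit function are constructed for this illustration.

```python
import ssl

# Cipher string: keep only high-strength suites and explicitly drop the families the
# SSL Labs report flagged (export-grade, DES/3DES, RC2, RC4, MD5) plus anonymous/NULL ones.
HARDENED_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC2:!RC4:!MD5"

# Substrings that identify a weak suite in OpenSSL's cipher names (constructed for this audit).
WEAK_MARKERS = ("EXPORT", "RC4", "RC2", "DES", "MD5", "NULL")

# Not every OpenSSL build exposes OP_NO_RENEGOTIATION; a missing flag becomes a no-op.
NO_RENEG = getattr(ssl, "OP_NO_RENEGOTIATION", 0)


def build_server_context(certfile=None, keyfile=None):
    """Server-side SSLContext hardened against the findings in the report.

    - minimum_version TLS 1.2 refuses SSL 2.0/3.0 and TLS 1.0/1.1 (the SSL 2.0 finding,
      and the TLS 1.0 CBC behaviour that BEAST depends on),
    - OP_CIPHER_SERVER_PREFERENCE makes the server's order win ("server has no preference"),
    - OP_NO_RENEGOTIATION removes client-initiated renegotiation where OpenSSL supports it,
    - set_ciphers drops the export/DES/RC2/RC4/MD5 suites listed as WEAK.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE | NO_RENEG
    ctx.set_ciphers(HARDENED_CIPHERS)
    if certfile:  # a real deployment loads its certificate chain and key here
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit(ctx):
    """Summarise what the context will actually offer, for a local check before re-scanning."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version.name,
        "server_preference": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
        "renegotiation_disabled": bool(NO_RENEG) and bool(ctx.options & NO_RENEG),
        "weak_suites": [n for n in names if any(m in n for m in WEAK_MARKERS)],
        "enabled_suites": len(names),
    }


if __name__ == "__main__":
    for key, value in audit(build_server_context()).items():
        print(f"{key}: {value}")
```

The context is handed to ctx.wrap_socket(...) in place of the bare ssl.wrap_socket() call; an empty weak_suites list means the four WEAK entries from the scan can no longer be negotiated.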

