I believe these vulnerabilities are fixed by this recent Python 2.7 patch: http://bugs.python.org/issue13636
Can you confirm?

On Saturday, 19 May 2012 15:37:26 UTC-5, mcm wrote:
>
> Yes, Rocket just implements SSL using the default Python ssl module. There is some deprecated SSL connection type allowed. Those should be disabled by default.
>
> mic
>
> On 19 May 2012 21:48, "Massimo Di Pierro" <[email protected]> wrote:
>
>> I will need your help to understand this report.
>>
>> If I understand it:
>>
>> > Session resumption No (IDs assigned but not accepted)
>>
>> This is not a vulnerability. Am I right? This is good because sessions are managed at web2py level.
>>
>> > BEAST attack Vulnerable INSECURE
>> > Secure Renegotiation Supported, with client-initiated renegotiation enabled DoS DANGER
>>
>> These two are SSL issues. Am I right? Rocket does not implement its own SSL. It simply wraps the socket using the python-ssl module. Perhaps there is a way to configure this wrapper. It would help to know if the same vulnerabilities arise with other Python web servers which use python-ssl. If not, we could see what settings are different.
>>
>> Massimo
>>
>> On Friday, 18 May 2012 19:08:27 UTC-5, pyhead wrote:
>>>
>>> Analyzing web2py + Rocket (1.2.4) with the SSL Server Test reveals vulnerabilities that give it an 'F' rating even when using the strongest RSA 4096 bit key. web2py's mission is to provide high security by default, so it should be hardened to address these issues. Hopefully it is as simple as changing the default configuration that ships with web2py. You can test your own server here:
>>>
>>> https://www.ssllabs.com/ssltest/index.html
>>>
>>> Weaknesses Reported
>>>
>>> Protocols
>>> SSL 2.0 INSECURE Yes
>>>
>>> Security Vulnerabilities
>>> - Session resumption No (IDs assigned but not accepted)
>>> - BEAST attack Vulnerable INSECURE
>>> (more info) https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
>>> - Secure Renegotiation Supported, with client-initiated renegotiation enabled DoS DANGER
>>> (more info) https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
>>>
>>> Cipher Suites (sorted by strength; server has no preference)
>>> SSL_RC4_128_EXPORT40_WITH_MD5 (0x20080) WEAK 40
>>> SSL_RC2_128_CBC_EXPORT40_WITH_MD5 (0x40080) WEAK 40
>>> SSL_DES_64_CBC_WITH_MD5 (0x60040) WEAK 56
>>> TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
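The thread's question is whether the Python ssl wrapper Rocket uses can be configured to drop SSL 2.0, the weak export/RC4/DES/MD5 suites, the missing server cipher preference and client-initiated renegotiation. The following is an added example, not code from the thread, Rocket or web2py: it builds a server-side context with the modern `ssl.SSLContext` API (Python 3.7 or newer is assumed, rather than the 2.7 `ssl.wrap_socket` call of 2012), with a cipher string of my own choosing, and audits the result against the points the SSL Labs report raised.

```python
import ssl

# Cipher list in OpenSSL syntax (an assumed choice for this example). It excludes
# everything the report flagged (export grades, RC4, single DES, MD5 MACs) plus
# anonymous/null suites, leaving AEAD suites with forward secrecy.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!LOW"

# Substrings that identify the weak suite families named in the report.
WEAK_MARKERS = ("EXPORT", "RC4", "RC2", "DES", "MD5", "NULL")


def make_server_context(certfile=None, keyfile=None):
    """Server-side context that refuses SSL 2.0/3.0 and TLS 1.0/1.1, enforces
    the server's cipher order and disables client-initiated renegotiation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # no SSLv2/SSLv3; TLS 1.0 CBC (BEAST) gone too
    ctx.set_ciphers(HARDENED_CIPHERS)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # addresses "server has no preference"
    if hasattr(ssl, "OP_NO_RENEGOTIATION"):         # Python 3.7+ with OpenSSL 1.1.0h+
        ctx.options |= ssl.OP_NO_RENEGOTIATION      # blocks the renegotiation DoS vector
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)      # real deployments load a cert here
    return ctx


def weak_ciphers(ctx):
    """Names of enabled suites that still match one of the weak markers."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_MARKERS)]


def audit(ctx):
    """Summarise the settings the SSL Labs report complained about."""
    no_reneg = getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    return {
        "min_version": ctx.minimum_version.name,
        "server_preference": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
        "renegotiation_disabled": bool(no_reneg and (ctx.options & no_reneg)),
        "enabled_suites": len(ctx.get_ciphers()),
        "weak_ciphers": weak_ciphers(ctx),
    }


if __name__ == "__main__":
    for key, value in audit(make_server_context()).items():
        print(f"{key}: {value}")
```

Wrapping Rocket's listening socket with `ctx.wrap_socket(sock, server_side=True)` instead of the module-level `wrap_socket` call is what applies these settings; `weak_ciphers` should return an empty list before the server goes live.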

