Yes, the patch worked. The test was run on Rocket and Python 2.7.1, the default on Mac OS X. Upgrading to Python 2.7.3 disabled the insecure SSL 2.0 and <128 bit ciphers.
On Saturday, May 19, 2012 10:39:27 PM UTC-5, Massimo Di Pierro wrote:
>
> I believe these vulnerabilities are fixed by this recent python 2.7 patch:
>
> http://bugs.python.org/issue13636
>
> Can you confirm?
>
> On Saturday, 19 May 2012 15:37:26 UTC-5, mcm wrote:
>>
>> Yes rocket just implements SSL using the default python ssl module. There
>> is some deprecated SSL connection type allowed. Those should be disabled
>> by default.
>>
>> mic
>> On 19 May 2012 21:48, "Massimo Di Pierro" <[email protected]> wrote:
>>
>>> I will need your help understanding this report.
>>>
>>> If I understand it:
>>>
>>> > Session resumption No (IDs assigned but not accepted)
>>>
>>> This is not a vulnerability. Am I right? This is good because sessions
>>> are managed at web2py level.
>>>
>>> > BEAST attack Vulnerable INSECURE
>>> > Secure Renegotiation Supported, with client-initiated renegotiation enabled DoS DANGER
>>>
>>> These two are ssl issues. Am I right? Rocket does not implement its own
>>> ssl. It simply wraps the socket using the python-ssl module. Perhaps there
>>> is a way to configure this wrapper. It would help to know if the
>>> same vulnerabilities arise with other python web servers which use
>>> python-ssl. If not we could see what settings are different.
>>>
>>> Massimo
>>>
>>>
>>> On Friday, 18 May 2012 19:08:27 UTC-5, pyhead wrote:
>>>>
>>>> Analyzing web2py + Rocket (1.2.4) with the SSL Server Test reveals
>>>> vulnerabilities that give it an 'F' rating even when using the strongest
>>>> RSA 4096 bit key. web2py's mission is to provide high security by default
>>>> so it should be hardened to address these issues. Hopefully it is as
>>>> simple as changing the default configuration that ships with web2py. You
>>>> can test your own server here:
>>>>
>>>> https://www.ssllabs.com/ssltest/index.html
>>>>
>>>> Weaknesses Reported
>>>>
>>>> Protocols
>>>> SSL 2.0 INSECURE Yes
>>>>
>>>> Security Vulnerabilities
>>>> - Session resumption No (IDs assigned but not accepted)
>>>> - BEAST attack Vulnerable INSECURE
>>>> (more info) https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
>>>> - Secure Renegotiation Supported, with client-initiated renegotiation enabled DoS DANGER
>>>> (more info) https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
>>>>
>>>> Cipher Suites (sorted by strength; server has no preference)
>>>> SSL_RC4_128_EXPORT40_WITH_MD5 (0x20080) WEAK 40
>>>> SSL_RC2_128_CBC_EXPORT40_WITH_MD5 (0x40080) WEAK 40
>>>> SSL_DES_64_CBC_WITH_MD5 (0x60040) WEAK 56
>>>> TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
>>>>
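The thread's fix was a new default in Python's ssl module (SSL 2.0 and sub-128-bit suites off). As an added example that is not Rocket's or web2py's code, the following shows how a server wrapping its socket with Python 3's ssl module can pin those settings explicitly instead of relying on interpreter defaults, and how to audit the resulting context for the WEAK suites the SSL Labs report listed. The function names and the cipher string are mine; certfile/keyfile are placeholders a real server would fill in.

```python
import ssl

# Cipher string modelled on what the Python 2.7.3 default change did: drop
# export-grade (40-bit), single DES (56-bit), RC4 and MD5-based suites as well
# as anonymous/NULL suites; keep only authenticated suites of >= 128 bits.
HARDENED_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP"


def hardened_server_context(certfile=None, keyfile=None):
    """Build a server-side SSLContext with SSL 2.0/3.0 and weak suites disabled.

    certfile/keyfile are optional so the context can be audited without a
    certificate; a real server passes its PEM paths here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Refuse anything older than TLS 1.2; this also rules out SSL 2.0 and 3.0
    # regardless of what the linked OpenSSL build would otherwise allow.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_ciphers(ctx, min_bits=128):
    """Return names of suites the context would still offer below min_bits.

    This mirrors the SSL Labs check that flagged Rocket: any suite with
    fewer than 128 effective key bits (EXPORT40, DES) is reported as WEAK.
    """
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < min_bits]


def legacy_protocols_enabled(ctx):
    """True if the context could still negotiate SSL 2.0/3.0 or TLS 1.0/1.1."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("weak suites still offered:", weak_ciphers(ctx) or "none")
    print("legacy protocols enabled:", legacy_protocols_enabled(ctx))
```

Run the audit against whatever context your server actually hands to `wrap_socket`; an empty `weak_ciphers()` result and `legacy_protocols_enabled()` returning False correspond to the Protocols and Cipher Suites findings in the report being cleared.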

