OpenBMC and https Vulnerable issue.
Bruce Mitchell
Bruce_Mitchell at phoenix.com
Thu Nov 7 06:31:55 AEDT 2019
>From my investigations on TLS there seems to be 2 issues that could be corrected with OpenBMC's https:
1 Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat
2 LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS
and xc023 ECDHE-ECDSA-AES128-SHA256 ECDH 521 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Present standard of practice seems to be to not allow Secure Client-Initiated Renegotiation and to not allow CBC ciphers.
Is this your understanding as well?
Thank you!
--
Bruce Mitchell
More information about the openbmc
mailing list