OpenBMC and https Vulnerable issue.

Bruce Mitchell Bruce_Mitchell at phoenix.com
Thu Nov 7 06:31:55 AEDT 2019


>From my investigations on TLS there seems to be 2 issues that could be corrected with OpenBMC's https:
  1  Secure Client-Initiated Renegotiation     VULNERABLE (NOT ok), DoS threat
  2  LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS 
     and xc023   ECDHE-ECDSA-AES128-SHA256         ECDH 521   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

Present standard of practice seems to be to not allow Secure Client-Initiated Renegotiation and to not allow CBC ciphers.

Is this your understanding as well?

Thank you!

-- 
Bruce Mitchell



More information about the openbmc mailing list