NetBSD Problem Report #51278
From www@NetBSD.org Sun Jun 26 14:09:56 2016
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id 5351C7A478
for <gnats-bugs@gnats.NetBSD.org>; Sun, 26 Jun 2016 14:09:56 +0000 (UTC)
Message-Id: <20160626140955.64EBB7AB3C@mollari.NetBSD.org>
Date: Sun, 26 Jun 2016 14:09:55 +0000 (UTC)
From: k+netbsd@karlos.cz
Reply-To: k+netbsd@karlos.cz
To: gnats-bugs@NetBSD.org
Subject: bozohttpd limited cipher sets after upgrade to NetBSD 7.0.1
X-Send-Pr-Version: www-1.0
>Number: 51278
>Category: bin
>Synopsis: bozohttpd limited cipher sets after upgrade to NetBSD 7.0.1
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Jun 26 14:10:01 +0000 2016
>Closed-Date: Tue Aug 24 09:54:14 +0000 2021
>Last-Modified: Sun Feb 04 06:15:03 +0000 2024
>Originator: Karel Hendrych
>Release:
>Organization:
>Environment:
NetBSD shell.jnpr.cz 7.0.1 NetBSD 7.0.1 (GENERIC.201605221355Z) amd64
>Description:
After upgrading to NetBSD 7.0.1, bozohttpd seems to have limited cipher sets. No DH sets. Without the -z parameter only the following are working:
OK: AES256-GCM-SHA384
OK: AES256-SHA256
OK: AES128-GCM-SHA256
OK: AES128-SHA256
-z HIGH parameter:
OK: AES256-GCM-SHA384
OK: AES256-SHA256
OK: AES256-SHA
OK: CAMELLIA256-SHA
OK: AES128-GCM-SHA256
OK: AES128-SHA256
OK: AES128-SHA
OK: CAMELLIA128-SHA
OK: DES-CBC3-SHA
-z ALL:
OK: AES256-GCM-SHA384
OK: AES256-SHA256
OK: AES256-SHA
OK: CAMELLIA256-SHA
OK: AES128-GCM-SHA256
OK: AES128-SHA256
OK: AES128-SHA
OK: SEED-SHA
OK: CAMELLIA128-SHA
OK: IDEA-CBC-SHA
OK: RC4-SHA
OK: RC4-MD5
OK: DES-CBC3-SHA
Anyone seeing the same? Didn't dig deeper than a quick black-box-like test.
Thanks!
>How-To-Repeat:
Install SSL (in my case RSA) certificate and try:
for i in $(openssl ciphers -v | cut -f 1 -d " "); do echo | openssl s_client -host localhost -port 443 -cipher "$i" > /dev/null 2>&1 && echo "OK: $i" || echo "FAIL: $i"; done
>Fix:
>Release-Note:
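Added example (not part of the original report or of bozohttpd): a way to summarise the OK:/FAIL: output of the probe loop above, showing how many accepted suites use an authenticated ephemeral key exchange and how many are RC4 or 64-bit-block ciphers. The function names are hypothetical; the sample input is the "-z ALL" list from the report, plus two FAIL lines constructed for illustration.

```shell
#!/bin/sh
# Summarise "OK: <cipher>" / "FAIL: <cipher>" lines from the probe loop.

# Sample input: the accepted list the report gives for "-z ALL".
# The two FAIL lines are constructed; the report does not list failures.
sample_all() {
cat <<'EOF'
OK: AES256-GCM-SHA384
OK: AES256-SHA256
OK: AES256-SHA
OK: CAMELLIA256-SHA
OK: AES128-GCM-SHA256
OK: AES128-SHA256
OK: AES128-SHA
OK: SEED-SHA
OK: CAMELLIA128-SHA
OK: IDEA-CBC-SHA
OK: RC4-SHA
OK: RC4-MD5
OK: DES-CBC3-SHA
FAIL: ECDHE-RSA-AES256-GCM-SHA384
FAIL: DHE-RSA-AES256-SHA
EOF
}

# summarise: read probe output on stdin and print one line of counts.
#   pfs    = authenticated ephemeral key exchange: OpenSSL names starting
#            ECDHE-, DHE- or EDH-, or TLS 1.3 names starting TLS_
#   other  = everything else; a name with no key-exchange prefix, as in the
#            report's lists, means static RSA key transport
#   legacy = RC4, or a 64-bit block cipher (3DES, IDEA)
summarise() {
    awk '
    $1 == "OK:" {
        accepted++
        if ($2 ~ /^(ECDHE|DHE|EDH)-/ || $2 ~ /^TLS_/) pfs++; else other++
        if ($2 ~ /RC4|DES-CBC3|IDEA/) legacy++
    }
    END { printf "accepted=%d pfs=%d other=%d legacy=%d\n",
                 accepted, pfs, other, legacy }'
}

# has_pfs: exit status 0 if at least one accepted suite is forward secret.
has_pfs() {
    awk '$1 == "OK:" && ($2 ~ /^(ECDHE|DHE|EDH)-/ || $2 ~ /^TLS_/) { found = 1 }
         END { exit !found }'
}

sample_all | summarise
```

To use it on a live server, pipe the output of the probe loop into summarise instead of sample_all.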
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: mrg@NetBSD.org
State-Changed-When: Tue, 24 Aug 2021 09:54:14 +0000
State-Changed-Why:
updated list of ciphers has been committed.
From: "matthew green" <mrg@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/51278 CVS commit: src/libexec/httpd
Date: Tue, 24 Aug 2021 09:53:26 +0000
Module Name: src
Committed By: mrg
Date: Tue Aug 24 09:53:26 UTC 2021
Modified Files:
src/libexec/httpd: CHANGES ssl-bozo.c
Log Message:
extend the list of available ciphers to include most of the
openssl "HIGH" with some additional disables. retain the current
list of bad options. should deal with PR#51278.
To generate a diff of this commit:
cvs rdiff -u -r1.50 -r1.51 src/libexec/httpd/CHANGES
cvs rdiff -u -r1.30 -r1.31 src/libexec/httpd/ssl-bozo.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "matthew green" <mrg@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/51278 CVS commit: pkgsrc/www/bozohttpd
Date: Wed, 18 May 2022 00:46:46 +0000
Module Name: pkgsrc
Committed By: mrg
Date: Wed May 18 00:46:46 UTC 2022
Modified Files:
pkgsrc/www/bozohttpd: Makefile distinfo
Log Message:
update to bozohttpd 20220517. changes include:
o remove obsolete .bzdirect handling.
o new "-m tlsversion" option to set the minimum TLS version
available. partially from <sunil@nimmagadda.net>.
o extend the list of available ciphers to include most of the
openssl "HIGH" with some additional disables. retain the current
list of bad options. should deal with PR#51278.
o don't assume host BUFSIZ is sufficient. small BUFSIZ leads to
always happens errors in the testsuite. switch all these buffers
to be 4KiB sized. reported by embr <git@liclac.eu>
o fix a denial of service attack against initial request contents,
now bounded at 16KiB. reported by Justin Parrott in PR#56085
o new support for content types: .tar.bz2, .tar.xz, .tar.lz,
.tar.zst, .tbz2, .txz, .tlz, .zipx, .xz, .zst, .sz, .lz, .lzma,
.lzo, .7z, .lzo, .cab, .dmg, .jar, and .rar. should fix
netbsd PR#56026:
MIME type of .tar.xz file on ny{cdn,ftp}.NetBSD.org is invalid
o fix various NULL derefs from malformed headers. mostly from
<emily@ingalls.rocks>.
o fix memory leaks in library interface: add bozo_cleanup().
To generate a diff of this commit:
cvs rdiff -u -r1.97 -r1.98 pkgsrc/www/bozohttpd/Makefile
cvs rdiff -u -r1.76 -r1.77 pkgsrc/www/bozohttpd/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "matthew green" <mrg@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/51278 CVS commit: pkgsrc/www/bozohttpd
Date: Sun, 4 Feb 2024 06:13:49 +0000
Module Name: pkgsrc
Committed By: mrg
Date: Sun Feb 4 06:13:49 UTC 2024
Modified Files:
pkgsrc/www/bozohttpd: Makefile distinfo
Log Message:
update to bozohttpd 20240126.
changes include:
o add some more default mime types.
o fix memory leaks. from shm.
o fix reading 2 bytes beyond '%', possibly not mapped. from shm.
o support openssl 3. from christos.
o add -q option to not log. from martin.
o fix default return value of bozo_set_defaults(), PR#54785.
o remove obsolete .bzdirect handling.
o new "-m tlsversion" option to set the minimum TLS version
available. partially from <sunil@nimmagadda.net>.
o extend the list of available ciphers to include most of the
openssl "HIGH" with some additional disables. retain the current
list of bad options. should deal with PR#51278.
To generate a diff of this commit:
cvs rdiff -u -r1.99 -r1.100 pkgsrc/www/bozohttpd/Makefile
cvs rdiff -u -r1.77 -r1.78 pkgsrc/www/bozohttpd/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted:
Copyright © 1994-2024
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.