Analyzing web2py + Rocket (1.2.4) with the SSL Server Test reveals vulnerabilities that give it an 'F' rating even when using the strongest RSA 4096-bit key. web2py's mission is to provide high security by default, so it should be hardened to address these issues. Hopefully it is as simple as changing the default configuration that ships with web2py. You can test your own server here:
https://www.ssllabs.com/ssltest/index.html

Weaknesses Reported

Protocols
 - SSL 2.0: Yes, INSECURE

Security Vulnerabilities
 - Session resumption: No (IDs assigned but not accepted)
 - BEAST attack: Vulnerable, INSECURE (more info: https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls)
 - Secure Renegotiation: Supported, with client-initiated renegotiation enabled, DoS DANGER (more info: https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks)

Cipher Suites (sorted by strength; server has no preference)
 - SSL_RC4_128_EXPORT40_WITH_MD5 (0x20080) WEAK 40
 - SSL_RC2_128_CBC_EXPORT40_WITH_MD5 (0x40080) WEAK 40
 - SSL_DES_64_CBC_WITH_MD5 (0x60040) WEAK 56
 - TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
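For anyone who wants to see what "changing the default configuration" would amount to, here is an added example (my own code, not anything from web2py or Rocket) that builds a hardened ssl.SSLContext addressing each finding in the report above: protocol floor raised to TLS 1.2 (which removes SSL 2.0/3.0 and the TLS 1.0 CBC mode BEAST depends on), server cipher preference switched on, the export/DES/RC4/MD5 suites dropped, and renegotiation refused. It assumes a Python 3.7+ build on OpenSSL 1.1.0g or newer and a server that can be handed an SSLContext; the function and constant names are this example's own. The audit function checks a context against the same categories the SSL Labs report uses, so you can confirm the weak suites are gone before re-running the online test.

```python
"""Hardened TLS server context for a Python HTTPS server such as web2py's Rocket.

Added example, not web2py or Rocket code. Assumes the server accepts an
ssl.SSLContext; names here are the example's own. Needs Python 3.7+ on
OpenSSL 1.1.0g or newer (for minimum_version).
"""
import ssl

# Suites quoted in the SSL Labs report above, in the IANA-style names SSL Labs prints.
REPORTED_WEAK_SUITES = [
    "SSL_RC4_128_EXPORT40_WITH_MD5",
    "SSL_RC2_128_CBC_EXPORT40_WITH_MD5",
    "SSL_DES_64_CBC_WITH_MD5",
    "TLS_RSA_WITH_DES_CBC_SHA",
]

# Substrings that mark a suite as weak in either IANA names (SSL Labs) or OpenSSL
# names (SSLContext.get_ciphers): export grades, RC4/RC2, single and triple DES,
# MD5, NULL encryption, anonymous key exchange.
WEAK_MARKERS = ("EXPORT", "EXP-", "RC4", "RC2", "DES", "MD5", "NULL", "ANON", "ADH", "AECDH")

# OpenSSL cipher string: strong suites only, minus the families the report flagged.
HARDENED_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5"


def is_weak_suite(name):
    """True if a cipher suite name (IANA or OpenSSL form) matches a weak marker."""
    upper = name.upper()
    return any(marker in upper for marker in WEAK_MARKERS)


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side SSLContext that addresses each finding in the report."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Protocol floor. SSL 2.0 is not compiled into modern OpenSSL at all, but pinning
    # the minimum to TLS 1.2 also drops SSL 3.0 and the TLS 1.0 CBC mode BEAST relies on.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # The report says "server has no preference": let the server dictate suite order.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.options |= ssl.OP_NO_COMPRESSION
    # Refuse client-initiated renegotiation (the DoS finding). The constant exists on
    # Python 3.7+ with OpenSSL 1.1.0h+; on older builds it is simply not applied.
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    ctx.set_ciphers(HARDENED_CIPHERS)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx):
    """Summarise a context in the report's categories: floor, preference, weak suites."""
    negotiable = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "server_preference": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
        "renegotiation_disabled": bool(ctx.options & getattr(ssl, "OP_NO_RENEGOTIATION", 0)),
        "weak_suites": [n for n in negotiable if is_weak_suite(n)],
        "suite_count": len(negotiable),
    }


if __name__ == "__main__":
    print("reported suites flagged weak:",
          [s for s in REPORTED_WEAK_SUITES if is_weak_suite(s)])
    print(audit_context(hardened_server_context()))
```

Note that "Session resumption: No (IDs assigned but not accepted)" is a server-side session cache matter rather than a context option, so it is not covered here; the remaining four findings are.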