Re: [pkg-lighttpd] [SECURITY] [DSA 2368-1] lighttpd security update

To: debian-security@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>
Subject: Re: [pkg-lighttpd] [SECURITY] [DSA 2368-1] lighttpd security update
From: Olaf van der Spek <olafvdspek@gmail.com>
Date: Wed, 21 Dec 2011 11:39:32 +0100
Message-id: <[🔎] CAA7U3HOd2OnXcOFQHy19MWverzfU=FkUSERcBim8QQVPOp=RkA@mail.gmail.com>
In-reply-to: <[🔎] m3zkems78i.fsf@neo.luffy.cx>
References: <20111221002451.GA10089@ngolde.de> <[🔎] m3zkems78i.fsf@neo.luffy.cx>

On Wed, Dec 21, 2011 at 8:40 AM, Vincent Bernat <bernat@debian.org> wrote:
> More important,  lighttp uses OpenSSL  which is not compatible  with TLS
> 1.2. Therefore, the above cipher list is the same as:
>  RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
>
> (you can check the output of "openssl ciphers")

Isn't aNULL disabled by default?
Same for MD5?
Shouldn't this be handled in OpenSSL instead of in every app using OpenSLL?

Olaf

Reply to:

Follow-Ups:
- Re: [pkg-lighttpd] [SECURITY] [DSA 2368-1] lighttpd security update
  - From: Nico Golde <debian-security+ml@ngolde.de>
- Re: [pkg-lighttpd] [SECURITY] [DSA 2368-1] lighttpd security update
  - From: Arno Töll <debian@toell.net>

References:
- Re: [SECURITY] [DSA 2368-1] lighttpd security update
  - From: Vincent Bernat <bernat@debian.org>

Prev by Date: Re: [SECURITY] [DSA 2368-1] lighttpd security update
Next by Date: Re: [pkg-lighttpd] [SECURITY] [DSA 2368-1] lighttpd security update
Previous by thread: Re: [SECURITY] [DSA 2368-1] lighttpd security update
Next by thread: Re: [pkg-lighttpd] [SECURITY] [DSA 2368-1] lighttpd security update
Index(es):
- Date
- Thread