
Re: Bug#765512: general: distrust old crypto algos and protocols per default



On 16 October 2014 10:44, brian m. carlson <sandals@crustytoothpaste.net> wrote:
> Unfortunately, not all upstreams make good decisions.  OpenSSL ships
> with a set of default ciphers that is completely insecure.  There is no
> reason that every application using OpenSSL directly or indirectly[0]
> should have to disable exportable ciphers, especially since almost
> nobody uses them (nor wants to).  HIGH:MEDIUM:!aNULL is a better
> default.

What about security updates? Should Debian be releasing wheezy security updates for browsers, web servers, etc., that disable SSLv3 by default now that SSLv3 is considered insecure?
-- 
Brian May <brian@microcomaustralia.com.au>
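
An added example, not part of the original message or of any Debian or OpenSSL code: one way to check what a cipher string such as the HIGH:MEDIUM:!aNULL quoted above expands to on the local OpenSSL build, and whether a fresh context has SSLv3 switched off. The function names and the two sample entries are assumptions made for illustration; the samples are constructed in the format of OpenSSL's cipher descriptions.

```python
import ssl

def classify(cipher, min_bits=112):
    """Return the reasons one SSLContext.get_ciphers() entry should not be offered."""
    desc, problems = cipher.get("description", ""), []
    if "Au=None" in desc:
        problems.append("anonymous (aNULL)")
    if "Enc=None" in desc:
        problems.append("no encryption (eNULL)")
    if cipher["name"].startswith("EXP"):
        problems.append("export-grade")
    if cipher.get("strength_bits", 0) < min_bits:
        problems.append("under %d bits" % min_bits)
    return problems

def audit_cipher_string(cipher_string):
    """Expand a cipher string with the local OpenSSL; map weak cipher names to reasons."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    ciphers = ctx.get_ciphers()
    weak = {c["name"]: classify(c) for c in ciphers if classify(c)}
    return ciphers, weak

def sslv3_disabled(ctx=None):
    """True if the context (a fresh client context by default) refuses SSLv3."""
    ctx = ctx or ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return bool(ctx.options & ssl.OP_NO_SSLv3)

# Constructed sample entries (not captured output) for suites that current
# OpenSSL builds usually no longer ship, so the checks above can be exercised.
SAMPLE_ANON = {"name": "ADH-AES128-SHA", "strength_bits": 128,
               "description": "ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1"}
SAMPLE_EXPORT = {"name": "EXP-RC4-MD5", "strength_bits": 40,
                 "description": "EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export"}

if __name__ == "__main__":
    ciphers, weak = audit_cipher_string("HIGH:MEDIUM:!aNULL")
    print("%d ciphers enabled, %d flagged" % (len(ciphers), len(weak)))
    for name, reasons in sorted(weak.items()):
        print("  %-32s %s" % (name, ", ".join(reasons)))
    print("SSLv3 disabled in a fresh context:", sslv3_disabled())
    for sample in (SAMPLE_ANON, SAMPLE_EXPORT):
        print("  sample %-25s %s" % (sample["name"], ", ".join(classify(sample))))
```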
