Bug#804787: jessie-pu: package servefile/0.4.3-1
On Tue, 2015-11-24 at 18:01 +0100, Sebastian Lohff wrote:
> I attached a new debdiff with a more meaningful changelog.
>
> +servefile (0.4.4-1~deb8u1) jessie; urgency=high
> +
> + * Upstream bugfix release
> + * Fix for path traversal bug in directory listing mode
> + * SSL hardening (prefer TLS1.2/TLS1)
Thanks.
+ # choose TLS1.2 or TLS1, if available
+ sslMethod = None
+ if hasattr(SSL, "TLSv1_2_METHOD"):
+ sslMethod = SSL.TLSv1_2_METHOD
+ elif hasattr(SSL, "TLSv1_METHOD"):
+ sslMethod = SSL.TLSv1_METHOD
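Review bot: in the if/elif chain, `sslMethod` stays `None` when neither `TLSv1_2_METHOD` nor `TLSv1_METHOD` is present, and the visible lines have no else branch for that case; add one that either fails with a clear error or falls back to a negotiating method. The version-specific methods also pin the server to exactly that protocol version, so on a build that has `TLSv1_2_METHOD` a client limited to TLS 1.0 or 1.1 cannot connect, and `TLSv1_1_METHOD` is never tried. Creating the context with `SSL.SSLv23_METHOD` and setting `SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3` on it would let both ends negotiate the highest version they share.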
Why is TLS1.1 explicitly avoided here? Might it make more sense to use
TLS_METHOD and SSL_OP_NO_SSLv3 and let the client and server negotiate
the highest mutually-supported protocol?
Regards,
Adam