
Re: [pkg-lighttpd] [SECURITY] [DSA 2368-1] lighttpd security update



On Wed, Dec 21, 2011 at 8:40 AM, Vincent Bernat <bernat@debian.org> wrote:
> More important, lighttpd uses OpenSSL which is not compatible with TLS
> 1.2. Therefore, the above cipher list is the same as:
>  RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
>
> (you can check the output of "openssl ciphers")

Isn't aNULL disabled by default?
Same for MD5?
Shouldn't this be handled in OpenSSL instead of in every app using OpenSSL?

Olaf

