On Wed, Dec 21, 2011 at 8:40 AM, Vincent Bernat <bernat@debian.org> wrote:
> More important, lighttp uses OpenSSL which is not compatible with TLS
> 1.2. Therefore, the above cipher list is the same as:
> RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
>
> (you can check the output of "openssl ciphers")

Isn't aNULL disabled by default? Same for MD5?
Shouldn't this be handled in OpenSSL instead of in every app using OpenSSL?

Olaf