Hi,
* Olaf van der Spek <olafvdspek@gmail.com> [2011-12-21 12:01]:
> On Wed, Dec 21, 2011 at 8:40 AM, Vincent Bernat <bernat@debian.org> wrote:
> > More important, lighttpd uses OpenSSL which is not compatible with TLS
> > 1.2. Therefore, the above cipher list is the same as:
> > RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
> >
> > (you can check the output of "openssl ciphers")
>
> Isn't aNULL disabled by default?
> Same for MD5?
> Shouldn't this be handled in OpenSSL instead of in every app using OpenSSL?

There would've been no DSA for this issue alone. But since the signedness issue
was fixed anyway it seems pointless to not include another improvement in the
same update.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.