
Re: [pkg-lighttpd] [SECURITY] [DSA 2368-1] lighttpd security update



Hi,
* Olaf van der Spek <olafvdspek@gmail.com> [2011-12-21 12:01]:
> On Wed, Dec 21, 2011 at 8:40 AM, Vincent Bernat <bernat@debian.org> wrote:
> > More important, lighttpd uses OpenSSL which is not compatible with TLS
> > 1.2. Therefore, the above cipher list is the same as:
> >  RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
> >
> > (you can check the output of "openssl ciphers")
> 
> Isn't aNULL disabled by default?
> Same for MD5?
> Shouldn't this be handled in OpenSSL instead of in every app using OpenSSL?

There would've been no DSA for this issue alone. But since the signedness 
issue was fixed anyway it seems pointless to not include another improvement 
in the same update.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
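The thread above argues that, on an OpenSSL without TLS 1.2, the DSA's cipher list collapses to "RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM", and suggests checking with "openssl ciphers". The following is an added example, not part of the thread or of the lighttpd/Debian update: it does the same expansion from Python's ssl module (which drives whatever OpenSSL the interpreter was linked against, so the exact lists depend on that version) and lets you compare two cipher strings or look for anonymous and MD5 suites left in a list. The function names and the sample strings other than the one quoted above are this example's own choices.

```python
"""Expand and compare OpenSSL cipher-list strings the way `openssl ciphers`
does, via the ssl module. Added example; results depend on the OpenSSL build
Python is linked against."""
from __future__ import annotations

import ssl


def expand(spec: str) -> list[str]:
    """Return the ordered cipher names OpenSSL selects for `spec`.

    Mirrors `openssl ciphers <spec>`. On OpenSSL 1.1.1+ the TLS 1.3 suites are
    appended by OpenSSL regardless of `spec`; they are controlled separately.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if no cipher matches at all
    return [c["name"] for c in ctx.get_ciphers()]


def same_list(spec_a: str, spec_b: str) -> bool:
    """True when both strings expand to the identical ordered cipher list,
    i.e. the check the thread proposes doing by eye on `openssl ciphers`."""
    return expand(spec_a) == expand(spec_b)


def offending(spec: str, *fragments: str) -> list[str]:
    """Cipher names selected by `spec` whose name contains any of `fragments`
    (e.g. 'MD5', 'ADH', 'AECDH', 'NULL'). An empty list means none slipped in."""
    return [name for name in expand(spec) if any(f in name for f in fragments)]


if __name__ == "__main__":
    # The reduced list quoted in the thread.
    dsa_list = "RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
    try:
        print("cipher list:", expand(dsa_list))
        print("anonymous/MD5 suites left:", offending(dsa_list, "MD5", "ADH", "AECDH"))
    except ssl.SSLError as exc:  # e.g. RC4 removed and nothing else matches
        print("OpenSSL rejected the string:", exc)
    # Olaf's question: does DEFAULT already exclude aNULL and MD5 suites?
    print("DEFAULT keeps aNULL suites:", bool(offending("DEFAULT", "ADH", "AECDH")))
    print("DEFAULT keeps MD5 suites:", bool(offending("DEFAULT", "MD5")))
    # Constructed pair: '!eNULL' is redundant after 'HIGH', so the lists match.
    print("HIGH:!aNULL == HIGH:!aNULL:!eNULL:", same_list("HIGH:!aNULL", "HIGH:!aNULL:!eNULL"))
```

Because the expansion is done by the OpenSSL library itself rather than by reimplementing its alias rules, the output is authoritative for the build in use, which is the point: a cipher string is only as safe as what the linked OpenSSL actually turns it into.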
