Re: [pkg-lighttpd] [SECURITY] [DSA 2368-1] lighttpd security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
FYI, forwarding to Vincent:
On 21.12.2011 11:39, Olaf van der Spek wrote:
> On Wed, Dec 21, 2011 at 8:40 AM, Vincent Bernat <bernat@debian.org> wrote:
>> More important, lighttp uses OpenSSL which is not compatible with TLS
>> 1.2. Therefore, the above cipher list is the same as:
>> RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
>>
>> (you can check the output of "openssl ciphers")
>
> Isn't aNULL disabled by default?
> Same for MD5?
> Shouldn't this be handled in OpenSSL instead of in every app using OpenSLL?
Vincent:
I'm sorry you're right. I was indeed misleading as I just copied the
NEWS entry I wrote for Unstable where things are slightly different. I
admit I shouldn't have copied it for Stable and Unstable as it was, as
things are not directly adaptable there.
Regarding your comments I can see how I could have been more clear but I
think the things you mentioned aren't that crucial it would justify a
new DSA. I will however reformulate some parts for the next Unstable
upload.
- --
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJO8yTGAAoJEMcrUe6dgPNtqGEP/3afytDEdlWrJ5z3O5lgfD1V
zdINEnQ36vRwni7dXHHm3q+EQ+xuoB8Ojc+rNQrGcKcAKwFrbbRaIXlvcJaZjKXQ
uirTavsdebnRlWU2U+v7Jx7ETmsKe6ozjYEurtkuB8oO2H8YQfFvREnHKtU+mliS
Na6dsp8x+JzrH9aph9ad0HelUS9Ae8RTmOy2fHuUo3fdriY5QbX5va468RrtSrws
PLD/FvYLkgETlZ10GiMIA9pBW9GmHLk/Xmy6DEFNs/k4iaxT5uVxgPGEyoD1Nyh0
6CganKOSxSWKM3mHf2j8ZgL0hFXNdvqgYOlbn6+Ik2FQjjjB9LeoCqarLo0KHhkm
rAeM8DKQQmC4frDZ6c6gIR+QqjYkkeNUMbNrp6p1gMjiHq/Q1dqda+IZSy13jmBD
YXLVLKFuhPbOpK3+J920euZvabM7Btqp4pzMQAkX8el/+PJPWlaGqL09ZMbCudN/
CtjwuY02EzUxLu/hq5CIYPILbGV0TS2UZDv3+Zj+RnwN4y+Qs0PIiFr9/7ln/ZOg
SfWIg2pkrYNZpnNJsLDa0DU269YgISSNc34Ei9vnRMa6zvgTeEuPDs+oPDw1dDbV
caJ21KqKJMbtxQK0wEISNas41bwC93Uy7SstI3HU4ppIp9n+L4+5TXEFPdHv69AX
x6W4I59FjgAvmCej89aZ
=U1jt
-----END PGP SIGNATURE-----
Reply to: