[Pkg-haproxy-maintainers] Bug#779333: unblock: pre-approval: haproxy/1.5.8-3

Vincent Bernat bernat at debian.org
Fri Feb 27 10:37:40 UTC 2015


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock

Hey!

Currently, the configuration file shipped with haproxy comes with a
cipher list where RC4 is allowed:

 kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL

Since RC4 is almost broken, it seems a good idea to remove it. To keep
compatibility with older browsers, other ciphers need to be introduced
(3DES). There are many recommended cipher strings in the wild:

 https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
 https://wiki.mozilla.org/Security/Server_Side_TLS
 https://github.com/cloudflare/sslconfig/blob/master/conf

We picked the first one. See the attached debdiff.

Would such a change be accepted for Jessie? Not uploaded yet.

unblock haproxy/1.5.8-3

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: haproxy-rc4.patch
Type: text/x-diff
Size: 1252 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-haproxy-maintainers/attachments/20150227/3641752f/attachment.patch>
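An added example, not part of the original message or of the haproxy package: a static check that walks the OpenSSL cipher strings in an HAProxy configuration and reports directives that still leave RC4 enabled. The directive names are HAProxy's own keywords; the sample configuration is constructed, and only its first cipher string is the one quoted in the message.

```python
import re

# HAProxy keywords whose next word is an OpenSSL cipher string.
CIPHER_KEYWORDS = {"ssl-default-bind-ciphers", "ssl-default-server-ciphers", "ciphers"}
# RC4 as a whole component: 'RC4', 'RC4-SHA', 'ECDHE-RSA-RC4-SHA', 'kRSA+RC4'.
RC4 = re.compile(r"(^|[-+])RC4([-+]|$)")

def rc4_enabled(cipher_string):
    """Walk the cipher string left to right; True if RC4 suites stay enabled.

    Conservative by design: only a bare '!RC4' or '-RC4' counts as removal, and
    aliases such as DEFAULT or MEDIUM are not expanded (that needs OpenSSL).
    """
    enabled = False
    for element in re.split(r"[:, ]+", cipher_string.strip()):
        if not element:
            continue
        prefix, body = (element[0], element[1:]) if element[0] in "!-+" else ("", element)
        if prefix == "!" and body == "RC4":
            return False          # '!' deletes permanently; nothing can re-add it
        if prefix == "-" and body == "RC4":
            enabled = False       # '-' deletes, but a later element may re-add
        elif prefix == "" and RC4.search(body):
            enabled = True        # a plain element adds the suites it selects
        # '+' only moves suites already in the list, so it never adds RC4
    return enabled

def audit(config_text):
    """Return (line_number, keyword, cipher_string) for directives leaving RC4 on."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), 1):
        words = line.split("#", 1)[0].split()      # drop trailing comments
        for i, word in enumerate(words[:-1]):
            if word in CIPHER_KEYWORDS and rc4_enabled(words[i + 1]):
                findings.append((number, word, words[i + 1]))
    return findings

# Constructed sample configuration (paths and the last two cipher strings are made up).
SAMPLE = """\
global
    ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL

frontend www
    bind :443 ssl crt /etc/ssl/private/site.pem ciphers kEECDH+aRSA+AES:kRSA+AES:!RC4:!aNULL
    bind :8443 ssl crt /etc/ssl/private/site.pem ciphers HIGH:-RC4:ECDHE-RSA-RC4-SHA
"""

if __name__ == "__main__":
    for number, keyword, ciphers in audit(SAMPLE):
        print(f"line {number}: {keyword} leaves RC4 enabled: {ciphers}")
```

To confirm what a given build actually negotiates, expand the string with `openssl ciphers -v` on the target host.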


More information about the Pkg-haproxy-maintainers mailing list