[pkg-lighttpd] [SECURITY] [DSA 2368-1] lighttpd security update
Olaf van der Spek
olafvdspek at gmail.com
Wed Dec 21 10:39:32 UTC 2011
On Wed, Dec 21, 2011 at 8:40 AM, Vincent Bernat <bernat at debian.org> wrote:
> More important, lighttpd uses OpenSSL which is not compatible with TLS
> 1.2. Therefore, the above cipher list is the same as:
> RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
>
> (you can check the output of "openssl ciphers")
Isn't aNULL disabled by default?
Same for MD5?
Shouldn't this be handled in OpenSSL instead of in every app using OpenSSL?
Olaf