Package: libssl1.0.0 Version: 1.0.1f-1 Severity: important Tags: security The default cipher list for OpenSSL is not secure. It includes low-strength and export ciphers, which should not be enabled unless absolutely necessary. Other TLS implementations do not do this, and neither should OpenSSL. This also forces every user of OpenSSL to configure sensible defaults instead of doing it in one place.
An acceptable default would be HIGH:MEDIUM:!aNULL:!eNULL:!MD5. -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages libssl1.0.0 depends on: ii cdebconf [debconf-2.0] 0.187 ii debconf [debconf-2.0] 1.5.52 ii libc6 2.17-97 ii multiarch-support 2.17-97 libssl1.0.0 recommends no packages. libssl1.0.0 suggests no packages. -- debconf information excluded -- brian m. carlson / brian with sandals: Houston, Texas, US +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
signature.asc
Description: Digital signature

