Package: lighttpd
Version: 1.4.31-4+deb7u3
Tags: patch

Hi,
looking at CVE-2014-3566 ("POODLE") it seems a very good idea to finally disable SSL 3.0 by default ("secure by default").

Please test the attached patch.

Cheers
Christian Tacke
--
www.cosmokey.com
--- ./debian/conf-available/10-ssl.conf~ 2014-08-18 05:39:29.000000000 +0200 +++ ./debian/conf-available/10-ssl.conf 2014-10-17 13:08:31.422963903 +0200 @@ -6,4 +6,5 @@ ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" ssl.honor-cipher-order = "enable" + ssl.use-sslv3 = "disable" }
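Review bot: the hunk leaves `RC4` in ssl.cipher-list, so a client that this patch keeps off SSL 3.0 can still negotiate RC4 over TLS on the same socket; if the intent is "secure by default", drop `RC4` from the list in the same change or state why it stays. Since the edited file is a conffile shipped under /etc/lighttpd/conf-available/, installations whose admins have already modified 10-ssl.conf will not receive the new line on upgrade, so a debian/NEWS entry or README.Debian note pointing them at `ssl.use-sslv3 = "disable"` is needed alongside the patch. After applying, verify on the running server with `openssl s_client -connect host:443 -ssl3`, which should now fail to complete the handshake, while `-tls1` still succeeds.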
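For reference, here is the complete HTTPS socket block the patch's one-line change belongs in, written as an added example rather than taken from the bug report or the Debian package. It goes one step beyond the patch by also removing RC4 from the cipher list; the socket address and the PEM path are assumed placeholders.

```lighttpd
# Added example, not the packaged 10-ssl.conf: a lighttpd 1.4.31 HTTPS
# socket block with SSL 2.0 and SSL 3.0 refused and RC4 removed.
# Assumptions: "0.0.0.0:443" and the pemfile path are placeholders.
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"   # assumed path, cert + key in one file

    # Refuse both legacy SSL versions explicitly. SSL 3.0 is the protocol
    # POODLE (CVE-2014-3566) attacks; what remains is TLS 1.0 and up.
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"

    # The packaged list with RC4 dropped, otherwise unchanged, so a client
    # that can no longer speak SSL 3.0 cannot fall back to RC4 over TLS.
    ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
    ssl.honor-cipher-order = "enable"
}
```

Check the syntax with `lighttpd -t -f /etc/lighttpd/lighttpd.conf` before restarting. Once the server is up, `openssl s_client -connect localhost:443 -ssl3` should fail to complete the handshake and `openssl s_client -connect localhost:443 -tls1` should succeed; the `Cipher` line of the latter should never show an RC4 suite.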