On 16 October 2014 10:44, brian m. carlson <sand...@crustytoothpaste.net> wrote:
> Unfortunately, not all upstreams make good decisions. OpenSSL ships
> with a set of default ciphers that is completely insecure. There is no
> reason that every application using OpenSSL directly or indirectly[0]
> should have to disable exportable ciphers, especially since almost
> nobody uses them (nor wants to). HIGH:MEDIUM:!aNULL is a better
> default.

What about security updates? Should Debian be releasing wheezy security updates for browsers, web servers, etc, that disable SSLv3 by default now that SSLv3 is considered insecure?

--
Brian May <br...@microcomaustralia.com.au>