Bug#765702: lighttpd: Disable SSL 3.0
Package: lighttpd
Version: 1.4.31-4+deb7u3
Tags: patch

Hi,

looking at CVE-2014-3566 (POODLE) it seems a very good idea to finally disable SSL 3.0 by default (secure by default).

Please test attached patch.

Cheers
Christian Tacke
--
www.cosmokey.com

--- ./debian/conf-available/10-ssl.conf~ 2014-08-18 05:39:29.0 +0200 +++ ./debian/conf-available/10-ssl.conf 2014-10-17 13:08:31.422963903 +0200 @@ -6,4 +6,5 @@ ssl.cipher-list = ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM ssl.honor-cipher-order = enable + ssl.use-sslv3 = disable }
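Review bot: the added `ssl.use-sslv3 = disable` in the `$SERVER["socket"]` block of 10-ssl.conf appears with an unquoted value, as do the context lines around it; lighttpd's configuration language takes string values in double quotes (`ssl.use-sslv3 = "disable"`), and an unquoted word is parsed as a reference to a config variable, which is undefined here and stops the server from starting. If the quotes were only lost in rendering, please still run `lighttpd -t -f /etc/lighttpd/lighttpd.conf` against the patched file before upload. The check matters even more for the backports to stable and squeeze-lts requested later in the thread: lighttpd 1.4 logs an unknown config key as "unknown config-key ... (ignored)" and keeps running, so on a version that does not know `ssl.use-sslv3` the patch would apply cleanly and silently leave SSLv3 enabled. Confirm the directive is supported by each target version. Finally, the line only covers this one socket block; any other block with `ssl.engine` enabled needs the same directive, which is worth saying in a comment next to it or in the package's SSL documentation.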
Bug#765702: lighttpd: Disable SSL 3.0
Hi,

On Fri, 17 Oct 2014 14:39:52 +0200 Christian Tacke <christian.tacke+debian@cosmokey.com> wrote:
> Hi,
>
> looking at CVE-2014-3566 (POODLE) it seems a very good idea to finally disable SSL 3.0 by default (secure by default).
>
> Please test attached patch.

I'd say go with this instead:
http://git.lighttpd.net/lighttpd/lighttpd-1.x.git/commit/?id=084df7e99a8738be79f83e330415a8963280dc4a

You can still add the option in the config example of course, or just mention its existence there.

regards,
Stefan
Bug#765702: lighttpd: Disable SSL 3.0
Hi,

On Fri, Oct 17, 2014 at 18:47:50 +0200, Stefan Bühler wrote:
[...]
> I'd say go with this instead:
> http://git.lighttpd.net/lighttpd/lighttpd-1.x.git/commit/?id=084df7e99a8738be79f83e330415a8963280dc4a

That also works of course. Go with whatever makes maintainers happy. Just please consider backporting to stable and even squeeze-lts.

> You can still add the option in the config example of course, or just mention its existence there.

Yeah, mentioning it might be a good option, so people who absolutely need sslv3 have an easy knob to change.

> regards,
> Stefan

Cheers
Christian
--
www.cosmokey.com
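The check below is an added example; it is not code from this bug thread, from Debian or from lighttpd. It parses only the subset of lighttpd's config syntax that Debian's 10-ssl.conf uses (quoted `key = "value"` assignments and `$SERVER["socket"] == "..." { }` blocks; the parser, the function names and the three sample configurations are all constructed for this example) and reports every SSL-enabled socket block that does not carry `ssl.use-sslv3 = "disable"`, assuming the default that the linked lighttpd commit changes, under which SSLv3 stays on unless the directive turns it off. It also rejects an unquoted value such as `ssl.use-sslv3 = disable`, which lighttpd would read as a reference to a config variable rather than as the string "disable".

```python
"""Audit a lighttpd 1.4.x config excerpt for SSLv3 left enabled.

Added example; not part of the Debian bug thread or of lighttpd.
Assumptions (specific to this example): only `key = "string"` lines and
`$SERVER["socket"] == "addr" { ... }` blocks are understood, and SSLv3 is
taken to be enabled unless ssl.use-sslv3 is set to "disable" (the default
before lighttpd changed it upstream).
"""
import re

ASSIGN = re.compile(r'^\s*([A-Za-z0-9_.-]+)\s*=\s*(.+?)\s*$')
BLOCK_OPEN = re.compile(r'^\s*\$SERVER\["socket"\]\s*==\s*"([^"]+)"\s*\{\s*$')


def parse_conf(text):
    """Return ({block_name: {key: value}}, [error strings]).

    Top-level settings are stored under the block name "".  String values
    must be double-quoted; an unquoted word is reported as an error because
    lighttpd would treat it as a variable reference, not as a string.
    """
    settings = {"": {}}
    errors = []
    current = ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = BLOCK_OPEN.match(line)
        if m:
            current = m.group(1)
            settings.setdefault(current, {})
            continue
        if line.strip() == "}":
            current = ""
            continue
        m = ASSIGN.match(line)
        if not m:
            errors.append(f"line {lineno}: unparsed: {line.strip()}")
            continue
        key, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            settings[current][key] = value[1:-1]
        else:
            errors.append(f"line {lineno}: {key}: value must be quoted, got {value}")
    return settings, errors


def sslv3_exposed(settings):
    """Names of blocks that enable ssl.engine without disabling SSLv3."""
    return [name for name, kv in settings.items()
            if kv.get("ssl.engine") == "enable"
            and kv.get("ssl.use-sslv3", "enable") != "disable"]


# Constructed inputs modelled on Debian's conf-available/10-ssl.conf.
WHEEZY_CONF = '''
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"
    ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
    ssl.honor-cipher-order = "enable"
}
'''

# Same block with the directive from the bug report, correctly quoted.
FIXED_CONF = WHEEZY_CONF.replace(
    '    ssl.honor-cipher-order = "enable"\n',
    '    ssl.honor-cipher-order = "enable"\n    ssl.use-sslv3 = "disable"\n')

# Same block with the value unquoted, as the patch is rendered in the thread.
UNQUOTED_CONF = FIXED_CONF.replace('ssl.use-sslv3 = "disable"',
                                   'ssl.use-sslv3 = disable')


def audit(text):
    """Convenience wrapper: (exposed block names, syntax errors)."""
    settings, errors = parse_conf(text)
    return sslv3_exposed(settings), errors


if __name__ == "__main__":
    for label, conf in (("wheezy", WHEEZY_CONF), ("fixed", FIXED_CONF),
                        ("unquoted", UNQUOTED_CONF)):
        exposed, errors = audit(conf)
        print(f"{label}: SSLv3 exposed on {exposed or 'nothing'}; "
              f"errors: {errors or 'none'}")
```

Run it against the real file with `audit(open("/etc/lighttpd/conf-available/10-ssl.conf").read())`; a non-empty first element means a listening socket still negotiates SSLv3, and a non-empty second element means lighttpd itself will reject the file.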