On Fri, 2016-01-01 at 18:08 +0000, Adam D. Barratt wrote: > On Tue, 2015-11-24 at 18:01 +0100, Sebastian Lohff wrote: > > I attached a new debdiff with a more meaningful changelog. > > > > +servefile (0.4.4-1~deb8u1) jessie; urgency=high > > + > > + * Upstream bugfix release > > + * Fix for path traversal bug in directory listing mode > > + * SSL hardening (prefer TLS1.2/TLS1) > > Thanks. > > + # choose TLS1.2 or TLS1, if available > + sslMethod = None > + if hasattr(SSL, "TLSv1_2_METHOD"): > + sslMethod = SSL.TLSv1_2_METHOD > + elif hasattr(SSL, "TLSv1_METHOD"): > + sslMethod = SSL.TLSv1_METHOD > > Why is TLS1.1 explicitly avoided here? Might it make more sense to > use > TLS_METHOD and SSL_OP_NO_SSLv3 and let the client and server > negotiate > the highest mutually-supported protocol? >
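Review bot: The hasattr chain in the quoted hunk pins the context to exactly one protocol version, and it skips TLSv1_1_METHOD entirely: where pyOpenSSL exposes TLSv1_2_METHOD the server only speaks TLS 1.2, and where it does not the fallback pins it to TLS 1.0 only, which is the opposite of the "SSL hardening" the changelog entry describes. The conventional way to get "highest mutually supported, SSLv3 excluded" in pyOpenSSL is the version-flexible method plus options on the context, e.g. `SSL.Context(SSL.SSLv23_METHOD)` followed by `ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)` (newer pyOpenSSL also names the flexible method TLS_METHOD, as suggested in the reply above). Separately, if neither attribute exists, sslMethod stays None, and the hunk shows no handling for that case before it is presumably passed to SSL.Context; a clear error there would be better than a TypeError at connection time.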
Ping? The above mail was sent nearly 2.5 years ago, and there's been no follow-up. The window for getting fixes into jessie before it becomes LTS closes during the coming weekend. Regards, Adam