On Tue, 2015-11-24 at 18:01 +0100, Sebastian Lohff wrote: > I attached a new debdiff with a more meaningful changelog. > > +servefile (0.4.4-1~deb8u1) jessie; urgency=high > + > + * Upstream bugfix release > + * Fix for path traversal bug in directory listing mode > + * SSL hardening (prefer TLS1.2/TLS1)
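Review bot: The "Fix for path traversal bug in directory listing mode" bullet in the quoted changelog entry carries no bug number or other reference, which makes an urgency=high fix hard to track from the changelog alone. If a bug report or advisory exists for it, cite it on that line. The "SSL hardening (prefer TLS1.2/TLS1)" bullet would also be clearer if it said whether other protocol versions remain available or are dropped.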
Thanks. + # choose TLS1.2 or TLS1, if available + sslMethod = None + if hasattr(SSL, "TLSv1_2_METHOD"): + sslMethod = SSL.TLSv1_2_METHOD + elif hasattr(SSL, "TLSv1_METHOD"): + sslMethod = SSL.TLSv1_METHOD Why is TLS1.1 explicitly avoided here? Might it make more sense to use TLS_METHOD and SSL_OP_NO_SSLv3 and let the client and server negotiate the highest mutually-supported protocol? Regards, Adam
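Review bot: sslMethod is still None after the if/elif when the SSL module exposes neither TLSv1_2_METHOD nor TLSv1_METHOD, and the quoted lines show no fallback or error for that case. Handle it explicitly, for example by refusing to start with a clear message, rather than passing None on. Separately, both constants are version-specific methods, so whichever branch is taken fixes the server to exactly one protocol version rather than setting a minimum. With TLSv1_2_METHOD a client limited to TLS 1.0 or 1.1 cannot connect, and the elif branch is reached only when the library lacks the TLS 1.2 constant, not when a client does. If a minimum version is the intent, say so in the comment and use a negotiating method with the unwanted protocols disabled through options.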