Package: lighttpd
Version: 1.4.31-4+deb7u3
Tags: patch

Hi,

looking at CVE-2014-3566 ("POODLE") it seems a very good
idea to finally disable SSL 3.0 by default ("secure by
default"). Please test attached patch.

Cheers

Christian Tacke

-- 
www.cosmokey.com
--- ./debian/conf-available/10-ssl.conf~	2014-08-18 05:39:29.000000000 +0200
+++ ./debian/conf-available/10-ssl.conf	2014-10-17 13:08:31.422963903 +0200
@@ -6,4 +6,5 @@
 
 	ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
 	ssl.honor-cipher-order = "enable"
+	ssl.use-sslv3 = "disable"
 }
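
Review bot: the added `ssl.use-sslv3 = "disable"` line at the end of the block has no comment explaining why the protocol is turned off, so an administrator who later re-enables it for a legacy client has nothing in the file pointing to CVE-2014-3566. Consider adding a one-line comment above it, for example `# SSL 3.0 disabled by default, see CVE-2014-3566 (POODLE)`. Separately, the unchanged `ssl.cipher-list` context line still lists `RC4` ahead of `HIGH`; with SSL 3.0 off by default, it is worth checking in a follow-up whether that preference is still wanted.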
