Package: tf5
Version: 5.0beta8-5+b1
Severity: important

TinyFugue, when compiled from upstream source against OpenSSL, is capable of the full set of expected ciphersuites (up to and including TLSv1.2), such as those utilizing AES-GCM and EC Diffie-Hellman. The version packaged in Debian, compiled against GnuTLS, is only capable of SSLv3/TLSv1 negotiation, and only then with servers that do not require (EC)DH negotiation. This could render the client unusable for servers that enforce more modern security policies.

TinyFugue when compiled against OpenSSL:
% Connected to (unnamed1) using cipher ECDHE-RSA-AES128-GCM-SHA256.

TinyFugue when compiled against GnuTLS, same site:
% Connected to (unnamed1) using cipher RSA_AES_128_CBC_SHA1.

-- System Information:
Debian Release: 8.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tf5 depends on:
ii libc6 2.19-18+deb8u6
ii libgnutls-openssl27 3.3.8-6+deb8u3
ii libpcre3 2:8.35-3.3+deb8u4
ii libtinfo5 5.9+20140913-1+b1
ii zlib1g 1:1.2.8.dfsg-2+b1

tf5 recommends no packages.

Versions of packages tf5 suggests:
pn spell <none>

-- no debconf information
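
Added example, not part of the original report and not TinyFugue or Debian code: a small Python check that reads tf's "Connected to ... using cipher" status lines and flags sessions negotiated without (EC)DHE key exchange or without an AEAD mode, covering both the OpenSSL-style and GnuTLS-style names shown above. The function names, the marker sets and the last three sample lines are assumptions made for illustration; TLS 1.3 suite names are out of scope.

```python
import re

# Status line format taken from the two tf outputs quoted in the report.
CONNECT_RE = re.compile(
    r"^% Connected to (?P<world>.+?) using cipher (?P<cipher>[A-Za-z0-9_-]+)\.?\s*$"
)

# Assumed marker tokens for TLS <= 1.2 suite names (TLS 1.3 names not handled).
EPHEMERAL_KX = {"ECDHE", "DHE", "EECDH", "EDH"}    # (EC)DH with ephemeral keys
AEAD_MARKERS = {"GCM", "CCM", "CCM8", "POLY1305"}  # authenticated encryption


def classify(cipher):
    """Classify a suite name written in OpenSSL ('-') or GnuTLS ('_') style."""
    tokens = set(re.split(r"[-_]", cipher.upper()))
    return {
        "forward_secrecy": bool(tokens & EPHEMERAL_KX),
        "aead": bool(tokens & AEAD_MARKERS),
    }


def audit(lines):
    """Return (world, cipher, problems) for every connect status line."""
    results = []
    for line in lines:
        m = CONNECT_RE.match(line.strip())
        if not m:
            continue  # not a TLS connect status line
        props = classify(m["cipher"])
        problems = []
        if not props["forward_secrecy"]:
            problems.append("no (EC)DHE key exchange")
        if not props["aead"]:
            problems.append("no AEAD mode (CBC or stream cipher)")
        results.append((m["world"], m["cipher"], problems))
    return results


# First two lines are the outputs quoted in the report; the rest are constructed.
SAMPLE = [
    "% Connected to (unnamed1) using cipher ECDHE-RSA-AES128-GCM-SHA256.",
    "% Connected to (unnamed1) using cipher RSA_AES_128_CBC_SHA1.",
    "% Connected to (unnamed2) using cipher DHE_RSA_AES_256_CBC_SHA1.",
    "% Connection to (unnamed3) closed.",
    "",
]

if __name__ == "__main__":
    for world, cipher, problems in audit(SAMPLE):
        print(world, cipher, "OK" if not problems else "; ".join(problems))
```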

