Control: tags -1 help

Justin Coffman <[email protected]> writes:

> Package: tf5
> Version: 5.0beta8-5+b1
> Severity: important

> TinyFugue, when compiled from upstream source against OpenSSL, is
> capable of the full set of expected ciphersuites (up to and including
> TLSv1.2), such as those utilizing AES-GCM and EC Diffie-Hellman. The
> version packaged in Debian, compiled against GnuTLS, is only capable of
> SSLv3/TLSv1 negotiation, and only then with servers that do not require
> (EC)DH negotiation. This could render the client unusable for servers
> that enforce more modern security policies.

> TinyFugue when compiled against OpenSSL:
> % Connected to (unnamed1) using cipher ECDHE-RSA-AES128-GCM-SHA256.

> TinyFugue when compiled against GnuTLS, same site:
> % Connected to (unnamed1) using cipher RSA_AES_128_CBC_SHA1.

Unfortunately, it can't be compiled against OpenSSL and included in
Debian since the licenses conflict.  (Which is why it's built against
GnuTLS.)  It's GPL without any license exception, so such a package would
be rejected by Debian ftpmaster.

Sadly, upstream was contacted about this in the past and doesn't feel the
problem warrants the effort required to correct this, so there's basically
no chance that an OpenSSL build will be possible in Debian.

Presumably there's some way to make GnuTLS negotiate the correct ciphers,
but unfortunately I don't know what it is off-hand, and probably won't
have time in the near future to do the necessary research.  Patches
welcome!

-- 
Russ Allbery ([email protected])               <http://www.eyrie.org/~eagle/>
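
Added example, not part of the original message and not TinyFugue or Debian code: a small Python check that reads the "% Connected to ... using cipher ..." status lines quoted in the report and flags connections whose suite lacks forward secrecy or an AEAD cipher, accepting both the OpenSSL-style and GnuTLS-style names shown above. The function names and the third sample line are assumptions made for illustration, and only TLS 1.2 and earlier suite names are handled.

```python
import re

# Status line printed after the TLS handshake, in the form quoted in the report.
STATUS_RE = re.compile(
    r"^% Connected to (?P<world>.+?) using cipher (?P<cipher>[A-Za-z0-9_-]+)\.$"
)

# Key-exchange tokens that give forward secrecy, and tokens that mark AEAD suites.
FS_KEY_EXCHANGE = {"ECDHE", "DHE", "EDH"}
AEAD_TOKENS = {"GCM", "CCM", "CHACHA20", "POLY1305"}


def classify(cipher):
    """Return (forward_secret, aead) for a TLS <= 1.2 suite name.

    Accepts OpenSSL-style names (dash separated) and GnuTLS-style names
    (underscore separated), with or without a leading "TLS" token.
    """
    tokens = re.split(r"[-_]", cipher.upper())
    if tokens and tokens[0] == "TLS":
        tokens = tokens[1:]
    forward_secret = bool(tokens) and tokens[0] in FS_KEY_EXCHANGE
    aead = any(t in AEAD_TOKENS for t in tokens)
    return forward_secret, aead


def audit(lines):
    """Return [(world, cipher, findings)] for connections using a weak suite."""
    flagged = []
    for line in lines:
        m = STATUS_RE.match(line.strip())
        if not m:
            continue  # not a connection status line
        forward_secret, aead = classify(m["cipher"])
        findings = []
        if not forward_secret:
            findings.append("no forward secrecy")
        if not aead:
            findings.append("non-AEAD cipher")
        if findings:
            flagged.append((m["world"], m["cipher"], findings))
    return flagged


# The first two lines are the ones quoted in the report; the third is constructed.
SAMPLE = [
    "% Connected to (unnamed1) using cipher ECDHE-RSA-AES128-GCM-SHA256.",
    "% Connected to (unnamed1) using cipher RSA_AES_128_CBC_SHA1.",
    "% Connection to (unnamed1) closed.",
]

if __name__ == "__main__":
    for world, cipher, findings in audit(SAMPLE):
        print(f"{world}: {cipher}: {', '.join(findings)}")
```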
