On Fri, 2016-01-01 at 18:08 +0000, Adam D. Barratt wrote:
> On Tue, 2015-11-24 at 18:01 +0100, Sebastian Lohff wrote:
> > I attached a new debdiff with a more meaningful changelog.
> > +servefile (0.4.4-1~deb8u1) jessie; urgency=high
> > +
> > + * Upstream bugfix release
> > + * Fix for path traversal bug in directory listing mode
> > + * SSL hardening (prefer TLS1.2/TLS1)
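Review bot: the two bugfix lines in this changelog entry carry no Debian bug number or CVE id, so the path traversal fix cannot be matched against the security tracker; stable-update changelogs should name the bug (a "Closes: #NNNNNN" reference, NNNNNN being a placeholder here) or the CVE id for that fix, and the "SSL hardening (prefer TLS1.2/TLS1)" line should state which protocol versions are excluded as a result, since "prefer" does not convey that the code only ever selects a single version.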
> + # choose TLS1.2 or TLS1, if available
> + sslMethod = None
> + if hasattr(SSL, "TLSv1_2_METHOD"):
> + sslMethod = SSL.TLSv1_2_METHOD
> + elif hasattr(SSL, "TLSv1_METHOD"):
> + sslMethod = SSL.TLSv1_METHOD
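Review bot: `sslMethod` is left as `None` when neither `TLSv1_2_METHOD` nor `TLSv1_METHOD` is available, so the chain needs a final `else` that either picks an explicit fallback or raises a clear error before the value is used to build the context. The version-specific methods also accept exactly one protocol version, so a server built on `TLSv1_2_METHOD` rejects TLS 1.1 and TLS 1.0 clients outright rather than negotiating down, and the `TLSv1_METHOD` branch caps the server at TLS 1.0 even where newer versions exist; the version-flexible method (`SSLv23_METHOD`, or `TLS_METHOD` where the binding provides it) combined with `OP_NO_SSLv2` and `OP_NO_SSLv3` set on the context yields the highest mutually supported version while still keeping SSLv2/SSLv3 out.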
> Why is TLS1.1 explicitly avoided here? Might it make more sense to use
> TLS_METHOD and SSL_OP_NO_SSLv3 and let the client and server negotiate
> the highest mutually-supported protocol?
The above mail was sent nearly 2.5 years ago, and there's been no
follow-up. The window for getting fixes into jessie before it becomes
LTS closes during the coming weekend.