[Ach] Logjam: Missing Debian Stable "Features"

Adi Kriegisch adi at kriegisch.at
Thu May 21 12:21:55 CEST 2015


> Should we actually discourage using Debian stable? ;)
I actually thought about that myself and use nginx from backports
whereever I can (which includes proxying apache on localhost
through nginx)...
This gives all the nice features bettercrypto suggests.
> Regarding logjam, DH recommendations have been in better crypto for a
> while. But if we cross-check the default apache in debian, only the
> April, 25th stable release "Jessie" even allows setting the
> "SSLOpenSSLConfCmd" command...
Correct. Therefor I filed this bug: 
> I remember a similar scenario last year about available openssh ciphers
> and exchanges.
use openssh from backports... even supports ed25519.
What is still missing in backports.d.o is an exim that is linked against a
more recent (available in backports) gnutls. The same applys to openldap &

> I mean: not backporting such "new features" is actually a security risk
> in that context.
Yes. But backporting leaves the risk of doing it wrong or missing bits or
pieces... :-/

-- Adi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 827 bytes
Desc: Digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20150521/2ccebe3f/attachment.sig>

More information about the Ach mailing list