On Sat, 2011-04-16 at 18:05 +0200, Nikos Mavrogiannopoulos wrote: > On 04/16/2011 05:54 PM, Andreas Metzler wrote: > > > thank you for taking the time to test the packages in experimental. I > > can reproduce the bug. > > > > For clarification it is not caused by libgcrypt11 from experimental, > > libgnutls26 2.12.2-1 with stable libgcrypt11 also fails. Attached > > verbose log is not a lot more enlightening. > > d3nwyuy0nl342s.cloudfront.net seems to support only one ciphersuite. > That is ARCFOUR-128 with HMAC-MD5. I disabled HMAC-MD5 from the default > set in 2.12.0 because it is not really trusted as an HMAC any more. > If however this is widespread issue I'll reinstate HMAC-MD5 and > remove it when a real attack is known.
I've seen the issue in quite a few prominent web sites, though the only one I have off the top of my mind currently is github, so I think restoring HMAC-MD5 is probably wise for the time being, for compatibility, indeed. Cheers, -- Gustavo Noronha Silva <k...@debian.org> Debian Project -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
