Your message dated Sun, 24 Jul 2011 19:41:26 +0200
with message-id <201107241941.26390...@sfritsch.de>
and subject line Re: Bug#635271: please enable SSLEngine optional
has caused the Debian Bug report #635271,
regarding please enable SSLEngine optional
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
635271: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635271
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.2.16-6+squeeze1
Severity: wishlist
Recent versions of Apache support RFC 2817, which allows HTTP software to
'upgrade' connections from non-encrypted to encrypted status; it is sometimes
referred to as StartTLS for HTTP.
http://tools.ietf.org/html/rfc2817
This is toggled by specifying "optional" on the SSLEngine directive:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslengine
While currently no web browsers support it, I think this is a chicken-and-egg
problem: if no web sites have it, there's no reason for web clients to have
it; if no clients do, then why enable it?
If a web server is willing to serve TLS web data from port 443 (HTTPS), then
there's no reason why it shouldn't also allow TLS web data on port 80.
The contents should be akin to the following:
<IfModule mod_ssl.c>
    SSLEngine optional
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
</IfModule>
A larger change (perhaps for wheezy) could be to put all certificate
information into a separate area (certs.conf, certs.d/) and use an Include
directive to pull things in. This would allow for only one file to be edited,
and if you have multiple certs on one host (via SNI), it'd allow each one to be
put in a separate file.
--- End Message ---
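The exchange the report refers to, modelled offline as an added example (not part of the bug report, the Debian package, or Apache's own code): a client asks to switch the connection to TLS with an RFC 2817 Upgrade request, and a server running in one of the three SSLEngine modes answers. The response for `SSLEngine on` receiving cleartext (400) and the 426 handling are this example's own modelling of the RFC and of Apache's documented behaviour; the function names, the hostname and the status mapping are assumptions for illustration.

```python
"""RFC 2817 'Upgrade: TLS/1.0' exchange, modelled offline.

Added example, not code from the Debian bug report or from Apache.  It
builds the client request, parses either side's message, and models how a
server configured with SSLEngine off / optional / on answers before any TLS
handshake starts.  Header names, status codes and the overall shape follow
RFC 2817; the SSLEngine mapping is this example's own assumption.
"""
from __future__ import annotations

from dataclasses import dataclass

CRLF = "\r\n"


def build_upgrade_request(host: str, target: str = "*", method: str = "OPTIONS") -> bytes:
    """Client side (RFC 2817 s.3.1): ask to switch this connection to TLS."""
    lines = [
        f"{method} {target} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: TLS/1.0",
        "Connection: Upgrade",  # Upgrade is hop-by-hop, so it must be listed here
    ]
    return (CRLF.join(lines) + CRLF + CRLF).encode("ascii")


@dataclass
class ParsedMessage:
    start_line: str
    headers: dict[str, str]  # header names lower-cased


def parse_message(raw: bytes) -> ParsedMessage:
    """Split an HTTP/1.1 request or response head into start line and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    start, *header_lines = head.split(CRLF)
    headers: dict[str, str] = {}
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return ParsedMessage(start, headers)


def _tokens(value: str) -> list[str]:
    """Comma-separated header value -> lower-cased tokens."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def requests_tls_upgrade(msg: ParsedMessage) -> bool:
    """True when the request carries 'Upgrade: TLS/1.0' and names Upgrade in Connection."""
    return ("tls/1.0" in _tokens(msg.headers.get("upgrade", ""))
            and "upgrade" in _tokens(msg.headers.get("connection", "")))


def server_response(raw_request: bytes, ssl_engine: str) -> bytes:
    """Server side, modelling the three SSLEngine settings (assumed mapping).

    'off'      -> plain HTTP only; the Upgrade header is ignored (RFC 2817 permits this).
    'optional' -> accept the upgrade with 101 Switching Protocols; TLS handshake follows.
    'on'       -> TLS from the first byte, so a cleartext request is not valid on that
                  port at all; modelled here as 400 Bad Request.
    """
    req = parse_message(raw_request)
    if ssl_engine == "on":
        return f"HTTP/1.1 400 Bad Request{CRLF}Connection: close{CRLF}{CRLF}".encode()
    if ssl_engine == "optional" and requests_tls_upgrade(req):
        return (f"HTTP/1.1 101 Switching Protocols{CRLF}"
                f"Upgrade: TLS/1.0, HTTP/1.1{CRLF}"
                f"Connection: Upgrade{CRLF}{CRLF}").encode()
    # 'off', or 'optional' with a request that did not ask to upgrade
    return f"HTTP/1.1 200 OK{CRLF}Content-Length: 0{CRLF}{CRLF}".encode()


def classify_response(raw_response: bytes) -> str:
    """What the client should do next, given the server's answer."""
    resp = parse_message(raw_response)
    status = resp.start_line.split(" ", 2)[1]
    if status == "101" and "tls/1.0" in _tokens(resp.headers.get("upgrade", "")):
        return "upgraded"          # begin the TLS handshake on this same socket
    if status == "426":
        return "upgrade-required"  # RFC 2817 s.4.2: server insists on TLS first
    if status[0] in "45":
        return "refused"           # no upgrade and no cleartext service either
    return "cleartext"             # server ignored the Upgrade header; stay in plain HTTP
```

The `Connection: Upgrade` line matters for the proxy objection raised later in the thread: Upgrade is a hop-by-hop header, so an intermediary that does not itself implement RFC 2817 strips it or answers for its own connection only, and the origin server never sees the request to upgrade.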
--- Begin Message ---
On Sunday 24 July 2011, David Magda wrote:
> Recent versions of Apache support RFC 2817, which allows HTTP
> software to 'upgrade' connections from non-encrypted to encrypted
> status; it is sometimes referred to as StartTLS for HTTP.
>
> http://tools.ietf.org/html/rfc2817
>
> This is toggled by specifying "optional" on the SSLEngine
> directive:
>
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslengine
>
> While currently no web browsers support it, I think this is a
> chicken-and-egg problem: if no web sites have it, there's no
> reason for web clients to have it; if no clients do, then why
> enable it?
No, in this case it's not a chicken-and-egg problem. The problem is
that the browser vendors don't want it [1] because it doesn't fit the
way users or web apps request secure connections. And I don't think it
would work over proxies, anyway. Therefore I don't see any value in
enabling this in the default configuration. Closing.
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=276813
--- End Message ---