Re: Diffie-Hellman group parameters 1024 bit and Perfect Forward Secrecy
Hi, As far as I can see, this got no reply yet from an apache dev. Why the silence? Could at least someone comment? On Fri, 28 Jun 2013 09:46:27 +0200 Hanno Böck ha...@hboeck.de wrote: There's been a patch in bugzilla for a while to allow user-defined DH parameters, however it hasn't gotten any attention by apache developers yet: https://issues.apache.org/bugzilla/show_bug.cgi?id=49559 To be more precise: - Has anyone with commit permissions reviewed the patch yet? - What needs to happen that it can be committed? I really think this is a relevant security issue that should be worked on. cu, -- Hanno Böck http://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: BBB51E42 signature.asc Description: PGP signature
Re: [discussion] Release 2.0.65 [the final frontier]
Hi Bill, On 02.07.2013 01:47, wr...@rowe-clan.net wrote: I am not at all concerned whether APR 0.9 is released again or not since folks had years to take that up in our discussions of putting httpd 2.0 to bed, yet nobody so much as suggested a release, nevermind some volunteer to act on it. true; but I thought that most of us probably forgot about that we bundle APR/APU with 2.0.x - like I did; the lack of APR/APU fixes came only to my attention when I was on building the 2.0.65 binaries ... but since nobody else expressed an oppinion about then thats fine, and I shut up. or if you have concurred with the group consensus to let this story end as of Jun 2013. I have. Just did put the NetWare bins up; go ahead and release. Gün.
Re: [discussion] Release 2.0.65 [the final frontier]
Hi, Maybe the simple option is to do the final release with the old/existing bundled APR, but put a foot note in the release notes that the newer APR v1.4.8/1.5.2 has been confirmed to successfully work with 2.0.65. This way it may give confidence to anyone who is stuck on 2.0.x for some reason to use the newer APR/APR-util if needs be. Regards, Mike On 02/07/2013 13:06, Guenter Knauf wrote: Hi Bill, On 02.07.2013 01:47, wr...@rowe-clan.net wrote: I am not at all concerned whether APR 0.9 is released again or not since folks had years to take that up in our discussions of putting httpd 2.0 to bed, yet nobody so much as suggested a release, nevermind some volunteer to act on it. true; but I thought that most of us probably forgot about that we bundle APR/APU with 2.0.x - like I did; the lack of APR/APU fixes came only to my attention when I was on building the 2.0.65 binaries ... but since nobody else expressed an oppinion about then thats fine, and I shut up. or if you have concurred with the group consensus to let this story end as of Jun 2013. I have. Just did put the NetWare bins up; go ahead and release. Gün.
Re: [discussion] Release 2.0.65 [the final frontier]
On Tue, Jul 2, 2013 at 8:53 AM, MikeM michaelm12-asfbugzi...@aquaorange.net wrote: Hi, Maybe the simple option is to do the final release with the old/existing bundled APR, but put a foot note in the release notes that the newer APR v1.4.8/1.5.2 has been confirmed to successfully work with 2.0.65. This way it may give confidence to anyone who is stuck on 2.0.x for some reason to use the newer APR/APR-util if needs be. APR/APR-util 1.x won't work with httpd 2.0.x. Someone continuing to use 2.0.x will need to hand-pick or backport fixes from apr/apr-util 0.9.x or later levels. But then they'll have to backport fixes from httpd too. The line was drawn at slightly different places for httpd vs. apr/apr-util, but the long term picture is the same: There is effort to remain on httpd 2.0.x if you want to pick up any code fixes, and the recommendation is clear. Regards, Mike On 02/07/2013 13:06, Guenter Knauf wrote: Hi Bill, On 02.07.2013 01:47, wr...@rowe-clan.net wrote: I am not at all concerned whether APR 0.9 is released again or not since folks had years to take that up in our discussions of putting httpd 2.0 to bed, yet nobody so much as suggested a release, nevermind some volunteer to act on it. true; but I thought that most of us probably forgot about that we bundle APR/APU with 2.0.x - like I did; the lack of APR/APU fixes came only to my attention when I was on building the 2.0.65 binaries ... but since nobody else expressed an oppinion about then thats fine, and I shut up. or if you have concurred with the group consensus to let this story end as of Jun 2013. I have. Just did put the NetWare bins up; go ahead and release. Gün. -- Born in Roswell... married an alien... http://emptyhammock.com/
Re: [discussion] Release 2.0.65 [the final frontier]
Hi Oh I see - I had not realised this. In that case, I agree that sticking with 0.9.x is the only sensible option at this point in time :) Mike On 02/07/2013 14:35, Jeff Trawick wrote: On Tue, Jul 2, 2013 at 8:53 AM, MikeM michaelm12-asfbugzi...@aquaorange.net mailto:michaelm12-asfbugzi...@aquaorange.net wrote: Hi, Maybe the simple option is to do the final release with the old/existing bundled APR, but put a foot note in the release notes that the newer APR v1.4.8/1.5.2 has been confirmed to successfully work with 2.0.65. This way it may give confidence to anyone who is stuck on 2.0.x for some reason to use the newer APR/APR-util if needs be. APR/APR-util 1.x won't work with httpd 2.0.x. Someone continuing to use 2.0.x will need to hand-pick or backport fixes from apr/apr-util 0.9.x or later levels. But then they'll have to backport fixes from httpd too. The line was drawn at slightly different places for httpd vs. apr/apr-util, but the long term picture is the same: There is effort to remain on httpd 2.0.x if you want to pick up any code fixes, and the recommendation is clear. Regards, Mike On 02/07/2013 13:06, Guenter Knauf wrote: Hi Bill, On 02.07.2013 01:47, wr...@rowe-clan.net mailto:wr...@rowe-clan.net wrote: I am not at all concerned whether APR 0.9 is released again or not since folks had years to take that up in our discussions of putting httpd 2.0 to bed, yet nobody so much as suggested a release, nevermind some volunteer to act on it. true; but I thought that most of us probably forgot about that we bundle APR/APU with 2.0.x - like I did; the lack of APR/APU fixes came only to my attention when I was on building the 2.0.65 binaries ... but since nobody else expressed an oppinion about then thats fine, and I shut up. or if you have concurred with the group consensus to let this story end as of Jun 2013. I have. Just did put the NetWare bins up; go ahead and release. Gün. -- Born in Roswell... married an alien... http://emptyhammock.com/