On Tue, May 5, 2015 at 3:19 AM, wrote:
> Author: wrowe
> Date: Tue May 5 01:19:20 2015
> New Revision: 1677721
>
> URL: http://svn.apache.org/r1677721
[]
> Modified: httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/doc
On Thu, Apr 30, 2015 at 11:52 PM, William A Rowe Jr wrote:
>
> Concerns / observations / thoughts?
I'd like to propose those 2.4.x CHANGES (r1542327+r1569005+r1542327)
for backport to 2.2.x (in reverse order):
*) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
larger keys a
On Tue, May 5, 2015 at 9:03 AM, Yann Ylavic wrote:
> But is there real 2.2.x user with OpenSSL < 0.9.8a?
I'm no expert (we use a proprietary toolkit and SSL module where I
spend most of my time), but that seems like quite an extreme thing to
preserve in 2.2.x. Maybe worth a separate thread thoug
I'd like to propose those 2.4.x CHANGES (r1542327+r1569005+r1542327)
for backport to 2.2.x (in reverse order):
*) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
larger keys and support up to 8192-bit keys. [Ruediger Pluem,
Joe Orton]
*) mod_ssl: Improve handling of
On Tue, May 5, 2015 at 3:08 PM, Eric Covener wrote:
> On Tue, May 5, 2015 at 9:03 AM, Yann Ylavic wrote:
>> But is there real 2.2.x user with OpenSSL < 0.9.8a?
>
> I'm no expert (we use a proprietary toolkit and SSL module where I
> spend most of my time), but that seems like quite an extreme thi
On Tue, May 5, 2015 at 2:47 AM, Yann Ylavic wrote:
> On Tue, May 5, 2015 at 3:19 AM, wrote:
>> Author: wrowe
>> Date: Tue May 5 01:19:20 2015
>> New Revision: 1677721
>>
>> URL: http://svn.apache.org/r1677721
> []
>> Modified: httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in
>> URL:
On Tue, May 5, 2015 at 8:08 AM, Eric Covener wrote:
> On Tue, May 5, 2015 at 9:03 AM, Yann Ylavic wrote:
> > But is there real 2.2.x user with OpenSSL < 0.9.8a?
>
> I'm no expert (we use a proprietary toolkit and SSL module where I
> spend most of my time), but that seems like quite an extreme t
On Tue, May 5, 2015 at 11:26 AM, William A Rowe Jr
wrote:
>
> openssl ciphers -v 'ALL:!HIGH:!MEDIUM' | grep exp
>
After further scrutiny...
openssl ciphers -v 'ALL:!HIGH:!MEDIUM:!LOW' | grep exp
export falls under 'none of the above'.
On Tue, May 5, 2015 at 6:26 PM, William A Rowe Jr wrote:
> On Tue, May 5, 2015 at 2:47 AM, Yann Ylavic wrote:
>> On Tue, May 5, 2015 at 3:19 AM, wrote:
>
>>> +SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
>
>>> +#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
>
>> There possibly should be "
Possible backport patch attached.
On Tue, May 5, 2015 at 3:14 PM, Yann Ylavic wrote:
> I'd like to propose those 2.4.x CHANGES (r1542327+r1569005+r1542327)
> for backport to 2.2.x (in reverse order):
>
> *) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
> larger keys and su
On Tue, May 5, 2015 at 12:06 PM, Yann Ylavic wrote:
> On Tue, May 5, 2015 at 6:26 PM, William A Rowe Jr
> wrote:
> > On Tue, May 5, 2015 at 2:47 AM, Yann Ylavic
> wrote:
> >> On Tue, May 5, 2015 at 3:19 AM, wrote:
> >>
> >> Also I'd suggest removing RC4 from the latter suite, it is not
> >> c
On Tue, May 5, 2015 at 1:28 PM, William A Rowe Jr wrote:
> Was hoping for md4 vs. aes128 comparisons, (and AES-NI isn't everywhere,
> but will be, soon enough).
>
> While I agree md4 is less desirable, if we were going to make a
> recommendation,
> I'd go with favoring aes128 over md4 but retain m
On Tue, May 5, 2015 at 12:35 PM, Eric Covener wrote:
> On Tue, May 5, 2015 at 1:28 PM, William A Rowe Jr
> wrote:
> > Was hoping for md4 vs. aes128 comparisons, (and AES-NI isn't everywhere,
> > but will be, soon enough).
> >
> > While I agree md4 is less desirable, if we were going to make a
>
On Tue, May 5, 2015 at 7:28 PM, William A Rowe Jr wrote:
>
> Was hoping for md4 vs. aes128 comparisons, (and AES-NI isn't everywhere,
> but will be, soon enough).
On my box with AES-NI disabled:
$ openssl speed aes-128-cbc
Doing aes-128 cbc for 3s on 16 size blocks: 14536333 aes-128 cbc's in 3.00
Please note that the primes constants in modules/ssl/ssl_engine_dh.c
are from openssl/crypto/bn/bn_const.c.
FWIW, attached is a (stripped) diff between the two files that shows
constants are the same...
On Tue, May 5, 2015 at 7:12 PM, Yann Ylavic wrote:
> Possible backport patch attached.
>
> On
I haven't used apache 2.2, but isn't OCSP stapling support still
missing there?
I think if you're already working on backporting important TLS features
that should certainly go with them.
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
pgpNXAgtjh1Er.pgp
Description:
On Tue, May 5, 2015 at 3:06 PM, Hanno Böck wrote:
> I haven't used apache 2.2, but isn't OCSP stapling support still
> missing there?
>
> I think if you're already working on backporting important TLS features
> that should certainly go with them.
My own line for 2.2 would be drawn somewhere bet
On 2015-05-05 15:03, Yann Ylavic wrote:
> On Thu, Apr 30, 2015 at 11:52 PM, William A Rowe Jr
> wrote:
>>
>> Concerns / observations / thoughts?
>
> I'd like to propose those 2.4.x CHANGES (r1542327+r1569005+r1542327)
> for backport to 2.2.x (in reverse order):
>
> *) mod_ssl: Fix tmp DH para
On May 5, 2015 4:31 PM, "olli hauer" wrote:
>
> Perhaps it is also a good time do kick SSLv2 support from 2.2.x ;)
We are deliberately not that disruptive to users. Our goal is to push more
secure code at users, but not at the risk of their electing to not update,
due to such blunt force. A sub
19 matches
Mail list logo
