Re: SSL/TLS best current practice

2015-05-06 Thread William A Rowe Jr
On May 6, 2015 9:09 PM, "William A Rowe Jr" wrote: > > > On May 6, 2015 8:12 PM, "Noel Butler" wrote: > > > > On 07/05/2015 09:22, William A Rowe Jr wrote: > >> > >> > >> For trunk, I propose we drop TLSv1 and TLSv1.1 protocols and simply adopt the recommended cipher list illustrated below (!SSLv

Re: SSL/TLS best current practice

2015-05-06 Thread William A Rowe Jr
On May 6, 2015 8:12 PM, "Noel Butler" wrote: > > On 07/05/2015 09:22, William A Rowe Jr wrote: >> >> >> For trunk, I propose we drop TLSv1 and TLSv1.1 protocols and simply adopt the recommended cipher list illustrated below (!SSLv3) in the default extra/httpd-ssl.conf source, following the SHOULD

Re: SSL/TLS best current practice

2015-05-06 Thread Noel Butler
On 07/05/2015 09:22, William A Rowe Jr wrote: > For trunk, I propose we drop TLSv1 and TLSv1.1 protocols and simply adopt the > recommended cipher list illustrated below (!SSLv3) in the default > extra/httpd-ssl.conf source, following the SHOULD recommendations. unless trunk is for the 2.6

Re: Solving mutex concerns with OCSP stapling

2015-05-06 Thread Jeff Trawick
On 05/03/2015 09:58 PM, Jeff Trawick wrote: Your thoughts on the following? Current OCSP behavior that I think needs to be fixed: mod_ssl holds the single stapling global mutex when looking up a cached entry, deserializing it, checking validity, and (when missing/expired) communicating with

Re: Balancer manager

2015-05-06 Thread Daniel Ruggeri
(oops - saw this sitting in the outbox for the past week - sorry for slow reply) These were the notes I took. I was going to start biting them off after I wrapped up splitting/editing the recordings from the ACNA talks: *Ensuring all stats showed up on the page (I don't recall if any stuck out tha

Re: SSL/TLS best current practice

2015-05-06 Thread William A Rowe Jr
Here is my proposed global config for httpd.conf.in for 2.4 and 2.2, which I believe mirrors the 'MUST' of RFC 7525. This includes restoring the SSLProtocol -SSLv3 for 2.4 so that it is plainly visible, irrespective of system defaults. For trunk, I propose we drop TLSv1 and TLSv1.1 protocols and s
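
As an added example for this message and the replies to it above (not httpd project code, and not the cipher list the message refers to, which is cut off in this excerpt): a small Python audit that parses httpd's SSLProtocol directive with mod_ssl's +/- semantics, expands SSLCipherSuite through the local OpenSSL via the ssl module, and reports where a fragment misses RFC 7525's MUST NOT rules (SSLv2/SSLv3, RC4, NULL encryption, suites under 112 bits) and SHOULD NOT rules (TLS 1.0/1.1). The two configuration fragments and the hardened cipher string are constructed for the example; the "all" shortcut is modelled with httpd 2.4 semantics (never includes SSLv2), which is an assumption flagged in the code, and the cipher results depend on the OpenSSL build Python is linked against.

```python
"""Audit an httpd/mod_ssl config fragment against RFC 7525 (added example, not httpd code)."""
import ssl
from typing import List, Optional, Set

# Assumption: httpd 2.4 semantics, where "all" never includes SSLv2 (httpd 2.2's "all" did).
ALL_24 = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANONICAL = {p.lower(): p for p in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")}

# Constructed samples: a weak fragment beside the hardened one the thread argues for.
WEAK_CONF = """\
SSLEngine on
SSLProtocol all
SSLCipherSuite DEFAULT
"""

HARDENED_CONF = """\
SSLEngine on
# RFC 7525 3.1.1: MUST NOT negotiate SSLv2/SSLv3, SHOULD NOT TLS 1.0/1.1, MUST support TLS 1.2
SSLProtocol -all +TLSv1.2
# RFC 7525 4.1: no NULL encryption, no RC4, nothing under 112 bits (export grade)
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!3DES:!MD5:!PSK:!SRP:!DSS
SSLHonorCipherOrder on
"""


def last_directive(conf: str, name: str) -> Optional[str]:
    """Argument string of the last occurrence of a directive (httpd names are case-insensitive)."""
    value = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            value = parts[1].strip()
    return value


def parse_sslprotocol(value: str, all_protocols: Set[str] = ALL_24) -> Set[str]:
    """mod_ssl rules: '+' adds, '-' removes, a bare token replaces the set and is only legal first."""
    enabled: Set[str] = set()
    for word in value.split():
        action, token = (word[0], word[1:]) if word[:1] in ("+", "-") else ("", word)
        if token.lower() == "all":
            members = set(all_protocols)
        elif token.lower() in CANONICAL:
            members = {CANONICAL[token.lower()]}
        else:
            raise ValueError("SSLProtocol: unknown protocol %r" % token)
        if action == "+":
            enabled |= members
        elif action == "-":
            enabled -= members
        elif enabled:
            raise ValueError("SSLProtocol: %r overrides already set protocols; +/- prefix missing?" % word)
        else:
            enabled = members
    return enabled


def protocol_findings(conf: str) -> List[str]:
    """RFC 7525 section 3.1.1 checks on the effective SSLProtocol set."""
    value = last_directive(conf, "SSLProtocol")
    if value is None:
        return ["no explicit SSLProtocol: the negotiable set is whatever this build defaults to"]
    enabled = parse_sslprotocol(value)
    findings = ["MUST NOT: %s is negotiable (RFC 7525 3.1.1)" % p for p in ("SSLv2", "SSLv3") if p in enabled]
    findings += ["SHOULD NOT: %s is negotiable (RFC 7525 3.1.1)" % p for p in ("TLSv1", "TLSv1.1") if p in enabled]
    if "TLSv1.2" not in enabled:
        findings.append("MUST: TLSv1.2 is not negotiable (RFC 7525 3.1.1)")
    return findings


def cipher_findings(conf: str) -> List[str]:
    """RFC 7525 section 4.1 checks on the suites the local OpenSSL expands SSLCipherSuite to."""
    spec = last_directive(conf, "SSLCipherSuite") or "DEFAULT"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches, like mod_ssl at startup
    findings = []
    for c in ctx.get_ciphers():
        name = c["name"]
        if "RC4" in name:
            findings.append("MUST NOT: RC4 suite %s (RFC 7525 4.1)" % name)
        elif "NULL" in name:
            findings.append("MUST NOT: NULL-encryption suite %s (RFC 7525 4.1)" % name)
        elif name.startswith(("ADH-", "AECDH-")):
            findings.append("anonymous suite %s: no server authentication" % name)
        elif c["strength_bits"] < 112:
            findings.append("MUST NOT: %s offers under 112 bits (RFC 7525 4.1)" % name)
        elif c["strength_bits"] < 128:
            findings.append("SHOULD NOT: %s offers under 128 bits (RFC 7525 4.1)" % name)
    if (last_directive(conf, "SSLHonorCipherOrder") or "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is off: the client's preference order wins")
    return findings


def audit(conf: str) -> List[str]:
    return protocol_findings(conf) + cipher_findings(conf)


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

Run against a real extra/httpd-ssl.conf by reading the file into `audit()`; the protocol part is deterministic, while the cipher part reports what the OpenSSL on that host actually selects, which is the set that matters for the running server.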

Re: Proposal/RFC: "informed" load balancing

2015-05-06 Thread Sudheer Vinukonda
A few comments (mainly on the proposal to piggy-back the load info header in the responses):
*) The mechanism may not work in certain setups of the SLB (e.g. DSR)
*) For TLS, I presume this proposal assumes that the connections are terminated at the SLB layer?
*) How does the proposal apply to new

SSL/TLS best current practice

2015-05-06 Thread Steffen
Maybe already known. The SSL/TLS best current practice RFC has been approved: https://www.rfc-editor.org/rfc/rfc7525.txt Steffen