On Tue 2015-06-09 13:43:59 -0400, Roy T. Fielding wrote:
> WRT renegotiation, it is fair to say that the WG punted on the idea
> due to lack of time. If someone figures out a way to safely
> renegotiate an h2 connection (and all of its streams), then go ahead
> and implement it, describe it in an
On 08/05/2014 09:06 PM, Simo Sorce wrote:
> Yeah I know it is broken, does it mean you want to have it disabled and
> return an error if requested until a fixed openssl library/call is
> available ?
Not only did i not have a concrete proposal, I don't have any particular
say in the matter -- i'm n
On 08/05/2014 06:24 PM, Simo Sorce wrote:
> I have been working for a little while on making it possible to use
> channel bindings within an Apache server.
> In order to do that some support to extract information form the TLS
> layer is necessary in the server.
This is great idea, but be aware t
On 04/22/2014 08:57 AM, Ligade, Shailesh [USA] wrote:
> I think by default, the certificate hint list asks for client authentication
> certificates. Is there any configuration option to ask for different types of
> certificates? e.g. signing or encryption certificates?
In TLS, the client's secr
On 04/18/2014 08:34 AM, Falco Schwarz wrote:
> As of httpd-2.4.7 the strength of DH temp keys is determined by the private
> key's bit length. I recently noticed the following behavior (using
> httpd-2.4.9 and openssl-1.0.2-beta2-dev):
>
> I am using multiple certificates for one VHost (ECC and RS
On 04/14/2014 07:08 AM, Jeff Trawick wrote:
> (not to say there aren't complications, like trying to keep system
> directories out of rpath)
I think that you're asking for mod_ssl to add an openssl-specific
directory to its rpath.
in general, i would discourage this; at the least, it needs to be
On Sun 2014-02-09 02:15:37 -0500, Kaspar Brand wrote:
> On 07.02.2014 01:58, Daniel Kahn Gillmor wrote:
>> As part of the goal of dropping encrypted private key support, have you
>> considered using an agent-based framework for private keys?
>
> I haven't, no, since a
On 03/27/2014 12:37 PM, Rob Stradling wrote:
> On 26/03/14 16:46, Daniel Kahn Gillmor wrote:
>
>> it doesn't even need to fetch the certificate itself, it could just make
>> the big noisy error log say "you should fetch the cert from and
>> append it to &qu
On 03/27/2014 09:27 AM, Emilia Kasper wrote:
> HPKP can never work this way. Pin validation is always done on top of
> normal TLS validation and can only invalidate an otherwise valid connection
> and never the other way around. Otherwise I could trivially hijack
> connections by pinning sites to a
On 03/26/2014 11:29 AM, Emilia Kasper wrote:
> Cross-signing happens all the time but afaik the other way around, i.e., an
> intermediate Y' corresponding to a _newer_ root cert Y is cross-signed by
> some _older_ root cert Z. So an old client would usually know only Z and a
> newer client would kn
On 03/26/2014 07:11 AM, Emilia Kasper wrote:
> The patch fixes a) by sanity-checking the chain and chopping self-signed
> roots. I believe it's harmless to turn on by default as the rebuild step
> will either yield a valid chain or preserve the original configuration.
I like this suggestion. with
On 02/18/2014 08:14 AM, Pavel Matěja wrote:
> There is one big risk when someone uses reverse HTTPS proxy with ServerAlias.
>
> Let's say you have on both - backend and proxy servers options:
> ServerName www.example.com
> ServerAlias example.com
>
> In old non-SNI days everything was working just
Hi, i'm trying to revive mod_gnutls and bring it up to date with current
apache module practices, and i'd like to use apache 2.4's mod_auth
framework for user authentication via client-side certificates. i'm
limiting the scope of this question to authentication because i do not
have a good use cas
On 02/05/2014 02:44 AM, Kaspar Brand wrote:
> On 05.02.2014 08:25, Brian Smith wrote:
>> It would be possible for a server to fetch and staple the OCSP
>> response only using the information from the server's end-entity
>> certificate.
>
> Actually no - you can't properly fill in the CertID for th
On 02/06/2014 12:35 AM, Kaspar Brand wrote:
> On 05.02.2014 18:13, Falco Schwarz wrote:
>> Kaspar, I ran into another issue when using an encrypted private key and
>> "SSLOpenSSLConfCmd PrivateKey".
>> Again it fails to load the encrypted private key with the following errors:
>
> That's by desig
On 12/31/2013 01:19 PM, Graham Leggett wrote:
> It is also a statement of what keys have historically been used to sign past
> artifacts, and that is just as important.
These are distinct things, though. It would be great if the apache
project could separately identify which keys are going to be
On 12/26/2013 06:18 PM, Nick Kew wrote:
> You're ahead of us. Individual Apache folks like Jim have taken
> responsibility and moved to 4096-bit keys, but we haven't as a
> community had the discussion that might lead to pruning KEYS.
> My inclination is to say NO to requiring anyone to remove old
Hi apache folks--
In http://bugs.debian.org/732450, debian is preparing to
cryptographically verify OpenPGP signatures on apache upstream tarballs.
As part of the discussion, it's become clear that some of the keys in
https://www.apache.org/dist/httpd/KEYS are weak by any modern
consideration of
Hi Apache folks--
Just a heads-up to let you know that i've requested a CVE for
mod_fcgid's 2.3.6 (the current release) due to possible DoS based on the
module not respecting administrator-configured limits:
http://www.openwall.com/lists/oss-security/2012/03/15/10
The issue is fixed in r103