ere is no way to fall back to
the old unreliable mechanism if you want to have it secure.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
rnResponderErrors. Unless I'm missing something I
don't see any situation in which stapling OCSP errors is desirable.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
don't want to give contact info on
a public mailing list.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
's an
effort to improve the situation.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
omeone has yet
to show that they are abused in practice. But preventing deployment of a
new compression algorithm doesn't help. You'd have to disable
compression altogether to avoid them.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
+ (setting[4] == '1' && setting[5] > '7') ||
setting[6] != '$') {
__set_errno(EINVAL);
return NULL;
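Review bot: the added bound `(setting[4] == '1' && setting[5] > '7')` only rejects a leading '1' followed by a digit above '7', so on its own it lets through any two-digit value whose first digit is '2' or higher. That is safe only if a condition above the visible lines already rejects setting[4] > '1', which is worth confirming in the full hunk. The limit is also written as two bare character literals, so a short comment stating the intended maximum and why it was chosen would help the next reader.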
Attached a patch for apr trunk with this change and a patch for the
I haven't used apache 2.2, but isn't OCSP stapling support still
missing there?
I think if you're already working on backporting important TLS features
that should certainly go with them.
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
be increased. (AH01929 will be logged.)
Could this be made a bit more precise?
What's "more than a few certificates"? Preferably there should be some
rough calculation (certs*Xkb) that gives a safe margin for the space.
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha
seems to be an unofficial git repo:
https://github.com/eousphoros/mod-spdy
It builds and I can load and enable it, but it doesn't work (can't
connect any more to https sites when I enable it).
So what's the reference place of spdy support for apache? Is there any
active develop
ut of the box.
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
essful). The backport proposal then needs
> consensus approval, as explained under
> http://httpd.apache.org/dev/guidelines.html, so at least two +1 from
> other devs are needed as well.
I'm not an apache dev, but you get +1 from me for backporting :-)
Hanno
--
Hanno Böck
http:/
ad.
Thanks a lot that there's finally some movement here.
What needs to happen so this can be backported to 2.4? Regarding the
discussion on ietf-tls happening right now, it'd be a good signal if
apache would support larger DH parameters soon.
--
Hanno Böck
http://hboeck.de/
mail/
unning on an experimental server and it works
for me)
Both in the bug report and in the thread in June there was zero feedback
from any of the apache devs.
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
Hi,
As far as I can see, this got no reply yet from an apache dev. Why the
silence? Could at least someone comment?
On Fri, 28 Jun 2013 09:46:27 +0200
Hanno Böck wrote:
> There's been a patch in bugzilla for a while to allow user-defined DH
> parameters, however it hasn't gott
es.apache.org/bugzilla/show_bug.cgi?id=49559
I'd like to ask apache devs to raise some attention to this issue. I
think user-defined dh groups would be a good thing, but probably the
default should also be raised to e.g. 2048 bit.
cu,
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...
think this really deserves a fast new release.
--
Hanno Böck Blog: http://www.hboeck.de/
GPG: 3DBD3B20 Jabber/Mail:ha...@hboeck.de
http://schokokeks.org - professional webhosting