Possible mod_ssl's backports to 2.2.x? (was: Looking ahead to 2.4.13 / 2.2.30)

2015-05-05 Thread Yann Ylavic
I'd like to propose those 2.4.x CHANGES (r1542327+r1569005+r1542327) for backport to 2.2.x (in reverse order):

*) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer larger keys and support up to 8192-bit keys. [Ruediger Pluem, Joe Orton]

*) mod_ssl: Improve handling of

Re: Possible mod_ssl's backports to 2.2.x? (was: Looking ahead to 2.4.13 / 2.2.30)

2015-05-05 Thread Yann Ylavic
Possible backport patch attached.

On Tue, May 5, 2015 at 3:14 PM, Yann Ylavic wrote:
> I'd like to propose those 2.4.x CHANGES (r1542327+r1569005+r1542327)
> for backport to 2.2.x (in reverse order):
>
> *) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
> larger keys and su

Re: Possible mod_ssl's backports to 2.2.x? (was: Looking ahead to 2.4.13 / 2.2.30)

2015-05-05 Thread Yann Ylavic
Please note that the prime constants in modules/ssl/ssl_engine_dh.c are from openssl/crypto/bn/bn_const.c. FWIW, attached is a (stripped) diff between the two files that shows the constants are the same...

On Tue, May 5, 2015 at 7:12 PM, Yann Ylavic wrote:
> Possible backport patch attached.
>
> On

Re: Possible mod_ssl's backports to 2.2.x? (was: Looking ahead to 2.4.13 / 2.2.30)

2015-05-05 Thread Hanno Böck
I haven't used Apache 2.2, but isn't OCSP stapling support still missing there?

I think if you're already working on backporting important TLS features that should certainly go with them.

-- 
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42

Re: Possible mod_ssl's backports to 2.2.x? (was: Looking ahead to 2.4.13 / 2.2.30)

2015-05-05 Thread Eric Covener
On Tue, May 5, 2015 at 3:06 PM, Hanno Böck wrote:
> I haven't used Apache 2.2, but isn't OCSP stapling support still
> missing there?
>
> I think if you're already working on backporting important TLS features
> that should certainly go with them.

My own line for 2.2 would be drawn somewhere bet

Re: Possible mod_ssl's backports to 2.2.x? (was: Looking ahead to 2.4.13 / 2.2.30)

2015-05-07 Thread Yann Ylavic
On Tue, May 5, 2015 at 3:14 PM, Yann Ylavic wrote:
>
> *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
> allowing custom parameters to be configured via SSLCertificateFile,
> and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
> Unless custom param