Re: TLS/SNI status

2009-01-27 Thread Graham Leggett
Joe Orton wrote: Making sure that mod_ssl's existing access control options work correctly in an SNI configuration is the critical item (and has proven to be non-trivial), otherwise it opens up security holes. Kaspar Brand did a bunch of great work on this last year; I have not had time to f

Re: TLS/SNI status

2009-01-27 Thread Joe Orton
On Thu, Jan 22, 2009 at 04:09:25PM +1100, Gervase Markham wrote:
> Short version: I am hoping to find out what the problems are with the
> trunk version of TLS/SNI, how they can be fixed, and what the chances
> are of a backport to 2.2.

Making sure that mod_ssl's existing access control options wo

Re: TLS/SNI status

2009-01-22 Thread Ruediger Pluem
On 01/22/2009 12:32 PM, Graham Leggett wrote:
> Gervase Markham wrote:
>
>> Short version: I am hoping to find out what the problems are with the
>> trunk version of TLS/SNI, how they can be fixed, and what the chances
>> are of a backport to 2.2.
>
> According to STATUS:
>
> +1: fuankg

Re: TLS/SNI status

2009-01-22 Thread Peter Sylvester
Gervase Markham wrote: Peter Sylvester wrote: As most of you will know, supporting it in Apache requires changes to OpenSSL (which we funded, and which went into version 0.9.8f) and to the httpd itself. I am certainly not one of those "most". I apologise for the ambiguity; I

Re: TLS/SNI status

2009-01-22 Thread Graham Leggett
Gervase Markham wrote: Short version: I am hoping to find out what the problems are with the trunk version of TLS/SNI, how they can be fixed, and what the chances are of a backport to 2.2. According to STATUS: +1: fuankg +0: like ssl upgrade of 2.2, perhaps this is a good reason t

Re: TLS/SNI status

2009-01-22 Thread Gervase Markham
Peter Sylvester wrote:
>> As most of you will know, supporting it in Apache requires changes to
>> OpenSSL (which we funded, and which went into version 0.9.8f) and to the
>> httpd itself.
> I am certainly not one of those "most".

I apologise for the ambiguity; I meant to say that most of you w

Re: TLS/SNI status

2009-01-22 Thread Peter Sylvester
Gervase Markham wrote: As most of you will know, supporting it in Apache requires changes to OpenSSL (which we funded, and which went into version 0.9.8f) and to the httpd itself. I am certainly not one of those "most". I am not aware of external funding for the pieces mentioned in the CHA

TLS/SNI status

2009-01-21 Thread Gervase Markham
Hi, Short version: I am hoping to find out what the problems are with the trunk version of TLS/SNI, how they can be fixed, and what the chances are of a backport to 2.2. Long version: The Mozilla project is very interested in the wide and easy use of SSL, and therefore the wide adoption of TLS/S