Package: apache2
Version: 2.2.16-6+squeeze1
Severity: wishlist

Recent versions of Apache support RFC 2817, which allows HTTP software to 'upgrade' connections from non-encrypted to encrypted status; it is sometimes referred to as StartTLS for HTTP.

http://tools.ietf.org/html/rfc2817

This is toggled by specifying "optional" on the SSLEngine directive:

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslengine

While currently no web browsers support it, I think this is a chicken-and-egg problem: if no web sites have it, there's no reason for web clients to have it; if no clients do, then why enable it? If a web server is willing to serve TLS web data from port 443 (HTTPS), then there's no reason why it shouldn't also allow TLS web data on port 80.

The contents should be akin to the following:

    <IfModule mod_ssl.c>
        SSLEngine optional
        SSLCertificateFile /etc/apache2/ssl/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server.key
    </IfModule>

A larger change (perhaps for wheezy) could be to put all certificate information into a separate area (certs.conf, certs.d/) and use an Include directive to pull things in. This would allow for only one file to be edited, and if you have multiple certs on one host (via SNI), it'd allow each one to be put in a separate file.
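
The client side of the RFC 2817 upgrade exchange that "SSLEngine optional" enables, as an added example that is not part of the original report: it builds the Upgrade request and classifies the server's reply, so an administrator can check whether a port-80 vhost actually answers the upgrade. The function names are hypothetical and the sample responses are constructed from the message shapes in RFC 2817.

```python
# Added example: RFC 2817 upgrade handshake, client side (not from the bug report).
import socket

def build_upgrade_request(host: str) -> bytes:
    """Upgrade request (RFC 2817 section 3); OPTIONS * carries no real payload."""
    return (
        "OPTIONS * HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: TLS/1.0\r\n"
        "Connection: Upgrade\r\n"
        "\r\n"
    ).encode("ascii")

def _tokens(value: str) -> set:
    return {t.strip().lower() for t in value.split(",") if t.strip()}

def classify_response(raw: bytes) -> str:
    """Return 'upgraded', 'tls-required', 'ignored' or 'malformed'."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "malformed"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # fold repeated headers into one comma-separated value
            key = name.strip().lower()
            headers[key] = ", ".join(filter(None, [headers.get(key), value.strip()]))
    offers_tls = any(t.startswith("tls/") for t in _tokens(headers.get("upgrade", "")))
    conn_upgrade = "upgrade" in _tokens(headers.get("connection", ""))
    status = int(parts[1])
    if status == 101:
        # Only begin a TLS handshake if the server really named TLS.
        return "upgraded" if offers_tls and conn_upgrade else "malformed"
    if status == 426 and offers_tls:
        return "tls-required"
    return "ignored"

def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the request to a server you administer and classify its reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_upgrade_request(host))
        return classify_response(s.recv(4096))

# Constructed sample responses (status lines and headers as in RFC 2817).
ACCEPTED = b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n"
REQUIRED = b"HTTP/1.1 426 Upgrade Required\r\nUpgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n"
PLAIN = b"HTTP/1.1 200 OK\r\nAllow: GET,HEAD,POST,OPTIONS\r\nContent-Length: 0\r\n\r\n"
```

Because the Upgrade header travels in cleartext, an on-path device can strip it and the exchange silently stays unencrypted; an "ignored" result from a server configured with "SSLEngine optional" is therefore worth investigating rather than assuming a misconfiguration.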