On 24.05.2015 at 20:10, Christopher Schultz wrote:
> Rainer,
>
> On 5/23/15 12:03 PM, Rainer Jung wrote:
>> mod_ssl dropped support for EXPORT ciphers in Apache 2.4 some time ago
>> and will also drop it in Apache 2.2 in the soon to be released next
>> version.
>>
>> I applied a similar change to tcnative trunk and would also like to
>> apply it to 1.1.
>
> +1
>
>> Note that "drop support" would mean you can no longer enable export
>> ciphers. Even if you do they will simply not get advertised to the
>> client because the code filters them out. This is not just a question of
>> defaults but whether export ciphers should be available or not.
>>
>> The change in question is
>>
>> http://svn.apache.org/r1681147
>>
>> In the light of the downgrade attacks that were invented I have a
>> tendency to drop support completely. Other opinions?
>
> Hmm. As much as I'd like for EXP ciphers to die forever, I can imagine a
> use case where the user really *really* needs to use them. Can we offer
> them the ability to re-enable them? It's okay if it requires a re-build
> of tcnative to do so.
>
> Thanks,
> -chris

Done in r1681523. I added the configure flag
--enable-insecure-export-ciphers and ported the feature and flag from
trunk to 1.1.
If people don't like it I can revert (or rename the switch) but it seems
you and Mark are OK with that way.
Regards,
Rainer