Rainer,

On 5/24/15 2:12 PM, Rainer Jung wrote:
> On 24.05.2015 at 18:33, Mark Thomas wrote:
>> On 23 May 2015 17:03:21 BST, Rainer Jung <rainer.j...@kippdata.de> wrote:
>>> mod_ssl dropped support for EXPORT ciphers in Apache 2.4 some time ago
>>> and will also drop it in Apache 2.2 in the soon to be released next
>>> version.
>>>
>>> I applied a similar change to tcnative trunk and would also like to
>>> apply it to 1.1.
>>>
>>> Note that "drop support" would mean you can no longer enable export
>>> ciphers. Even if you do they will simply not get advertised to the
>>> client because the code filters them out. This is not just a question
>>> of defaults but whether export ciphers should be available or not.
>>>
>>> The change in question is
>>>
>>> http://svn.apache.org/r1681147
>>>
>>> In the light of the downgrade attacks that were invented I have a
>>> tendency to drop support completely. Other opinions?
>>>
>>> Regards,
>>>
>>> Rainer
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: dev-h...@tomcat.apache.org
>>
>> +1.
>>
>> From a purely personal perspective I suspect this change will cause
>> me more work when I want to enable export ciphers for testing. I'll cope.
>>
>> For end users I can't see any reason to ever enable these so happy
>> for them to go.
>
> Just to be explicit about expectations: the code in mod_ssl takes the
> configured cipher suite string and then *always* prepends
> !aNULL:!eNULL:!EXP. So even if you tried to enable via config, it
> wouldn't work. So if you really wanted to test with export ciphers,
> you'd need to use a custom patched tcnative. It would really be "no
> longer supported" in the most extreme sense.
How about:

    #ifdef TCNATIVE_ENABLE_EXPORT_CIPHERS
    #define PREPEND "!aNULL:!eNULL:"
    #else
    #define PREPEND "!aNULL:!eNULL:!EXP:"
    #endif

    const char *ciphers = ...;   /* the configured cipher suite string */
    /* PREPEND is a string literal, so build the result in a fresh buffer
       rather than strcat()ing onto it */
    size_t len = strlen(PREPEND) + strlen(ciphers) + 1;
    char *effective_ciphers = malloc(len);
    snprintf(effective_ciphers, len, "%s%s", PREPEND, ciphers);

?

-chris
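The behaviour Rainer describes above (the deny rules are always prepended, and a "!" keyword in an OpenSSL-style cipher string is permanent, so a later "EXP" in the config cannot re-enable those suites), combined with Chris's build-flag idea, as an added example written for this thread, not code from tcnative or mod_ssl. The cipher catalogue is a constructed sample, the keyword matcher models only the keywords the thread uses, and TCNATIVE_ENABLE_EXPORT_CIPHERS is the hypothetical flag from the proposal.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical build flag from Chris's proposal; undefined by default. */
#ifdef TCNATIVE_ENABLE_EXPORT_CIPHERS
#define PREPEND "!aNULL:!eNULL:"
#else
#define PREPEND "!aNULL:!eNULL:!EXP:"
#endif
/* Constructed sample catalogue, not OpenSSL's real cipher table. */
enum { F_EXP = 1, F_ANULL = 2, F_ENULL = 4 };
struct cipher { const char *name; int flags; };
static const struct cipher CATALOG[] = {
    {"AES128-SHA", 0}, {"EXP-RC4-MD5", F_EXP}, {"ADH-AES128-SHA", F_ANULL},
    {"NULL-SHA", F_ENULL}, {"EXP-DES-CBC-SHA", F_EXP},
};
#define NCIPH (sizeof CATALOG / sizeof CATALOG[0])
/* Keyword matching for the subset of cipher-string keywords the thread uses. */
static int matches(const char *kw, const struct cipher *c) {
    if (!strcmp(kw, "ALL")) return 1;
    if (!strcmp(kw, "EXP") || !strcmp(kw, "EXPORT")) return c->flags & F_EXP;
    if (!strcmp(kw, "aNULL")) return c->flags & F_ANULL;
    if (!strcmp(kw, "eNULL")) return c->flags & F_ENULL;
    return !strcmp(kw, c->name);
}
/* Evaluate a colon-separated cipher string. A "!" keyword deletes matching ciphers
   permanently; later keywords cannot re-enable them. Returns the number enabled. */
int evaluate(const char *spec, const char *out[], int maxout) {
    int state[NCIPH] = {0};             /* 0 off, 1 on, 2 permanently deleted */
    char buf[256]; snprintf(buf, sizeof buf, "%s", spec);
    for (char *tok = strtok(buf, ":"); tok; tok = strtok(NULL, ":")) {
        int kill = tok[0] == '!';
        const char *kw = kill ? tok + 1 : tok;
        for (size_t i = 0; i < NCIPH; i++) {
            if (!matches(kw, &CATALOG[i])) continue;
            if (kill) state[i] = 2;
            else if (state[i] != 2) state[i] = 1;
        }
    }
    int n = 0;
    for (size_t i = 0; i < NCIPH && n < maxout; i++)
        if (state[i] == 1) out[n++] = CATALOG[i].name;
    return n;
}
/* What mod_ssl/tcnative does per the thread: the deny rules are always prepended. */
int effective(const char *configured, const char *out[], int maxout) {
    char full[256];
    snprintf(full, sizeof full, "%s%s", PREPEND, configured);
    return evaluate(full, out, maxout);
}
```

With the default build, effective("ALL:EXP", ...) yields only AES128-SHA, which is the "cannot be enabled via config" property Rainer describes.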