Rainer,

On 5/24/15 3:46 PM, Rainer Jung wrote:
> On 24.05.2015 at 20:10, Christopher Schultz wrote:
>> Rainer,
>>
>> On 5/23/15 12:03 PM, Rainer Jung wrote:
>>> mod_ssl dropped support for EXPORT ciphers in Apache 2.4 some time ago
>>> and will also drop it in Apache 2.2 in the soon to be released next
>>> version.
>>>
>>> I applied a similar change to tcnative trunk and would also like to
>>> apply it to 1.1.
>>
>> +1
>>
>>> Note that "drop support" would mean you can no longer enable export
>>> ciphers. Even if you do they will simply not get advertised to the
>>> client because the code filters them out. This is not just a question of
>>> defaults but whether export ciphers should be available or not.
>>>
>>> The change in question is
>>>
>>> http://svn.apache.org/r1681147
>>>
>>> In the light of the downgrade attacks that were invented I have a
>>> tendency to drop support completely. Other opinions?
>>
>> Hmm. As much as I'd like for EXP ciphers to die forever, I can imagine a
>> use case where the user really *really* needs to use them. Can we offer
>> them the ability to re-enable them? It's okay if it requires a re-build
>> of tcnative to do so.
>>
>> Thanks,
>> -chris
>
> Done in r1681523. I added the configure flag
> --enable-insecure-export-ciphers and ported the feature and flag from
> trunk to 1.1.
>
> If people don't like it I can revert (or rename the switch) but it seems
> you and Mark are OK with that way.

Perfect! Thanks!

-chris