On 25.05.2015 at 14:05, Christopher Schultz wrote:
Rainer,
On 5/24/15 2:12 PM, Rainer Jung wrote:
On 24.05.2015 at 18:33, Mark Thomas wrote:
On 23 May 2015 17:03:21 BST, Rainer Jung <rainer.j...@kippdata.de> wrote:
mod_ssl dropped support for EXPORT ciphers in Apache 2.4 some time ago
and will also drop it in Apache 2.2 in the soon-to-be-released next
version.
I applied a similar change to tcnative trunk and would also like to
apply it to 1.1.
Note that "drop support" would mean you can no longer enable export
ciphers. Even if you do, they will simply not get advertised to the
client because the code filters them out. This is not just a question
of defaults but whether export ciphers should be available or not.
The change in question is
http://svn.apache.org/r1681147
In the light of the downgrade attacks that were invented I have a
tendency to drop support completely. Other opinions?
Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
+1.
From a purely personal perspective I suspect this change will cause
me more work when I want to enable export ciphers for testing. I'll cope.
For end users I can't see any reason to ever enable these, so happy
for them to go.
Just to be explicit about expectations: the code in mod_ssl takes the
configured cipher suite string and then *always* prepends
!aNULL:!eNULL:!EXP. So even if you tried to enable them via config, it
wouldn't work. So if you really wanted to test with export ciphers,
you'd need to use a custom patched tcnative. It would really be "no
longer supported" in the most extreme sense.
How about:
#ifdef TCNATIVE_ENABLE_EXPORT_CIPHERS
#define PREPEND "!aNULL:!eNULL:"
#else
#define PREPEND "!aNULL:!eNULL:!EXP:"
#endif
const char *ciphers = ...;   /* configured cipher suite string */
char effective_ciphers[1024];
/* strcat() onto the PREPEND literal would be undefined behaviour; build a fresh buffer */
snprintf(effective_ciphers, sizeof(effective_ciphers), "%s%s", PREPEND, ciphers);
?
I was undecided whether the configure flag should allow only export, or
export plus NULL, and whether the meaning of the flag has to go into the
flag and define names or whether the help message would be enough.
I went with "flag re-enables export and NULL" to allow full debug/test
scenarios, but with the names of the flag and define only referring to export (to
keep them shorter), putting the "NULL" only in the help message for the
flag.
I didn't want to simply name the flag --enable-insecure-ciphers, because
that would indicate that the project by default has disabled all
insecure ciphers, which would be hard to do and to keep up to date.
Regards,
Rainer
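The whole thread hinges on one OpenSSL cipher-string rule: an entry prefixed with "!" deletes those suites for the rest of the string, whereas "-" only deletes them until a later entry adds them back. That is why a fixed "!aNULL:!eNULL:!EXP:" prefix makes the configured string unable to re-enable them. The following is an added example, not code from tcnative, mod_ssl or the r1681147 change; it drives OpenSSL's cipher-string parser through Python's ssl module. Assumptions: the `allow_export` parameter stands in for the configure flag/define discussed above (only "!EXP:" is dropped when it is set), and anonymous (ADH/AECDH) suites are used as the observable stand-in for export suites, because OpenSSL 1.1.0 removed the EXPORT suites entirely so "!EXP" can no longer be seen to do anything on a current library.

```python
import ssl

# Fixed prefix mod_ssl puts in front of the configured cipher string (from the
# thread). Assumption: the tcnative configure flag discussed above only drops
# the "!EXP:" part; the real patch (r1681147) is not reproduced here.
HARD_EXCLUDES = "!aNULL:!eNULL:!EXP:"
HARD_EXCLUDES_EXPORT_ALLOWED = "!aNULL:!eNULL:"


def effective_cipher_string(configured, allow_export=False):
    """Return the cipher string that is actually handed to OpenSSL.

    '!' deletes a class permanently for the rest of the string, whereas '-'
    only deletes until a later entry adds the suites back. Because the prefix
    uses '!', nothing in `configured` can re-enable the excluded classes.
    """
    prefix = HARD_EXCLUDES_EXPORT_ALLOWED if allow_export else HARD_EXCLUDES
    return prefix + configured


def anonymous_suites(cipher_string):
    """Load `cipher_string` into an OpenSSL server context and return the
    anonymous (ADH-/AECDH-) suites it would offer.

    Anonymous suites stand in for export suites here: OpenSSL 1.1.0 removed
    the EXPORT suites entirely, so '!EXP' can no longer be observed directly,
    while '!aNULL' in the same prefix can.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()
            if c["name"].startswith(("ADH-", "AECDH-"))]


def compare_prefixes(configured="HIGH:aNULL"):
    """Constructed scenario: an operator appends 'aNULL' to the configured
    list, trying to switch anonymous suites back on. With the '!' prefix the
    attempt is ignored; with a '-' prefix the suites come back (on any
    OpenSSL build that still ships them)."""
    bang = effective_cipher_string(configured)
    minus = "-aNULL:-eNULL:-EXP:" + configured
    return {
        "bang_string": bang,
        "bang_anonymous": anonymous_suites(bang),
        "minus_anonymous": anonymous_suites(minus),
    }


if __name__ == "__main__":
    result = compare_prefixes()
    print("string used:", result["bang_string"])
    print("anonymous suites with '!' prefix:", result["bang_anonymous"])
    print("anonymous suites with '-' prefix:", result["minus_anonymous"])
```

The "bang" list is empty on every OpenSSL build, which is the property the thread is after; the "minus" list is non-empty on builds that still include ADH/AECDH suites, showing what a softer prefix would let a configuration undo.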