On 25/05/2015 13:05, Christopher Schultz wrote:
> Rainer,
>
> On 5/24/15 3:46 PM, Rainer Jung wrote:
>> On 24.05.2015 at 20:10, Christopher Schultz wrote:
>>> Rainer,
>>>
>>> On 5/23/15 12:03 PM, Rainer Jung wrote:
>>>> mod_ssl dropped support for EXPORT ciphers in Apache 2.4 some time ago
>>>> and will also drop it in Apache 2.2 in the soon to be released next
>>>> version.
>>>>
>>>> I applied a similar change to tcnative trunk and would also like to
>>>> apply it to 1.1.
>>>
>>> +1
>>>
>>>> Note that "drop support" would mean you can no longer enable export
>>>> ciphers. Even if you do they will simply not get advertised to the
>>>> client because the code filters them out. This is not just a question of
>>>> defaults but whether export ciphers should be available or not.
>>>>
>>>> The change in question is
>>>>
>>>> http://svn.apache.org/r1681147
>>>>
>>>> In the light of the downgrade attacks that were invented I have a
>>>> tendency to drop support completely. Other opinions?
>>>
>>> Hmm. As much as I'd like for EXP ciphers to die forever, I can imagine a
>>> use case where the user really *really* needs to use them. Can we offer
>>> them the ability to re-enable them? It's okay if it requires a re-build
>>> of tcnative to do so.
>>>
>>> Thanks,
>>> -chris
>>
>> Done in r1681523. I added the configure flag
>> --enable-insecure-export-ciphers and ported the feature and flag from
>> trunk to 1.1.
>>
>> If people don't like it I can revert (or rename the switch) but it seems
>> you and Mark are OK with that way.
>
> Perfect! Thanks!

Agreed. +1 from me too. Thanks.

Mark