httpd-dev mailing list archives

From "Eric Covener" <cove...@gmail.com>
Subject Re: SNI in 2.2.x (Re: Time for 2.2.10?)
Date Thu, 09 Oct 2008 11:18:38 GMT
On Thu, Oct 9, 2008 at 5:59 AM, Ian G <iang@iang.org> wrote:
>
>
>> As we all know, this will not be in 2.2.10... Please recall that
>> things must be in -trunk before being viable for backport to 2.2.x.
>
> It's impossible to even express how disappointing this is ;(
>
> There are only two changes in TLS on the server side that have been
> identified to have any effect on phishing [1].  TLS/SNI is the easy one.

What's the effect beyond making mass-vhosting easier?

>
> A httpd fix will almost work by itself;  the browsers already did
> their part [2].  Only the config changes implemented by all here are
> needed on the web server to turn the LAMPs on in a million small but
> secured sites.

There's still the issue of certificates and CPU time.

>
> What are the blockages?  Mozo have offered money but don't know what
> to do or who to talk to?

Review has been public.  Nobody's opposed to SNI in the webserver, but
AIUI the patch that implements it seems to have a troubled history
with respect to integrating with all the per-directory quirks of SSL
renegotiation in mod_ssl.

IMO the merits of SNI aren't the operative argument.

-- 
Eric Covener
covener@gmail.com
