httpd-dev mailing list archives

From Jim Jagielski <...@jaguNET.com>
Subject Re: SNI in 2.2.x (Re: Time for 2.2.10?)
Date Thu, 09 Oct 2008 13:37:53 GMT

On Oct 9, 2008, at 5:59 AM, Ian G wrote:

>
>
>> As we all know, this will not be in 2.2.10... Please recall that
>> things must be in -trunk before being viable for backport to 2.2.x.
>
> It's impossible to even express how disappointing this is ;(
>
> There are only two changes in TLS on the server side that have been
> identified to have any effect on phishing [1].  TLS/SNI is the easy one.
>
> A httpd fix will almost work by itself;  the browsers already did
> their part [2].  Only the config changes implemented by all here are
> needed on the web server to turn the LAMPs on in a million small but
> secured sites.
>
> Which makes this the #1 easy fix for security in existing code
> bases, today, and since around 2004 [3].  This massive injection of
> activity will flow through in dozens of ways, e.g., by pulling more
> and more Linux guys into thinking about securing systems.
>
> What are the blockages?  Mozo have offered money but don't know what
> to do or who to talk to?
>

The ASF is not a "for hire" agency. Also, we have a known and
set policy regarding how patches are accepted and then backported
to the release branch. We will not simply "plug in" new stuff
in the 2.2 branch without it getting a good, deep vetting in
trunk.

