httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: [VOTE] Release Apache httpd 2.4.7 as GA
Date Tue, 19 Nov 2013 23:25:56 GMT
+1

sorry for the noise, the default seems to be changed to 2048

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS		128

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS		128

TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)      DH 2048 bits (p: 256, g: 1, Ys: 256)   FS		128

indeed i missed:
DH parameter interoperability with primes > 1024 bit
Beginning with version 2.4.7, mod_ssl makes use of standardized DH parameters
with prime lengths of 2048, 3072 and 4096 bits (from RFC 3526), and hands them
out to clients based on the length of the certificate's RSA/DSA key. With
Java-based clients in particular (Java 7 or earlier), this may lead to
handshake failures - see this FAQ answer for working around such issues.

Am 20.11.2013 00:12, schrieb Reindl Harald:
> 
> Am 19.11.2013 18:45, schrieb Jim Jagielski:
>> The pre-release test tarballs for Apache httpd 2.4.7 can be found
>> at the usual place:
>>
>> http://httpd.apache.org/dev/dist/
>>
>> I'm calling a VOTE on releasing these as Apache httpd 2.4.7 GA.
>>
>> [ ] +1: Good to go
>> [ ] +0: meh
>> [ ] -1: Danger Will Robinson. And why.
>>
>> Vote will last the normal 72 hrs.
>>
>> NOTE: The *-deps are only there for convenience
> 
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
> still not included and patches for 2.4.6 flying around no longer matching
> 
> [root@srv-rhsoft:~]$ apachectl -t
> AH00526: Syntax error on line 20 of /etc/httpd/conf/httpd-ssl.conf:
> Invalid command 'SSLDHParametersFile', perhaps misspelled or defined...............
> 
> because the original patch is more than a year old and https://www.ssllabs.com/ssltest/
> gives you 5 additional points for a 2048 bit DHE key -1 from me

