httpd-dev mailing list archives

From Dr Stephen Henson <shen...@opensslfoundation.com>
Subject Re: Deprecating (and eventually removing) encrypted private key support in mod_ssl?
Date Sun, 05 Jan 2014 14:09:08 GMT
On 05/01/2014 09:00, Kaspar Brand wrote:
> On 03.01.2014 23:51, Dr Stephen Henson wrote:
>> On 28/12/2013 13:34, Kaspar Brand wrote:
>>> FYI: in r1553824 (which I just committed to trunk), I'm now manually
>>> shuffling things around to support per-cert chains - but would happily
>>> drop the "#if defined(SSL_CTX_set1_chain)"-enclosed code if you decide
>>> to adapt SSL_CTX_use_certificate_chain_file in 1.0.2.
>>>
>>
>> Now done for OpenSSL master and 1.0.2 branches.
> 
> Thanks, I have removed the code in r1555463 therefore. Assuming that the
> release of 1.0.2 isn't too far away by now, I have added a backport
> proposal for 2.4.x. Votes/reviews welcome. (And while I have your
> attention: could you perhaps have a look at OpenSSL's PRs #3178 and
> #3183? Both would help in improving SNI-based configurations.)
> 

OK I'll have a look at those.

On the subject of 1.0.2, would it be appropriate to set auto ECDH parameter
selection as the default in mod_ssl where supported? As things stand, one single
curve can be set (with default P-256) and it's an all-or-nothing choice; with
auto parameter selection, the highest priority curve supported by both sides is used.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com
