httpd-dev mailing list archives

From Dr Stephen Henson
Subject Re: Deprecating (and eventually removing) encrypted private key support in mod_ssl?
Date Sun, 05 Jan 2014 14:09:08 GMT

On 05/01/2014 09:00, Kaspar Brand wrote:
> On 03.01.2014 23:51, Dr Stephen Henson wrote:
>> On 28/12/2013 13:34, Kaspar Brand wrote:
>>> FYI: in r1553824 (which I just committed to trunk), I'm now manually
>>> shuffling things around to support per-cert chains - but would happily
>>> drop the "#if defined(SSL_CTX_set1_chain)"-enclosed code if you decide
>>> to adapt SSL_CTX_use_certificate_chain_file in 1.0.2.
>> Now done for OpenSSL master and 1.0.2 branches.
> Thanks, I have removed the code in r1555463 therefore. Assuming that the
> release of 1.0.2 isn't too far away by now, I have added a backport
> proposal for 2.4.x. Votes/reviews welcome. (And while I have your
> attention: could you perhaps have a look at OpenSSL's PRs #3178 and
> #3183? Both would help in improving SNI-based configurations.)

OK I'll have a look at those.

On the subject of 1.0.2, would it be appropriate to set auto ecdh parameter
selection as the default in mod_ssl where supported? As things stand one single
curve can be set (with default P-256) and it's an all or nothing choice; with
auto parameter selection the highest priority curve supported by both sides is used.

Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
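
An added illustration (not part of the original message, and not OpenSSL or mod_ssl code) of the difference described above between one fixed ECDH curve and automatic selection. It is a model only: the function names are hypothetical, the server priority list and the ClientHello extension bodies are constructed, and taking the priority order from the server's list is an assumption; the curve ids are the NamedCurve values from RFC 4492.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS NamedCurve ids (RFC 4492) */
enum { SECP256R1 = 23, SECP384R1 = 24, SECP521R1 = 25 };

/* Body of a ClientHello elliptic_curves extension: 2-byte list length, then
 * 2-byte big-endian curve ids. Returns 1 if `curve` is offered, 0 if not,
 * -1 if the body is malformed. */
static int client_offers(const uint8_t *ext, size_t len, uint16_t curve)
{
    if (len < 2) return -1;
    size_t n = ((size_t)ext[0] << 8) | ext[1];
    if (n != len - 2 || n % 2 != 0) return -1;
    for (size_t i = 2; i < len; i += 2)
        if ((((uint16_t)ext[i] << 8) | ext[i + 1]) == curve)
            return 1;
    return 0;
}

/* Fixed mode: one configured curve, usable only if the client offers it. */
int select_fixed(const uint8_t *ext, size_t len, uint16_t configured)
{
    return client_offers(ext, len, configured) == 1 ? configured : -1;
}

/* Auto mode: first entry of the server priority list (assumed ordering)
 * that the client also offers; -1 if none or if the body is malformed. */
int select_auto(const uint8_t *ext, size_t len, const uint16_t *prio, size_t nprio)
{
    for (size_t i = 0; i < nprio; i++) {
        int r = client_offers(ext, len, prio[i]);
        if (r < 0) return -1;
        if (r == 1) return prio[i];
    }
    return -1;
}

/* Constructed sample data: one client without P-256, one offering all three */
const uint8_t CLIENT_384_521[] = { 0x00, 0x04, 0x00, 0x19, 0x00, 0x18 };
const uint8_t CLIENT_ALL[] = { 0x00, 0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19 };
const uint16_t SERVER_PRIO[] = { SECP521R1, SECP384R1, SECP256R1 };

int main(void)
{
    printf("fixed P-256: %d\n", select_fixed(CLIENT_384_521, sizeof CLIENT_384_521, SECP256R1));
    printf("auto: %d\n", select_auto(CLIENT_384_521, sizeof CLIENT_384_521, SERVER_PRIO, 3));
    return 0;
}
```

With the fixed P-256 setting the first sample client has no usable ECDH curve, while auto selection still finds a common one.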
