From: olli hauer
Date: Tue, 05 May 2015 23:31:01 +0200
To: dev@httpd.apache.org
Subject: Re: Looking ahead to 2.4.13 / 2.2.30
Message-ID: <55493695.7090507@gmx.de>

On 2015-05-05 15:03, Yann Ylavic wrote:
> On Thu, Apr 30, 2015 at 11:52 PM, William A Rowe Jr wrote:
>>
>> Concerns / observations / thoughts?
>
> I'd like to propose those 2.4.x CHANGES (r1542327+r1569005+r1542327)
> for backport to 2.2.x (in reverse order):
>
>   *) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
>      larger keys and support up to 8192-bit keys. [Ruediger Pluem,
>      Joe Orton]
>
>   *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
>      allowing custom parameters to be configured via SSLCertificateFile,
>      and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
>      Unless custom parameters are configured, the standardized parameters
>      are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]
>
>   *) mod_ssl, configure: Require OpenSSL 0.9.8a or later. [Kaspar Brand]
>
>   *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
>      keys, and unconditionally disable aNULL, eNULL and EXP ciphers
>      (not overridable via SSLCipherSuite). [Kaspar Brand]
>
> or at least partly.
>

Perhaps it is also a good time to kick SSLv2 support from 2.2.x ;)