Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 152B5200C68 for ; Wed, 3 May 2017 10:03:55 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 13C38160BB5; Wed, 3 May 2017 08:03:55 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 33767160BAA for ; Wed, 3 May 2017 10:03:54 +0200 (CEST) Received: (qmail 9359 invoked by uid 500); 3 May 2017 08:03:53 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 9348 invoked by uid 99); 3 May 2017 08:03:53 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 03 May 2017 08:03:53 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id C77DC1901F7 for ; Wed, 3 May 2017 08:03:52 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 2.899 X-Spam-Level: ** X-Spam-Status: No, score=2.899 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RDNS_NONE=3, SPF_PASS=-0.001] autolearn=disabled Authentication-Results: spamd3-us-west.apache.org (amavisd-new); dkim=pass (1024-bit key) header.d=beamartyr.net Received: from mx1-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id uMp-yYTCFhAB for ; Wed, 3 May 2017 08:03:48 +0000 (UTC) Received: from mail1.mirimar.net (unknown [134.119.223.40]) by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTPS id DBF295FB29 for ; Wed, 3 May 2017 08:03:47 +0000 (UTC) Received: from [172.17.36.219] (odap-199-203-61-119.bb.netvision.net.il [199.203.61.119]) (authenticated bits=0) by mail1.mirimar.net (8.14.4/8.14.4/Debian-2ubuntu2.1) with ESMTP id v4383cp7032618 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO) for ; Wed, 3 May 2017 10:03:40 +0200 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=beamartyr.net; s=mail; t=1493798621; bh=m5dm5RlWywJgdJdgx/N/GPauORPpn3QCalKnVxzsurU=; h=Subject:To:References:From:Message-ID:Date:MIME-Version: In-Reply-To:Content-Type:Content-Transfer-Encoding; b=zLhHKn9T5NCq0nar/4aG0X4P6JlRTIZjftxhcG6q86feV0T4kPQ1bARgiIbOd/N6g 0QiFzUT5mFjSweePFh711sSCweG5BKdYhVLAe+XhC+qWSYuo7MFdejfph5OI8vIXAa AWG/zX3vsf4C+x4EMRdkKcHOwoEyGyJqxGjreqA8= Subject: Re: SSL and Usability and Safety To: dev@httpd.apache.org References: From: Issac Goldstand Message-ID: <6801e32f-0cbb-8c6e-f902-57f6a49698ba@beamartyr.net> Date: Wed, 3 May 2017 11:03:38 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.7.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit archived-at: Wed, 03 May 2017 08:03:55 -0000 +1 on the idea So far I'm -0 about all of the proposed implementations for 2 reasons: 1) Mr and Mrs normal (whom are our primary customers in the original proposal) usually download Apache from their distro or some other binary. Their Apache sources are usually not up-to-date, and in the scenario that a new vulnerability is found it would take ages to propagate to them, anyway 2) For those users who are comfortable building their own source, they run into our PMCs release timing. What happens if a vulnerability is released, we quickly backport from trunk[1] to whatever branches are needed based on what's up-to-date and we want to release said old branches? Suddenly, we realize that one (or more) of these old branches have changes unrelated to the vulnerability and we erupt into days or weeks of constructive arguments on the merit of these other changes to be released? What would work, in my eyes, if people are open to it, is treating the contents of these definitions/macros (and I'm all for the macros, just so that interested sysadmins can see *exactly* what the settings are on their setup) as apart from the httpd sources, and thus not subject to the normal release cycle. To clarify, I mean the httpd tarball release cycles specifically, not our policies for how we perform and vote on the releases (although we'd need to come to agreement on how to allow for quick releases in the face of security issues, so a 3 day vote followed by release may not work). Instead, we could do something similar to the spamassassin project does with their base rules, where we have external tooling (or internal tooling, if it's preferred) fetch the up-to-date definitions from an ASF mirror server on a regular basis and override the local definitions. Best, Issac [1] and this assumes we'd be keeping these configs in trunk, which is kinda backwards IMHO, given that trunk by definition is stuff with potential to release at some point in the future, whereas these configs are our published best-practice for *now* On 5/3/2017 4:11 AM, Daniel Ruggeri wrote: > I actually was going to respond in a similar way by proposing the use of > files that could be Included. I really like this idea for all the > reasons mentioned - the biggest being that it's trivial for a SecAdmin > or WebAdmin to see what is in the Included file and its macros and what > gets applied. I am also in support of regularly evolving the values > because an admin making use of them is aware that they are delegating > responsibility to us or their package vendor. The downside (which may no > longer be valid - haven't looked in ages) is that I think Includes and > Macros confuse line numbers in error messages. > -- > Daniel Ruggeri > > ------------------------------------------------------------------------ > *From:* Jacob Champion > *Sent:* May 2, 2017 5:48:34 PM CDT > *To:* dev@httpd.apache.org > *Subject:* Re: SSL and Usability and Safety > > On 05/02/2017 02:10 PM, Eric Covener wrote: > > I think to be useful, reasonable SSL defaults have to be subject to > change in maintenance (and over-rideable) > > > So... this got me thinking. If we put this new "stuff" (whatever it > turns out to be) into a new directive, > > - part of its operation gets tied to source code that's hidden from the > end user > - we'll probably have to duplicate some SSL directive logic in the module > - we have to figure out the merge/conflict scenarios, which -- while > definitely worthwhile in the long term -- feels likely to add complexity > to the short-term discussion > > If all of the settings that are part of this new directive can be > described in terms of other already-existing directives, could we > implement it as a server-owned Macro? > > - their implementation is public and auditable by anyone who understands > the config syntax > - they can be easily patched for vulnerabilities without recompiling > anything > - merge/conflict resolution will follow the individual directives' > current merge logic (whatever that happens to be) > > We could reserve a macro prefix (or symbol) for the server and its > modules so that we don't step on anyone with future expansion. Then it's > just a matter of > > Include macros/ssl.conf > > Use !SslIntermediateSecuritySettings > > We'd have to be very explicit that the macro definitions belong to the > server distribution, and installing a newer (or older) version of the > server would overwrite whatever changes you'd made to those macro files. > > Thoughts? > > --Jacob >