Re: drop experimental from http2 for 2.4.next?

2017-05-16 Thread Eric Covener
On Mon, Apr 17, 2017 at 4:24 AM, Stefan Eissing
 wrote:
> What needs to be done? From what I saw in the last two years, these
> are key areas to improve:
>
>   1. separation of semantics and serialisation
>   2. connections with >1 requests simultaneously
>
> mod_http needs to spin off a mod_http1 with the parts that read
> and write headers, handle chunked encoding in requests
> and responses, etc.
>
> mpm needs facilities for processing slave connections and assign
> its resources to slave/master connections in fair and performant
> ways.
>
> As much as I like to work on it, I am certainly not able to do
> that by myself. So, yes, I welcome getting rid of experimental.


I'm sorry, but can you clarify the relationship between the initial
bit and the welcoming of it not experimental?

-- 
Eric Covener
cove...@gmail.com


Re: svn commit: r1795358 - /httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in

2017-05-16 Thread William A Rowe Jr
Backported to 2.2 and 2.4. For additional rationale for not changing any
already-configured servers, but preventing new 2.2/2.4 configuration
deployments from supporting 3DES, please see the OpenSSL project's
own observations first, before launching into discussion:

  https://www.openssl.org/blog/blog/2016/08/24/sweet32/



On Tue, May 16, 2017 at 2:33 PM,   wrote:
> Author: wrowe
> Date: Tue May 16 19:33:36 2017
> New Revision: 1795358
>
> URL: http://svn.apache.org/viewvc?rev=1795358&view=rev
> Log:
> Remove 3DES by default for users of older crypto libraries; the cipher
> has been reclassified in current OpenSSL releases as WEAK due to 112
> or fewer bits of remaining cipher strength, while the Sweet32 disclosure
> extended the criticism of RC4 on to 3DES. (IDEA, which potentially has the
> same issue, is never enabled by default in OpenSSL, due to patent concerns.)
>
> This commit does not change default httpd behavior, but alters the suggested
> behavior of newly provisioned httpd servers. Where adopted, XP with IE8 will
> no longer handshake with mod_ssl (previously, XP with IE6 would not 
> handshake.)
> The same net effect occurs where OpenSSL is updated to 1.1.0.
>
> Modified:
> httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
>
> Modified: httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in?rev=1795358&r1=1795357&r2=1795358&view=diff
> ==
> --- httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in (original)
> +++ httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in Tue May 16 19:33:36 
> 2017
> @@ -49,8 +49,8 @@ Listen @@SSLPort@@
>  #   ensure these follow appropriate best practices for this deployment.
>  #   httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP 
> ciphers,
>  #   while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
> -SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
> -SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
> +SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
> +SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
>
>  #  By the end of 2016, only TLSv1.2 ciphers should remain in use.
>  #  Older ciphers should be disallowed as soon as possible, while the
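Review bot: the comment block directly above the changed directives (from "ensure these follow appropriate best practices" through the "0.9.8zf/1.0.0r/1.0.1m/1.0.2a" line) still explains only the aNULL/eNULL/EXP exclusions and is left untouched by this hunk, so an administrator copying the template has no hint why `!3DES` is now present or that, per the log message, it costs IE8-on-XP clients. Suggest extending that comment in the same change, e.g. `#   3DES is excluded here following the Sweet32 disclosure (OpenSSL now rates it WEAK);` followed by `#   dropping !3DES restores IE8/XP interoperability at the cost of a 64-bit block cipher.` The trailing context line "By the end of 2016, only TLSv1.2 ciphers should remain in use." is also already in the past for a May 2017 commit and could be reworded as a present-tense recommendation while this file is being touched.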
>
>
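Added example, not httpd/mod_ssl code and not part of this thread: a short check of what the two SSLCipherSuite strings from r1795358 actually enable on the local machine. Python's ssl module hands the string to the same OpenSSL cipher-string parser mod_ssl uses, so the lists match `openssl ciphers -v '<string>'` for whichever OpenSSL Python is linked against; which suites appear (and which the `!3DES` exclusion removes) depends on that library's version and build, which is an assumption of the check rather than anything the commit states.

```python
"""Compare the pre- and post-r1795358 SSLCipherSuite strings against the
local OpenSSL.  Added example: Python's ssl module uses the same OpenSSL
cipher-string syntax as mod_ssl, so this mirrors `openssl ciphers -v`.
The exact suite names seen depend on the OpenSSL build Python links to."""
import ssl

# The two SSLCipherSuite values from the r1795358 diff.
OLD_SUITE = "HIGH:MEDIUM:!MD5:!RC4"
NEW_SUITE = "HIGH:MEDIUM:!MD5:!RC4:!3DES"

# Name fragments identifying the suites the config sets out to exclude.
# OpenSSL spells 3DES as DES-CBC3 in most suite names and as 3DES in the
# PSK/SRP ones, so both fragments are listed.
UNWANTED = ("DES-CBC3", "3DES", "RC4", "MD5")


def enabled_ciphers(suite):
    """Return the OpenSSL names of the suites `suite` enables locally.

    TLS 1.3 suites are governed by a separate OpenSSL list that an
    SSLCipherSuite string does not touch, so they are filtered out and only
    the TLS 1.2-and-below names the string actually controls are returned.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(suite)  # raises ssl.SSLError if nothing can be selected
    return [c["name"] for c in ctx.get_ciphers()
            if c.get("protocol") != "TLSv1.3"]


def weak_suites(suite):
    """Return the enabled suites whose names match an UNWANTED fragment."""
    return [name for name in enabled_ciphers(suite)
            if any(frag in name for frag in UNWANTED)]


def removed_by_3des_exclusion():
    """Return the suites that adding `!3DES` drops on this OpenSSL build.

    The list is empty on builds where 3DES is already compiled out or
    excluded by the default security level; that is a property of the
    local library, not an error.
    """
    before = set(enabled_ciphers(OLD_SUITE))
    after = set(enabled_ciphers(NEW_SUITE))
    return sorted(before - after)


if __name__ == "__main__":
    print("OpenSSL in use:", ssl.OPENSSL_VERSION)
    print("old string enables %d suites, unwanted: %s"
          % (len(enabled_ciphers(OLD_SUITE)), weak_suites(OLD_SUITE) or "none"))
    print("new string enables %d suites, unwanted: %s"
          % (len(enabled_ciphers(NEW_SUITE)), weak_suites(NEW_SUITE) or "none"))
    print("suites removed by !3DES:", removed_by_3des_exclusion() or "none")
```

Run it on the host that will serve the config: an empty "removed" list means the local OpenSSL never offered 3DES under HIGH:MEDIUM in the first place (the "same net effect" the log message describes for 1.1.0), while a non-empty list is exactly the set of suites an IE8-on-XP client would have needed.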