Package: release.debian.org User: [email protected] Usertags: pu Severity: normal
Hi, I would like to see apache in stable support ECDHE. This was added somewhere in a 2.3 version and so only part of a stable release in 2.4. The reason I want to see is ECDHE is that we want (Perfect) Forward Secrecy (PFS). Apache supports with with DHE, but DHE has some problems: - It's much slower than an RSA key exchange. ECDHE on the other had is much faster than DHE. - apache 2.2 only supports 1024 bit DH keys. It might be configurable in later versions. We really want to see 2048 bit DH keys. The number of 1024 bit certificates itself has already been reduced to about 1.5%, so the DH key then becomes the weakest point in chain. However many of the client can't handle keys that are larger than 1024. With ECDHE a 256 bit key would be enough and all clients I know about that support ECDHE support at least 256 bits. ECDHE also has a known broken implementation. OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers. Stats from mozilla show that about 8.4% of the ciphers the browser negiotates since the put ECDHE on top of their prefered list is using ECDHE-ECDSA. They see about 23.5% with ECDHE support. This at least gives the impression that about 35% of the sites would want to use ECDHE-ECDSA, but it might also be a few sites that have lots of traffic. (The rest would use ECDHE_RSA.) I have no better stats for this, but it's clearly something we need to take into account. OpenSSL has added support to try and detect this broken version and avoid selecting the ECDHE-ECDSA in that case, but that detection is currently not in wheezy, but it did just make it to jessie. Adding ECDHE support in apache will probably require backporting the patches for that. I'm not sure how much work that is going to be and wether someone like redhat might have already done that. Before I put more time in this, I would like to known if you will consider such a change in a stable release update. Kurt -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
