On 12/09/2014 09:14 PM, Joe Gooch wrote:
stage_for_upstream/v2.7f has been created on github.
https://github.com/goochjj/pound/tree/stage_for_upstream/v2.7f
https://github.com/goochjj/pound/archive/stage_for_upstream/v2.7f.zip
I feel there's a strong case to add the = and - characters back to
safe_url handling in http.c. (redirect_reply) It's here:
Pretty:
https://github.com/goochjj/pound/commit/a2863b0248d4809771be54518ec6a8a6ebc9db8b
Raw:
https://github.com/goochjj/pound/commit/a2863b0248d4809771be54518ec6a8a6ebc9db8b.patch
And I say "add back" because 2.6 allowed these characters, while 2.7
does not. We've had multiple requests related to this. (github +
mailing list)
Personally, I like all the changes in my branch and I think they should
all be considered. We've had mailing list issues requesting IncludeDir,
ThreadModel, CertDir, and OrURLs, all of which people are using but
don't exist in the official 2.7 branch. But if nothing else, the patch
above should be added.
Also, given the DH implementation in pound official 2.7e (Looks like
2048 bit was added)... Could someone please test this against ssllabs?
I implemented my DH patch the way I did because it seemed like no matter
what I threw at pound, the dh_tmp_callback never returns a bits value
1024. That's why I skipped the callback entirely when I implemented it
in pcidss/v2.6 and the stage_for_upstream branches. SSL labs was still
showing 1024bit, even when I made 2048bit keys available.

You are right, 2048 DH is never used because openssl calls
DH_tmp_callback() only with keylength 512 or 1024...
Regards, Adam
--
Adam Tkac, GoodData, s.r.o.
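The practical consequence of the exchange above is that a server which picks its ephemeral DH group inside the tmp-DH callback, trusting the keylength hint OpenSSL passes in, keeps serving a 1024-bit group even when 2048-bit parameters have been generated; the parameters have to be installed directly (or the callback has to ignore the hint) before a scanner reports 2048 bits. The check Joe asks for can be run locally against any server with openssl s_client, whose "Server Temp Key" line (OpenSSL 1.0.2 and later) reports the negotiated group size. The script below is an added example and not part of pound or of this thread; the host and port arguments and the sample output strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not pound's code): report the ephemeral DH group size a TLS
# server actually negotiates, which is what ssllabs shows as the DH strength.
# Relies on the "Server Temp Key: DH, N bits" line printed by
# `openssl s_client` (OpenSSL 1.0.2 and later) after a DHE handshake.

# Minimum acceptable finite-field DH group size in bits.
MIN_DH_BITS=2048

# dh_bits_from_output: read s_client output on stdin and print the DH group
# size in bits, or 0 if no finite-field DH exchange was negotiated
# (e.g. the server chose ECDHE or plain RSA key exchange instead).
dh_bits_from_output() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' \
        | head -n 1 | grep . || echo 0
}

# dh_policy BITS: succeed (exit 0) when BITS meets MIN_DH_BITS, fail otherwise.
dh_policy() {
    [ "$1" -ge "$MIN_DH_BITS" ]
}

# check_server HOST [PORT]: connect offering only DHE cipher suites over
# TLS 1.2 so that, if the handshake succeeds at all, it must use finite-field
# DH; then print and evaluate the group size. HOST/PORT are the caller's.
check_server() {
    host=$1
    port=${2:-443}
    bits=$(openssl s_client -connect "$host:$port" -servername "$host" \
               -tls1_2 -cipher 'DHE' </dev/null 2>/dev/null \
           | dh_bits_from_output)
    echo "$host:$port negotiated DH group: $bits bits (minimum $MIN_DH_BITS)"
    dh_policy "$bits"
}

# Constructed, abridged samples of what s_client prints. The first mimics a
# server still handing out the 1024-bit group the thread describes; the second
# a server that installed 2048-bit parameters directly.
SAMPLE_1024='---
SSL handshake has read 1905 bytes and written 468 bytes
Server Temp Key: DH, 1024 bits
---'
SAMPLE_2048='---
Server Temp Key: DH, 2048 bits
---'

# Usage: ./dhcheck.sh HOST [PORT]
if [ -n "${1:-}" ]; then
    check_server "$1" "${2:-443}"
fi
```

A server that only ever reaches `dh_policy` with 1024 is behaving exactly as Adam describes: the callback was consulted with a 1024-bit hint and returned a matching group. After switching to parameters set on the context directly, rerunning the same check should print 2048.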