On Tue, May 5, 2015 at 3:14 PM, Yann Ylavic ylavic@gmail.com wrote:
*) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
allowing custom parameters to be configured via SSLCertificateFile,
and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
Please note that the prime constants in modules/ssl/ssl_engine_dh.c
are from openssl/crypto/bn/bn_const.c.
FWIW, attached is a (stripped) diff between the two files that shows
constants are the same...
On Tue, May 5, 2015 at 7:12 PM, Yann Ylavic ylavic@gmail.com wrote:
Possible backport patch attached.
On Tue, May 5, 2015 at 3:14 PM, Yann Ylavic ylavic@gmail.com wrote:
I'd like to propose those 2.4.x CHANGES (r1542327+r1569005+r1542327)
for backport to 2.2.x (in reverse order):
*) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
On Tue, May 5, 2015 at 3:06 PM, Hanno Böck ha...@hboeck.de wrote:
I haven't used apache 2.2, but isn't OCSP stapling support still
missing there?
I think if you're already working on backporting important TLS features
that should certainly go with them.
My own line for 2.2 would be drawn
I haven't used apache 2.2, but isn't OCSP stapling support still
missing there?
I think if you're already working on backporting important TLS features
that should certainly go with them.
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42