Re: SSL and Usability and Safety

2017-05-04 Thread Stefan Eissing
> On 03.05.2017 at 15:46, Issac Goldstand wrote: > > On 5/3/2017 4:28 PM, Stefan Eissing wrote: >> >>> On 03.05.2017 at 15:22, Dirk-Willem van Gulik wrote: >>> On 3 May 2017, at 15:14, Issac Goldstand wrote:

Re: SSL and Usability and Safety

2017-05-03 Thread Issac Goldstand
On 5/3/2017 4:28 PM, Stefan Eissing wrote: > >> On 03.05.2017 at 15:22, Dirk-Willem van Gulik wrote: >> >>> >>> On 3 May 2017, at 15:14, Issac Goldstand wrote: >>> >>> On 5/3/2017 3:59 PM, Dirk-Willem van Gulik wrote: > On 3 May 2017, at

Re: SSL and Usability and Safety

2017-05-03 Thread Issac Goldstand
On 5/3/2017 4:22 PM, Dirk-Willem van Gulik wrote: > >> On 3 May 2017, at 15:14, Issac Goldstand wrote: >> >> On 5/3/2017 3:59 PM, Dirk-Willem van Gulik wrote: >>> On 3 May 2017, at 14:53, Issac Goldstand > wrote:

Re: SSL and Usability and Safety

2017-05-03 Thread Stefan Eissing
> On 03.05.2017 at 15:22, Dirk-Willem van Gulik wrote: > >> >> On 3 May 2017, at 15:14, Issac Goldstand wrote: >> >> On 5/3/2017 3:59 PM, Dirk-Willem van Gulik wrote: >>> On 3 May 2017, at 14:53, Issac Goldstand

Re: SSL and Usability and Safety

2017-05-03 Thread Dirk-Willem van Gulik
> On 3 May 2017, at 15:14, Issac Goldstand wrote: > > On 5/3/2017 3:59 PM, Dirk-Willem van Gulik wrote: >> >>> On 3 May 2017, at 14:53, Issac Goldstand >> > wrote: >>> >>> On 5/3/2017 12:46 PM, Dirk-Willem van Gulik

Re: SSL and Usability and Safety

2017-05-03 Thread Issac Goldstand
On 5/3/2017 3:59 PM, Dirk-Willem van Gulik wrote: > >> On 3 May 2017, at 14:53, Issac Goldstand > > wrote: >> >> On 5/3/2017 12:46 PM, Dirk-Willem van Gulik wrote: >>> On 3 May 2017, at 10:03, Issac Goldstand >>

Re: SSL and Usability and Safety

2017-05-03 Thread Dirk-Willem van Gulik
> On 3 May 2017, at 14:53, Issac Goldstand wrote: > > On 5/3/2017 12:46 PM, Dirk-Willem van Gulik wrote: >> On 3 May 2017, at 10:03, Issac Goldstand wrote: >>> >>> +1 on the idea >>> >>> So far I'm -0 about all of the proposed implementations for 2

Re: SSL and Usability and Safety

2017-05-03 Thread Issac Goldstand
On 5/3/2017 12:46 PM, Dirk-Willem van Gulik wrote: > On 3 May 2017, at 10:03, Issac Goldstand wrote: >> >> +1 on the idea >> >> So far I'm -0 about all of the proposed implementations for 2 reasons: >> >> 1) Mr and Mrs normal (who are our primary customers in the original

Re: SSL and Usability and Safety

2017-05-03 Thread Stefan Eissing
I try to summarise the many replies (and thanks for the interest!), to sketch out a possible path forward. 1. Overall -- Replies in general have been very positive. wr...@rowe-clan.net: "I like the proposal." rainer.j...@kippdata.de: "I like the idea."

Re: SSL and Usability and Safety

2017-05-03 Thread Dirk-Willem van Gulik
On 3 May 2017, at 10:03, Issac Goldstand wrote: > > +1 on the idea > > So far I'm -0 about all of the proposed implementations for 2 reasons: > > 1) Mr and Mrs normal (who are our primary customers in the original > proposal) usually download Apache from their distro or

Re: SSL and Usability and Safety

2017-05-03 Thread Ben Laurie
On 3 May 2017 at 09:03, Issac Goldstand wrote: > What would work, in my eyes, if people are open to it, is treating the > contents of these definitions/macros (and I'm all for the macros, just > so that interested sysadmins can see *exactly* what the settings are on > their

Re: SSL and Usability and Safety

2017-05-03 Thread Issac Goldstand
nfuse line numbers in error messages. > -- > Daniel Ruggeri > > > *From:* Jacob Champion <champio...@gmail.com> > *Sent:* May 2, 2017 5:48:34 PM CDT > *To:* dev@httpd.apache.org > *Subject:* Re:

Re: SSL and Usability and Safety

2017-05-03 Thread Luca Toscano
2017-05-03 2:29 GMT+02:00 Graham Leggett : > On 02 May 2017, at 3:19 PM, Stefan Eissing > wrote: > > How can we help Mr and Ms Normal to stay up to date on these things? > > - We cannot rewrite their config unasked. We need to be backward >

Re: SSL and Usability and Safety

2017-05-02 Thread Daniel Ruggeri
in error messages. -- Daniel Ruggeri Original Message From: Jacob Champion <champio...@gmail.com> Sent: May 2, 2017 5:48:34 PM CDT To: dev@httpd.apache.org Subject: Re: SSL and Usability and Safety On 05/02/2017 02:10 PM, Eric Covener wrote: > I think to be useful, r

Re: SSL and Usability and Safety

2017-05-02 Thread Eric Covener
On Tue, May 2, 2017 at 8:29 PM, Graham Leggett wrote: > > This makes a lot of sense, and there is a lot of precedent for this. > > AWS load balancers take an “intent” policy string based on a date, with the > option of a “default” value: > >

Re: SSL and Usability and Safety

2017-05-02 Thread Graham Leggett
On 02 May 2017, at 3:19 PM, Stefan Eissing wrote: > How can we help Mr and Ms Normal to stay up to date on these things? > > - We cannot rewrite their config unasked. We need to be backward compatible. > - Our defaults nowadays are dangerously unsafe, so users MUST

Re: SSL and Usability and Safety

2017-05-02 Thread Jacob Champion
On 05/02/2017 02:10 PM, Eric Covener wrote: I think to be useful, reasonable SSL defaults have to be subject to change in maintenance (and over-rideable) So... this got me thinking. If we put this new "stuff" (whatever it turns out to be) into a new directive, - part of its operation gets

Re: SSL and Usability and Safety

2017-05-02 Thread Jacob Champion
On 05/02/2017 02:01 PM, Helmut K. C. Tessarek wrote: I'm not sure, how much perf difference there is between A, B, and C, but SSL by itself has quite an impact (For the record, our bucket brigade implementation is currently hamstringing our TLS static file performance, and on top of that

Re: SSL and Usability and Safety

2017-05-02 Thread Eric Covener
On Tue, May 2, 2017 at 4:42 PM, Daniel wrote: > ould these changes/choices be permanent after different releases of httpd? > If not, what if httpd "choices" settings as commented at the beginning of > this thread screw the need for a very important client with java 1.crap >

Re: SSL and Usability and Safety

2017-05-02 Thread Helmut K. C. Tessarek
On 2017-05-02 09:19, Stefan Eissing wrote: > A. "I want my site safe and usable with modern browsers!" > B. "I want a safe setting, but people with slightly out-dated clients should > be served as well." > C. "I sadly need compatibility to some very old clients." It would be great to explain the

Re: SSL and Usability and Safety

2017-05-02 Thread Daniel
Hello, Sorry for the intrusion since I'm no dev. I am a bit concerned about the implications something like this may bring to you guys, let me explain. OpenSSL aliases were made for something like that (HIGH MEDIUM LOW). Although we all may agree aliases are not great, with a little tweaking

Re: SSL and Usability and Safety

2017-05-02 Thread Jacob Champion
On 05/02/2017 11:48 AM, William A Rowe Jr wrote: Are you referring to mod_ssl or a number of modules? If we find such things, 2.next is our chance to correct any and all unexpected merge behaviors. A number of them, but it's less "there are bugs" and more "every directive/module does its own

Re: SSL and Usability and Safety

2017-05-02 Thread William A Rowe Jr
On May 2, 2017 12:57 PM, "Jacob Champion" wrote: On 05/02/2017 10:32 AM, Ruediger Pluem wrote: > c) would be the best, but a) IMHO would be acceptable since overwriting is > for the more advanced users anyway and they > can be told to do stuff in the correct order. > +1

Re: SSL and Usability and Safety

2017-05-02 Thread Jacob Champion
On 05/02/2017 10:32 AM, Ruediger Pluem wrote: c) would be the best, but a) IMHO would be acceptable since overwriting is for the more advanced users anyway and they can be told to do stuff in the correct order. +1 to both points. (Our conflict-merging logic in the configuration is not very

Re: SSL and Usability and Safety

2017-05-02 Thread Jacob Champion
On 05/02/2017 06:19 AM, Stefan Eissing wrote: I advocate that we need (yet another!) SSL directive where administrators can declare their *intent*. A. "I want my site safe and usable with modern browsers!" B. "I want a safe setting, but people with slightly out-dated clients should be served

Re: SSL and Usability and Safety

2017-05-02 Thread Ruediger Pluem
On 05/02/2017 07:28 PM, Rainer Jung wrote: > On 02.05.2017 at 15:19, Stefan Eissing wrote: > > Since we then have possibly conflicting config settings (your new "intent" > config directive and existing detailed config > directives) we need to make sure, how merging (conflict resolution) is

Re: SSL and Usability and Safety

2017-05-02 Thread Rainer Jung
On 02.05.2017 at 15:19, Stefan Eissing wrote: With 71 configuration directives, mod_ssl can manage probably every user's needs, but two: Mr and Ms Normal. Ms and Mr Normal have a basic understanding about SSL, sorry TLS, and what a cipher is, but HonorCipherOrder is already a bit much and on

Re: SSL and Usability and Safety

2017-05-02 Thread William A Rowe Jr
On Tue, May 2, 2017 at 11:14 AM, William A Rowe Jr wrote: > > Any other client is no longer interoperable with any popular site, following > final changes by issues in Dec '16. by *certificate issuers*. E.g. all MD5 and SHA1 hashed certs are now expired, there is no longer

Re: SSL and Usability and Safety

2017-05-02 Thread William A Rowe Jr
I like the proposal. However I see no need for the 'C' category, and disagree about changing defaults during any future 2.next bump. HonorCipherOrder, as an example, must be inverted. Users requiring 'C' can override things to make that happen. I see two 'quick start' one-line configs,

SSL and Usability and Safety

2017-05-02 Thread Stefan Eissing
With 71 configuration directives, mod_ssl can manage probably every user's needs, but two: Mr and Ms Normal. Ms and Mr Normal have a basic understanding about SSL, sorry TLS, and what a cipher is, but HonorCipherOrder is already a bit much and on OCSP stapling, the mind becomes a little bit