Hi Apache folks--
Just a heads-up to let you know that i've requested a CVE for
mod_fcgid's 2.3.6 (the current release) due to possible DoS based on the
module not respecting administrator-configured limits:
http://www.openwall.com/lists/oss-security/2012/03/15/10
The issue is fixed in
Hi apache folks--
In http://bugs.debian.org/732450, debian is preparing to
cryptographically verify OpenPGP signatures on apache upstream tarballs.
As part of the discussion, it's become clear that some of the keys in
https://www.apache.org/dist/httpd/KEYS are weak by any modern
consideration of
On 12/26/2013 06:18 PM, Nick Kew wrote:
You're ahead of us. Individual Apache folks like Jim have taken
responsibility and moved to 4096-bit keys, but we haven't as a
community had the discussion that might lead to pruning KEYS.
My inclination is to say NO to requiring anyone to remove old
On 12/31/2013 01:19 PM, Graham Leggett wrote:
It is also a statement of what keys have historically been used to sign past
artifacts, and that is just as important.
These are distinct things, though. It would be great if the apache
project could separately identify which keys are going to be
On 02/06/2014 12:35 AM, Kaspar Brand wrote:
On 05.02.2014 18:13, Falco Schwarz wrote:
Kaspar, I ran into another issue when using an encrypted private key and
SSLOpenSSLConfCmd PrivateKey.
Again it fails to load the encrypted private key with the following errors:
That's by design, see
On 02/05/2014 02:44 AM, Kaspar Brand wrote:
On 05.02.2014 08:25, Brian Smith wrote:
It would be possible for a server to fetch and staple the OCSP
response only using the information from the server's end-entity
certificate.
Actually no - you can't properly fill in the CertID for the
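Added example, not code from the thread or from mod_ssl: which CertID fields (RFC 6960, section 4.1.1) an OCSP requester can derive from the end-entity certificate alone. issuerNameHash and serialNumber come straight from the EE certificate, but issuerKeyHash is a hash of the issuer's public key, which only the issuer certificate carries. The DER helpers, the fake issuer DN, serial and SubjectPublicKeyInfo are constructed here for illustration and are not real certificate material.

```python
"""Which OCSP CertID fields can be filled in from the EE certificate alone.

RFC 6960, section 4.1.1:
    CertID ::= SEQUENCE {
        hashAlgorithm   AlgorithmIdentifier,
        issuerNameHash  OCTET STRING,   -- hash of the issuer's DN
        issuerKeyHash   OCTET STRING,   -- hash of the issuer's public key
        serialNumber    CertificateSerialNumber }
"""
import hashlib


def _tlv(tag, value):
    """Minimal DER TLV encoder, used only to build the constructed sample."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _read_tlv(buf, pos):
    """Minimal DER TLV reader: returns (tag, value, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def spki_key_bits(spki_der):
    """Return the subjectPublicKey value from a DER SubjectPublicKeyInfo.

    issuerKeyHash is computed over the BIT STRING contents only (tag, length
    and the unused-bits octet excluded), not over the whole SPKI.
    """
    tag, body, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _algorithm, pos = _read_tlv(body, 0)      # AlgorithmIdentifier, skipped
    tag, bits, _ = _read_tlv(body, pos)
    if tag != 0x03:
        raise ValueError("subjectPublicKey must be a BIT STRING")
    return bits[1:]                               # drop the unused-bits octet


def issuer_name_hash(ee_issuer_name_der):
    # Available from the EE cert: its issuer field is the issuer DN as DER.
    return hashlib.sha1(ee_issuer_name_der).digest()


def issuer_key_hash(issuer_key_bits):
    # Needs the issuer's own certificate; the EE cert does not carry this key.
    return hashlib.sha1(issuer_key_bits).digest()


def build_certid(ee_issuer_name_der, ee_serial, issuer_spki_der=None):
    """Assemble a CertID; fails when only the EE certificate is available."""
    if issuer_spki_der is None:
        raise ValueError("issuerKeyHash requires the issuer certificate's "
                         "SubjectPublicKeyInfo")
    return {
        "hashAlgorithm": "sha1",
        "issuerNameHash": issuer_name_hash(ee_issuer_name_der),
        "issuerKeyHash": issuer_key_hash(spki_key_bits(issuer_spki_der)),
        "serialNumber": ee_serial,
    }


# Constructed sample data (not real certificates): a fake issuer DN with one
# commonName, a fake serial, and a dummy rsaEncryption SPKI wrapping 256
# arbitrary bytes in place of a real key.
EE_ISSUER_NAME_DER = _tlv(0x30, _tlv(0x31, _tlv(0x30,
    _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, b"Example Issuing CA"))))
EE_SERIAL = 0x0A1B2C3D
ISSUER_KEY_BITS = bytes(range(256))
ISSUER_SPKI_DER = _tlv(0x30,
    _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))
    + _tlv(0x03, b"\x00" + ISSUER_KEY_BITS))

if __name__ == "__main__":
    try:
        build_certid(EE_ISSUER_NAME_DER, EE_SERIAL)
    except ValueError as e:
        print("EE certificate only:", e)
    print(build_certid(EE_ISSUER_NAME_DER, EE_SERIAL, ISSUER_SPKI_DER))
```

The first call shows the failure mode the message is about: without the issuer certificate there is nothing to hash into issuerKeyHash, so a stapler cannot form a correct request from the server certificate alone.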
Hi, i'm trying to revive mod_gnutls and bring it up to date with current
apache module practices, and i'd like to use apache 2.4's mod_auth
framework for user authentication via client-side certificates. i'm
limiting the scope of this question to authentication because i do not
have a good use
On 02/18/2014 08:14 AM, Pavel Matěja wrote:
There is one big risk when someone uses reverse HTTPS proxy with ServerAlias.
Let say you have on both - backend and proxy servers options:
ServerName www.example.com
ServerAlias example.com
In old non-SNI days everything was working just fine.
On 03/26/2014 07:11 AM, Emilia Kasper wrote:
The patch fixes a) by sanity-checking the chain and chopping self-signed
roots. I believe it's harmless to turn on by default as the rebuild step
will either yield a valid chain or preserve the original configuration.
I like this suggestion. with a
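Added example, not the patch under discussion and not mod_ssl code: the "rebuild or keep the original configuration" rule for a configured chain, modelled on names only. The Cert class, the self_signed() stand-in (subject equals issuer, where a real implementation verifies the signature) and the sample PKI are constructed for illustration.

```python
"""Rebuild a configured certificate chain, chopping the self-signed root,
or fall back to the administrator's configuration when the rebuild fails."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    def self_signed(self):
        # Stand-in: a real check verifies the signature with the cert's own key.
        return self.subject == self.issuer


def rebuild_chain(leaf, configured, trusted_roots):
    """Return (intermediates_to_send, rebuilt).

    Walk issuer links from the leaf through the configured certificates until
    a trusted root is reached; the root itself is never sent. If a link is
    missing, ends at an untrusted self-signed certificate, or loops, give up
    and hand back the configured list unchanged.
    """
    roots = {r.subject for r in trusted_roots}
    by_subject = {c.subject: c for c in configured}
    chain, seen, cur = [], {leaf.subject}, leaf
    while cur.issuer not in roots:
        nxt = by_subject.get(cur.issuer)
        if nxt is None or nxt.subject in seen:
            return list(configured), False
        chain.append(nxt)
        seen.add(nxt.subject)
        cur = nxt
    return chain, True


# Constructed sample PKI (names only, no real certificates).
ROOT = Cert("Example Root CA", "Example Root CA")
INTER = Cert("Example Issuing CA", "Example Root CA")
LEAF = Cert("www.example.com", "Example Issuing CA")

if __name__ == "__main__":
    # Root configured first and included: reordered, root chopped.
    print(rebuild_chain(LEAF, [ROOT, INTER], [ROOT]))
    # Intermediate missing: rebuild fails, configuration preserved.
    print(rebuild_chain(LEAF, [ROOT], [ROOT]))
    # Root not trusted: the walk loops on the self-signed cert and gives up.
    print(rebuild_chain(LEAF, [INTER, ROOT], []))
```

Keying the lookup on subject alone is the simplification here: a cross-signed intermediate (the case raised later in the thread) has two candidate certificates with the same subject, so a real rebuild must key on subject plus key identifier and may have to try both paths.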
On 03/26/2014 11:29 AM, Emilia Kasper wrote:
Cross-signing happens all the time but afaik the other way around, i.e., an
intermediate Y' corresponding to a _newer_ root cert Y is cross-signed by
some _older_ root cert Z. So an old client would usually know only Z and a
newer client would know
On 03/27/2014 09:27 AM, Emilia Kasper wrote:
HPKP can never work this way. Pin validation is always done on top of
normal TLS validation and can only invalidate an otherwise valid connection
and never the other way around. Otherwise I could trivially hijack
connections by pinning sites to a
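Added example, not from the thread: pin validation layered strictly on top of ordinary chain validation, together with a parser for the Public-Key-Pins header of RFC 7469 (which goes a little beyond the message, which only states the layering rule). The sample SPKIs are arbitrary constructed byte strings standing in for DER SubjectPublicKeyInfo, and the backup-pin rule is my reading of RFC 7469.

```python
"""HPKP: pins can only reject an otherwise valid connection, never rescue an
invalid one. Pins are base64(SHA-256(DER SubjectPublicKeyInfo))."""
import base64
import hashlib


def spki_pin(spki_der):
    """Compute the pin-sha256 value for one SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pins_header(value):
    """Return (pins, max_age, include_subdomains) from a Public-Key-Pins value.

    Directive names are matched case-insensitively; unknown directives are
    ignored, as the RFC requires.
    """
    pins, max_age, include_sub = set(), None, False
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.add(val)
        elif name == "max-age":
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return pins, max_age, include_sub


def header_acceptable(pins, chain_spkis):
    """A UA notes a pinned host only if at least one pin matches the validated
    chain and at least one does not (the backup pin, RFC 7469 section 2.5)."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return bool(pins & chain_pins) and bool(pins - chain_pins)


def validate_connection(chain_valid, chain_spkis, pins):
    """Path validation runs first and its failure is final; pins are checked
    only on a chain that already validated, and can only reject it."""
    if not chain_valid:
        return False
    if not pins:
        return True                # not a pinned host: plain TLS result stands
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return bool(chain_pins & pins)


# Constructed sample SPKIs (arbitrary bytes standing in for DER SPKIs).
LEAF_SPKI = b"constructed-leaf-spki"
INTER_SPKI = b"constructed-intermediate-spki"
BACKUP_SPKI = b"constructed-offline-backup-key"
ATTACKER_SPKI = b"constructed-attacker-spki"
CHAIN = [LEAF_SPKI, INTER_SPKI]

HEADER = (f'pin-sha256="{spki_pin(INTER_SPKI)}"; '
          f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
          'max-age=5184000; includeSubDomains')

if __name__ == "__main__":
    pins, max_age, sub = parse_pins_header(HEADER)
    print("header acceptable:", header_acceptable(pins, CHAIN))
    print("valid chain, pinned key:", validate_connection(True, CHAIN, pins))
    print("invalid chain, pinned key:", validate_connection(False, CHAIN, pins))
    # The hijack the message warns about: pinning cannot turn an invalid
    # attacker chain into a valid one, whatever the pin set says.
    print("invalid attacker chain, attacker pin:",
          validate_connection(False, [ATTACKER_SPKI], {spki_pin(ATTACKER_SPKI)}))
```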
On 03/27/2014 12:37 PM, Rob Stradling wrote:
On 26/03/14 16:46, Daniel Kahn Gillmor wrote:
snip
it doesn't even need to fetch the certificate itself, it could just make
the big noisy error log say you should fetch the cert from AIAURL and
append it to SSLCertificateChainFile
AIAURL
On Sun 2014-02-09 02:15:37 -0500, Kaspar Brand wrote:
On 07.02.2014 01:58, Daniel Kahn Gillmor wrote:
As part of the goal of dropping encrypted private key support, have you
considered using an agent-based framework for private keys?
I haven't, no, since an important aspect of that goal
On 04/14/2014 07:08 AM, Jeff Trawick wrote:
(not to say there aren't complications, like trying to keep system
directories out of rpath)
I think that you're asking for mod_ssl to add an openssl-specific
directory to its rpath.
in general, i would discourage this; at the least, it needs to be
On 04/18/2014 08:34 AM, Falco Schwarz wrote:
As of httpd-2.4.7 the strength of DH temp keys is determined by the private
key's bit length. I recently noticed the following behavior (using
httpd-2.4.9 and openssl-1.0.2-beta2-dev):
I am using multiple certificates for one VHost (ECC and RSA):
On 04/22/2014 08:57 AM, Ligade, Shailesh [USA] wrote:
I think by default, the certificate hint list asks for client authentication
certificates. Is there any configuration option to ask for different types of
certificates? e.g. signing or encryption certificates?
In TLS, the client's secret
On 08/05/2014 06:24 PM, Simo Sorce wrote:
I have been working for a little while on making it possible to use
channel bindings within an Apache server.
In order to do that some support to extract information form the TLS
layer is necessary in the server.
This is great idea, but be aware that
On 08/05/2014 09:06 PM, Simo Sorce wrote:
Yeah I know it is broken, does it mean you want to have it disabled and
return an error if requested until a fixed openssl library/call is
available ?
Not only did i not have a concrete proposal, I don't have any particular
say in the matter -- i'm not
On Tue 2015-06-09 13:43:59 -0400, Roy T. Fielding wrote:
WRT renegotiation, it is fair to say that the WG punted on the idea
due to lack of time. If someone figures out a way to safely
renegotiate an h2 connection (and all of its streams), then go ahead
and implement it, describe it in an
19 matches