author | Kaspar Brand <kbrand@apache.org> | 2013-09-25 14:52:35 +0200 |
---|---|---|
committer | Kaspar Brand <kbrand@apache.org> | 2013-09-25 14:52:35 +0200 |
commit | a6a324f9bb472a3bed200366b6ac9afbcfd803f3 (patch) | |
tree | 94b087c867e1df1530159947ac25f424f330eb65 /CHANGES | |
parent | Suppress formatting of startup messages written to the console when (diff) | |
Streamline ephemeral key handling:

- drop support for ephemeral RSA keys (only allowed/needed
  for export ciphers)
- drop pTmpKeys from the per-process SSLModConfigRec, and remove
  the temp key generation at startup (unnecessary for DHE/ECDHE)
- unconditionally disable null and export-grade ciphers by always
  prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string
- do not configure per-connection SSL_tmp_*_callbacks, as it is
  sufficient to set them for the SSL_CTX
- set default curve for ECDHE at startup, obviating the need
  for a per-handshake callback, for the time being (and also
  configure SSL_OP_SINGLE_ECDH_USE, previously left out)

For additional background, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1526168 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to '')
-rw-r--r-- | CHANGES | 4 |
1 files changed, 4 insertions, 0 deletions
@@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA + keys, and unconditionally disable aNULL, eNULL and EXP ciphers + (not overridable via SSLCipherSuite). [Kaspar Brand] + *) Suppress formatting of startup messages written to the console when ErrorLogFormat is used. [Jeff Trawick] |
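Review bot: the new mod_ssl entry at the top of the 2.5.0 list documents only the cipher restrictions, but the commit message also lists SSL_OP_SINGLE_ECDH_USE being newly configured and the default ECDHE curve now being set at startup, both of which change handshake behaviour and deserve a line in CHANGES. The parenthetical "(not overridable via SSLCipherSuite)" would also be clearer if it stated the mechanism given in the commit message, that "!aNULL:!eNULL:!EXP:" is prepended to any configured cipher suite string, so an operator auditing an existing SSLCipherSuite value knows it is silently modified rather than rejected. Finally, "export-grade ciphers with ephemeral RSA keys" can be read as covering only that subset of EXP suites; splitting it into "drop support for ephemeral RSA keys" and "disable aNULL, eNULL and EXP ciphers" would match the commit message.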