Posted to dev@httpd.apache.org by Reindl Harald <h....@thelounge.net> on 2013/11/20 00:12:31 UTC

Re: [VOTE] Release Apache httpd 2.4.7 as GA

On 19.11.2013 18:45, Jim Jagielski wrote:
> The pre-release test tarballs for Apache httpd 2.4.7 can be found
> at the usual place:
> 
> http://httpd.apache.org/dev/dist/
> 
> I'm calling a VOTE on releasing these as Apache httpd 2.4.7 GA.
> 
> [ ] +1: Good to go
> [ ] +0: meh
> [ ] -1: Danger Will Robinson. And why.
> 
> Vote will last the normal 72 hrs.
> 
> NOTE: The *-deps are only there for convenience

https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
still not included and patches for 2.4.6 flying around no longer matching

[root@srv-rhsoft:~]$ apachectl -t
AH00526: Syntax error on line 20 of /etc/httpd/conf/httpd-ssl.conf:
Invalid command 'SSLDHParametersFile', perhaps misspelled or defined...............

because the original patch is more than a year old and https://www.ssllabs.com/ssltest/
gives you 5 additional points for a 2048 bit DHE key -1 from me


Re: [VOTE] Release Apache httpd 2.4.7 as GA

Posted by Reindl Harald <h....@thelounge.net>.
+1

sorry for the noise, the default seems to be changed to 2048

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS   128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS   128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)      DH 2048 bits (p: 256, g: 1, Ys: 256)   FS   128

indeed i missed:
DH parameter interoperability with primes > 1024 bit
Beginning with version 2.4.7, mod_ssl makes use of standardized DH parameters with prime lengths of 2048, 3072 and
4096 bits (from RFC 3526), and hands them out to clients based on the length of the certificate's RSA/DSA key. With
Java-based clients in particular (Java 7 or earlier), this may lead to handshake failures - see this FAQ answer for
working around such issues.

On 20.11.2013 00:12, Reindl Harald wrote:
> 
> On 19.11.2013 18:45, Jim Jagielski wrote:
>> The pre-release test tarballs for Apache httpd 2.4.7 can be found
>> at the usual place:
>>
>> http://httpd.apache.org/dev/dist/
>>
>> I'm calling a VOTE on releasing these as Apache httpd 2.4.7 GA.
>>
>> [ ] +1: Good to go
>> [ ] +0: meh
>> [ ] -1: Danger Will Robinson. And why.
>>
>> Vote will last the normal 72 hrs.
>>
>> NOTE: The *-deps are only there for convenience
> 
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
> still not included and patches for 2.4.6 flying around no longer matching
> 
> [root@srv-rhsoft:~]$ apachectl -t
> AH00526: Syntax error on line 20 of /etc/httpd/conf/httpd-ssl.conf:
> Invalid command 'SSLDHParametersFile', perhaps misspelled or defined...............
> 
> because the original patch is more than a year old and https://www.ssllabs.com/ssltest/
> gives you 5 additional points for a 2048 bit DHE key -1 from me
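
Added example, not part of the thread and not httpd or SSL Labs code: a small checker for cipher-suite rows in the layout pasted above, reporting the DH size per DHE suite and whether it falls in the "> 1024 bit" range that the quoted mod_ssl note says can break Java 7 and earlier clients. The function name, the 2048-bit policy threshold and the second and third sample rows are assumptions made for this example.

```python
import re

# Row layout as pasted in the thread:
# SUITE (0xNN)   DH <bits> bits (p: <bytes>, g: <bytes>, Ys: <bytes>)   FS   <strength>
ROW = re.compile(
    r"^(?P<suite>TLS_\w+)\s+\((?P<id>0x[0-9a-fA-F]+)\)\s+"
    r"DH\s+(?P<bits>\d+)\s+bits\s+"
    r"\(p:\s*(?P<p>\d+),\s*g:\s*(?P<g>\d+),\s*Ys:\s*(?P<ys>\d+)\)"
)

MIN_DH_BITS = 2048        # assumed policy threshold for this example
JAVA7_MAX_DH_BITS = 1024  # quoted note: primes > 1024 bit may fail with Java 7 or earlier


def audit_dhe_rows(text, min_bits=MIN_DH_BITS):
    """Return one finding dict per DHE row found in `text` (hypothetical helper)."""
    findings = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # no "DH <n> bits" column, so not a DHE row in this layout
        bits = int(m["bits"])
        findings.append({
            "suite": m["suite"],
            "dh_bits": bits,
            "weak": bits < min_bits,
            # p is reported in bytes and must agree with the stated bit length
            "consistent": int(m["p"]) * 8 == bits,
            "java7_risk": bits > JAVA7_MAX_DH_BITS,
        })
    return findings


# Constructed sample: the first row is copied from the thread; the 1024-bit row
# and the non-DHE row are made up to exercise the other branches.
SAMPLE = """\
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS   128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)      DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   128
"""

if __name__ == "__main__":
    for finding in audit_dhe_rows(SAMPLE):
        print(finding)
```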