
Bug#635271: please enable SSLEngine optional



Package: apache2
Version: 2.2.16-6+squeeze1
Severity: wishlist

Recent versions of Apache support RFC 2817, which allows HTTP software to 'upgrade' connections from non-encrypted to encrypted status; it is sometimes referred to as StartTLS for HTTP.

	http://tools.ietf.org/html/rfc2817

This is toggled by specifying "optional" on the SSLEngine directive:

	http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslengine

While currently no web browsers support it, I think this is a chicken-and-egg problem: if no web sites have it, there's no reason for web clients to have it; if no clients do, then why enable it?

If a web server is willing to serve TLS web data from port 443 (HTTPS), then there's no reason why it shouldn't also allow TLS web data on port 80.

The contents should be akin to the following:

	<IfModule mod_ssl.c>
		SSLEngine optional
		SSLCertificateFile /etc/apache2/ssl/server.crt
		SSLCertificateKeyFile /etc/apache2/ssl/server.key
	</IfModule>


A larger change (perhaps for wheezy) could be to put all certificate information into a separate area (certs.conf, certs.d/) and use an Include directive to pull things in. This would allow for only one file to be edited, and if you have multiple certs on one host (via SNI), it'd allow each one to be put in a separate file.
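To verify that a server running with SSLEngine optional actually offers the RFC 2817 upgrade on port 80, here is an added Python client probe (example code, not part of this report or of Apache): it sends the OPTIONS request with Upgrade: TLS/1.0, parses the reply, and on a 101 completes the TLS handshake on the same socket. The embedded sample reply and any host names are constructed.

```python
import socket
import ssl

# Constructed sample reply (not captured from a real server) for offline use.
SAMPLE_101 = (b"HTTP/1.1 101 Switching Protocols\r\n"
              b"Upgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n")

def build_upgrade_request(host: str) -> bytes:
    """Client request from RFC 2817 section 3.2: ask to switch this connection to TLS."""
    return (f"OPTIONS * HTTP/1.1\r\nHost: {host}\r\nUpgrade: TLS/1.0\r\n"
            "Connection: Upgrade\r\n\r\n").encode("ascii")

def parse_upgrade_response(raw: bytes) -> dict:
    """Return status, lowercased headers and whether the server agreed to upgrade:
    RFC 2817 section 3.3 needs a 101 with Upgrade: TLS/... and Connection: Upgrade."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    def tokens(name):  # comma-separated header values, normalised to lower case
        return [t.strip().lower() for t in headers.get(name, "").split(",")]
    status = int(parts[1])
    upgraded = (status == 101 and any(t.startswith("tls/") for t in tokens("upgrade"))
                and "upgrade" in tokens("connection"))
    return {"status": status, "headers": headers, "upgraded": upgraded}

def probe_upgrade(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Connect in the clear, request the upgrade and, on 101, finish the TLS
    handshake on the same socket; adds 'tls_version' (None if the server declined)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_upgrade_request(host))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
        result = parse_upgrade_response(raw)
        result["tls_version"] = None
        if result["upgraded"]:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["tls_version"] = tls.version()
    return result
```

probe_upgrade() needs network access; a server that does not offer the upgrade normally answers the OPTIONS with an ordinary 200, so the result reports upgraded False and tls_version None.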



