
Bug#635271: marked as done (please enable SSLEngine optional)



Your message dated Sun, 24 Jul 2011 19:41:26 +0200
with message-id <201107241941.26390.sf@sfritsch.de>
and subject line Re: Bug#635271: please enable SSLEngine optional
has caused the Debian Bug report #635271,
regarding please enable SSLEngine optional
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
635271: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635271
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.2.16-6+squeeze1
Severity: wishlist

Recent versions of Apache support RFC 2817, which allows HTTP software to 'upgrade' connections from non-encrypted to encrypted status; it is sometimes referred to as StartTLS for HTTP.

	http://tools.ietf.org/html/rfc2817

This is toggled by specifying "optional" on the SSLEngine directive:

	http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslengine

While currently no web browsers support it, I think this is a chicken-and-egg problem: if no web sites have it, there's no reason for web clients to have it; if no clients do, then why enable it?

If a web server is willing to serve TLS web data from port 443 (HTTPS), then there's no reason why it shouldn't also allow TLS web data on port 80.

The contents should be akin to the following:

	<IfModule mod_ssl.c>
		# "optional": answer RFC 2817 "Upgrade: TLS/1.0" on the plain-HTTP port
		SSLEngine optional
		SSLCertificateFile /etc/apache2/ssl/server.crt
		SSLCertificateKeyFile /etc/apache2/ssl/server.key
	</IfModule>


A larger change (perhaps for wheezy) could be to put all certificate information into a separate area (certs.conf, certs.d/) and use an Include directive to pull things in. This would allow for only one file to be edited, and if you have multiple certs on one host (via SNI), it'd allow each one to be put in a separate file.




--- End Message ---
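As an added example (not part of the bug report, the maintainer's reply, or Apache's own code), here is the client side of the RFC 2817 exchange that a server configured with `SSLEngine optional` would answer: the `OPTIONS * HTTP/1.1` request carrying `Upgrade: TLS/1.0` / `Connection: Upgrade`, and the three outcomes a client must tell apart (101 Switching Protocols, 426 Upgrade Required, or a plain answer). The host name `www.example.org`, the canned server replies, and the `socketpair` fake server are constructed for an offline demonstration; on a 101 the same socket is wrapped for TLS and the handshake is left to the caller.

```python
"""Client side of the RFC 2817 "Upgrade: TLS/1.0" exchange (added example)."""
import socket
import ssl
import threading
from typing import Dict, Optional, Tuple

# Constructed server replies for the offline demo (not captured from a real server).
# RESP_101 is what a server that accepts the upgrade sends (RFC 2817 section 3.3),
# RESP_426 a server that insists on TLS (section 4.2), RESP_200 a plain answer.
RESP_101 = (b"HTTP/1.1 101 Switching Protocols\r\n"
            b"Upgrade: TLS/1.0, HTTP/1.1\r\n"
            b"Connection: Upgrade\r\n\r\n")
RESP_426 = (b"HTTP/1.1 426 Upgrade Required\r\n"
            b"Upgrade: TLS/1.0, HTTP/1.1\r\n"
            b"Connection: Upgrade\r\n"
            b"Content-Length: 0\r\n\r\n")
RESP_200 = (b"HTTP/1.1 200 OK\r\n"
            b"Allow: GET, HEAD, OPTIONS\r\n"
            b"Content-Length: 0\r\n\r\n")


def build_upgrade_request(host: str) -> bytes:
    """RFC 2817 section 3.1: Upgrade is hop-by-hop, so Connection: Upgrade is mandatory."""
    return ("OPTIONS * HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Upgrade: TLS/1.0\r\n"
            "Connection: Upgrade\r\n"
            "\r\n").encode("ascii")


def parse_response_head(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, headers) with header names folded to lower case."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("malformed status line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def _tokens(value: str):
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def upgrade_decision(status: int, headers: Dict[str, str]) -> str:
    """'tls' only for a genuine switch (101 with TLS/1.0 in Upgrade and Connection: Upgrade),
    'required' for 426, and 'plain' for anything else."""
    if (status == 101
            and "tls/1.0" in _tokens(headers.get("upgrade", ""))
            and "upgrade" in _tokens(headers.get("connection", ""))):
        return "tls"
    if status == 426:
        return "required"
    return "plain"


def negotiate(sock: socket.socket, host: str,
              ctx: ssl.SSLContext) -> Tuple[str, Optional[ssl.SSLSocket]]:
    """Send the upgrade request; on 101 hand back the same socket wrapped for TLS.
    The caller runs tls.do_handshake() afterwards, which keeps this testable offline."""
    sock.sendall(build_upgrade_request(host))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before sending a response head")
        buf += chunk
    decision = upgrade_decision(*parse_response_head(buf))
    if decision == "tls":
        # RFC 2817 section 3.3: the TLS handshake now starts on this very connection.
        # server_hostname keeps certificate name checking on for the wrapped socket.
        return decision, ctx.wrap_socket(sock, server_hostname=host,
                                         do_handshake_on_connect=False)
    return decision, None


def run_over_socketpair(server_reply: bytes) -> Tuple[str, bytes]:
    """Offline demo: a fake server thread returns a canned reply; gives (decision, request seen)."""
    client, server = socket.socketpair()
    seen = {}

    def fake_server():
        seen["request"] = server.recv(4096)
        server.sendall(server_reply)
        server.close()

    t = threading.Thread(target=fake_server)
    t.start()
    tls = None
    try:
        decision, tls = negotiate(client, "www.example.org", ssl.create_default_context())
    finally:
        t.join()
        (tls or client).close()
    return decision, seen["request"]


if __name__ == "__main__":
    for name, reply in (("101", RESP_101), ("426", RESP_426), ("200", RESP_200)):
        print(name, "->", run_over_socketpair(reply)[0])
```

The decision logic is the security-relevant part: a client that quietly continues in the clear whenever the 101 does not arrive gains nothing, because anyone on the path can strip the `Upgrade` header and keep the session in plaintext, the same downgrade problem as opportunistic STARTTLS. The upgrade only adds protection when the client treats `plain` as a failure for hosts it expects to reach over TLS.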
--- Begin Message ---
On Sunday 24 July 2011, David Magda wrote:
> Recent versions of Apache support RFC 2817, which allows HTTP
> software to 'upgrade' connections from non-encrypted to encrypted
> status; it is sometimes referred to as StartTLS for HTTP.
> 
> 	http://tools.ietf.org/html/rfc2817
> 
> This is toggled by specifying "optional" on the SSLEngine
> directive:
> 
> 	http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslengine
> 
> While currently no web browsers support it, I think this is a
> chicken-and-egg problem: if no web sites have it, there's no
> reason for web clients to have it; if no clients do, then why
> enable it?

No, in this case it's not a chicken-and-egg problem. The problem is 
that the browser vendors don't want it [1] because it doesn't fit the 
way users or web apps request secure connections. And I don't think it 
would work over proxies, anyway. Therefore I don't see any value in 
enabling this in the default configuration. Closing.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=276813


--- End Message ---
