
Re: Bug#733564: pu: apache2 with ECDHE support



On Mon, Dec 30, 2013 at 01:41:31PM +0100, Cyril Brulebois wrote:
> Stefan Fritsch <sf@sfritsch.de> (2013-12-30):
> > Am Sonntag, 29. Dezember 2013, 23:58:54 schrieb Kurt Roeckx:
> > > Adding ECDHE support in apache will probably require backporting the
> > > patches for that.  I'm not sure how much work that is going to be
> > > and whether someone like redhat might have already done that.
> > 
> > I don't know how quickly upgrades are usually adopted in MacOS land,
> > but considering that 10.8.5 is out I think it would be even acceptable
> > to update apache without that openssl workaround, as long as the
> > readme contains exact instructions how to disable ECDHE in case of
> > problems. But of course having the openssl workaround would be even
> > better.
> 
> If we're going to end up adding ECDHE support, and if it isn't supported
> everywhere yet, I'm pretty sure support for it all shouldn't be enabled
> automatically upon upgrades, and that it should be enabled manually by
> admins instead, following instructions that include incompatibility
> warnings (hello, page 51 of the draft at https://bettercrypto.org/).

If you want an overview of what browsers support, you can see
that on ssllabs.  The only way I know of getting that info for
other browsers is going to a random website and then selecting the
browser.

About the only thing not supporting ECDHE is Java 6 and Internet
Explorer on Windows XP.  Internet Explorer is also the only one
that doesn't have ECDHE (or even DHE) at the top of the preferred
ciphers.

That means that all other browsers that are tracked there have
support for ECDHE and have it as most preferred cipher.

MacOS had a problem with the ECDSA version of it, which seems
surprisingly popular, but it was fixed.  But I was under the
impression that Apple didn't encourage users to upgrade when it
was fixed.  I'm not sure if that changed in the meantime.


Kurt

