
Re: Bug#733564: pu: apache2 with ECDHE support



On Monday, 30 December 2013, 15:23:17, Kurt Roeckx wrote:
> On Mon, Dec 30, 2013 at 01:41:31PM +0100, Cyril Brulebois wrote:
> > Stefan Fritsch <sf@sfritsch.de> (2013-12-30):
> > > On Sunday, 29 December 2013, 23:58:54, Kurt Roeckx wrote:
> > > > Adding ECDHE support in apache will probably require
> > > > backporting the patches for that.  I'm not sure how much work
> > > > that is going to be and whether someone like redhat might have
> > > > already done that.
> > > 
> > > I don't know how quickly upgrades are usually adopted in MacOS
> > > land, but considering that 10.8.5 is out I think it would be
> > > even acceptable to update apache without that openssl
> > > workaround, as long as the readme contains exact instructions
> > > how to disable ECDHE in case of problems. But of course having
> > > the openssl workaround would be even better.

Some statistics at http://update.omnigroup.com/ (click on minor 
versions for 10.8) give 16.1% of macosx users using 10.8.x and 1.3% 
using 10.8.x with x <= 3. Personally, I don't think we need special 
provisions for those 1.3% of macosx users, which is <= 0.1% of total 
users. But I would of course be fine with Kurt backporting the 
workaround.

> > If we're going to end up adding ECDHE support, and if it isn't
> > supported everywhere yet, I'm pretty sure support for it all
> > shouldn't be enabled automatically upon upgrades, and that it
> > should be enabled manually by admins instead, following
> > instructions that include incompatibility warnings (hello, page
> > 51 of the draft at https://bettercrypto.org/).

> If you want an overview of what browsers support, you can see
> that on ssllabs.  The only way I know of getting that info for
> other browsers is going to a random website and then selecting the
> browser.
> 
> About the only thing not supporting ECDHE is java 6 and internet
> explorer on windows XP.  Internet explorer is also the only one
> that doesn't have ECDHE (or even DHE) at the top of the preferred
> ciphers.

Browser support in itself is not the interesting factor here. We are 
not disabling other ciphers, so clients not supporting ECDHE will just 
continue to work. The question is how many browsers have broken 
implementations AND still use it as the preferred cipher. And the only 
ones that we know of are those MacOS versions mentioned above.

I would however not go the way of requiring the admin to explicitly 
enable support on upgrades. The problem is that the default configured 
cipher suite is HIGH:MEDIUM:!aNULL:!MD5 which includes ECDHE if 
supported. To make the change opt-in, we would either need to change 
the conffiles during upgrade, which I would like to avoid, or we would need 
to make the configuration incompatible with upstream by requiring 
something special.

I would like to have another upgrade for apache2 for the next wheezy 
point release in any case. Therefore I would appreciate some feedback 
from the release team if they would accept a change to include ECDHE 
support.

Cheers,
Stefan
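
The statement that the default cipher string picks up ECDHE whenever the TLS library supports it can be checked against a local OpenSSL build. The following is an added example, not part of the original message and not code from the apache2 package; it uses Python's `ssl` module, and the `!kEECDH` opt-out string is an assumption about what the README instructions mentioned in the thread could contain. Results reflect the OpenSSL your Python is linked against, not the wheezy packages under discussion.

```python
import ssl

# Default SSLCipherSuite quoted in the message above.
DEFAULT_SUITE = "HIGH:MEDIUM:!aNULL:!MD5"
# Assumption (not from the thread): "!kEECDH" is the OpenSSL cipher-string
# keyword that removes ephemeral-ECDH key exchange from the selection.
NO_ECDHE_SUITE = DEFAULT_SUITE + ":!kEECDH"


def expand(cipher_string):
    """Return (name, key_exchange) pairs the local OpenSSL selects for
    TLS <= 1.2, in server preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [
        (c["name"], c.get("kea", ""))
        for c in ctx.get_ciphers()
        # TLS 1.3 suites are configured separately and are always listed.
        if not c["name"].startswith("TLS_")
    ]


def ecdhe_suites(cipher_string):
    """Certificate-authenticated ECDHE suites enabled by cipher_string.
    ECDHE-PSK suites are a separate key-exchange class ("kx-ecdhe-psk")
    and are not counted here."""
    return [name for name, kea in expand(cipher_string) if kea == "kx-ecdhe"]


def summary(cipher_string):
    suites = expand(cipher_string)
    return {
        "cipher_string": cipher_string,
        "total": len(suites),
        "ecdhe": len(ecdhe_suites(cipher_string)),
        "most_preferred": suites[0][0] if suites else None,
    }


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for s in (DEFAULT_SUITE, NO_ECDHE_SUITE):
        print(summary(s))
```

The first summary shows ECDHE suites appearing without any configuration change once the library supports them, which is why an upgrade would enable them implicitly; the second shows the same string with ECDHE excluded and the remaining suites still available.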

