[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#733564: pu: apache2 with ECDHE support

Am Montag, 30. Dezember 2013, 15:23:17 schrieb Kurt Roeckx:
> On Mon, Dec 30, 2013 at 01:41:31PM +0100, Cyril Brulebois wrote:
> > Stefan Fritsch <sf@sfritsch.de> (2013-12-30):
> > > Am Sonntag, 29. Dezember 2013, 23:58:54 schrieb Kurt Roeckx:
> > > > Adding ECDHE support in apache will probably require
> > > > backporting the patches for that.  I'm not sure how much work
> > > > that is going to be and wether someone like redhat might have
> > > > already done that.> > 
> > > I don't know how quickly upgrades are ususally adopted in MacOS
> > > land, but considering that 10.8.5 is out I think it would be
> > > even acceptable to update apache without that openssl
> > > workaround, as long as the readme contains exact instructions
> > > how to disable ECDHE in case of problems. But of course having
> > > the openssl workaround would be even better.

Some statistics at http://update.omnigroup.com/ (click on minor 
versions for 10.8) gives 16.1% of macosx users using 10.8.x and 1.3% 
using 10.8.x with x <= 3. Personally, I don't think we need special 
provisions for those 1.3% of macosx users, which is <= 0.1% of total 
users. But I would of course be fine with Kurt backporting the 

> > If we're going to end up adding ECDHE support, and if it isn't
> > supported everywhere yet, I'm pretty sure support for it all
> > shouldn't be enabled automatically upon upgrades, and that it
> > should be enabled manually by admins instead, following
> > instructions that include incompatibility warnings (hello, page
> > 51 of the draft at https://bettercrypto.org/).

> If you want an overview of what browser support, you can see see
> that on ssllabs.  The only way I know of getting that info for
> other browser is going to a random website and then selecting the
> browser.
> About the only thing not supporting ECDHE is java 6 and internet
> explorer on windows XP.  Internet explorer is also the only one
> that doesn't have ECDHE (or even DHE) at the top the prefered
> ciphers.

Browser support in itself is not the interesting factor here. We are 
not disabling other ciphers, so clients not supporting ECDHE will just 
continue to work. The question is how many browsers have broken 
implemetations AND still use it as the preffered cipher. And the only 
ones that we know of are those MacOS versions mentioned above.

I would however not go the way of requiring the admin to explicitly 
enable support on upgrades. The problem is that the default configured 
cipher suite is HIGH:MEDIUM:!aNULL:!MD5 which includes ECDHE if 
supported. To make the change opt-in, we would either need to change 
the conffiles during upgrade, I would like to avoid, or we would need 
to make the configuration incompatible with upstream by requiring 
something special.

I would like to have another upgrade for apache2 for the next wheezy 
point release in any case. Therefore I would appreciate some feedback 
from the release team if they would accept a change to include ECDHE 


Reply to: