
Re: Bug#733564: pu: apache2 with ECDHE support


On Thu, Apr 10, 2014 at 08:02:46AM +0200, Stefan Fritsch wrote:
> Browser support in itself is not the interesting factor here. We are
> not disabling other ciphers, so clients not supporting ECDHE will just
> continue to work. The question is how many browsers have broken
> implementations AND still use it as the preferred cipher. And the only
> ones that we know of are those MacOS versions mentioned above.

Enabling the MacOSX workaround disables ECDHE for Safari on 10.6, 10.7,
and the broken 10.8 flavors, as they cannot be distinguished by the
fingerprinting code. On 10.6 and 10.7 it'd work otherwise. So at least
for the workaround, browser support is slightly relevant.

Enabling ECDHE in Apache would enable IE clients to use PFS if the admin
manually configured a cipher preference.

So I'd say that we should go and add ECDHE support to Apache as
suggested and also patch OpenSSL for the OS X bug as the fingerprinting
landed upstream and we would merely replicate current upstream behavior.

> I would however not go the way of requiring the admin to explicitly 
> enable support on upgrades. The problem is that the default configured 
> cipher suite is HIGH:MEDIUM:!aNULL:!MD5 which includes ECDHE if 
> supported. To make the change opt-in, we would either need to change 
> the conffiles during upgrade, I would like to avoid, or we would need 
> to make the configuration incompatible with upstream by requiring 
> something special.

I'd not make the change opt-in for the reasons you suggested.

Kind regards and thanks
Philipp Kern
