
Bug#733564: Is 2.2.26 happening for Wheezy ?



May I gently ask if there is still a chance for this backport or even
regular update of apache2 to happen for Wheezy?

ECDHE ciphers are being adopted rapidly all over the internet. I believe
Debian Wheezy, with its many installations at ISPs or hosting providers,
would really make a difference here towards much more PFS being used and
without a (massive) performance drawback.

May I stress the point that this "problem" is caused only by the version
of apache2 and not the underlying ssl libraries. Those very much are up
to date on ECDHE ciphers. And there was a reason the apache folks
decided to backport EC support to their 2.2 tree.


On  Mon, 30 Dec 2013 15:23:17 +0100 Kurt Roeckx wrote:
> About the only thing not supporting ECDHE is Java 6 and Internet
> Explorer on Windows XP.  Internet Explorer is also the only one
> that doesn't have ECDHE (or even DHE) at the top of the preferred
> ciphers.
> 
> That means that all other browsers that are tracked there have
> support for ECDHE and have it as most preferred cipher.
> 
> MacOS had a problem with the ECDSA version of it, which seems
> surprisingly popular, but it was fixed.  But I was under the
> impression that apple didn't encourage users to upgrade when it
> was fixed.  I'm not sure if that changed in the meantime.

The arguments regarding problems on various clients are simply a matter
of sensible defaults (for the discussed update or backport of the
apache2 package) and then a sensible configuration for the particular
installation or use case. But, most browser problems with ciphers should
have been fixed in the meantime. With every new browser version, be it
FF or Chrome or whatever, stronger crypto is enabled or even forced.



Thanks for your work
Regards

Christian

