From: Yann Ylavic Date: Wed, 6 May 2015 22:51:49 +0000 (+0000) Subject: Propose. X-Git-Tag: 2.2.30~129 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=45b292aaaa6660abb97c59c50fc2a0a03a6061df;p=thirdparty%2Fapache%2Fhttpd.git Propose. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1678107 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index 266b9573498..8266fbe5b77 100644 --- a/STATUS +++ b/STATUS @@ -185,7 +185,7 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: 2.2.x patch: http://people.apache.org/~ylavic/httpd-2.2.x-SSLSessionTicketKeyFile.patch +1: ylavic - *) mod_proxy: use the original (non absolute) form of the request-line's URI + * mod_proxy: use the original (non absolute) form of the request-line's URI for requests embedded in CONNECT payloads used to connect SSL backends via a ProxyRemote forward-proxy. PR 55892. trunk patch: http://svn.apache.org/r1665215 
@@ -202,6 +202,25 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: 2.4.x patch: trunk works (modulo CHANGES) +1: breser + * mod_ssl: Improve handling of ephemeral DH and ECDH keys by + allowing custom parameters to be configured via SSLCertificateFile, + and by adding standardized DH parameters for 1024/2048/3072/4096 bits. + Unless custom parameters are configured, the standardized parameters + are applied based on the certificate's RSA/DSA key size. Also drop + support for export-grade ciphers with ephemeral RSA keys, and + unconditionally disable aNULL, eNULL and EXP ciphers + (not overridable via SSLCipherSuite). + trunk patch: http://svn.apache.org/r1526168 + http://svn.apache.org/r1527291 + http://svn.apache.org/r1527295 + http://svn.apache.org/r1563420 + http://svn.apache.org/r1588851 + http://svn.apache.org/r1666363 + 2.2.x patch: http://people.apache.org/~ylavic/httpd-2.2.x-mod_ssl-improved_EDH.patch + +1: ylavic + ylavic: tested with openssl 0.9.7a, 0.9.8o, 1.0.1m and 1.0.2a with 1024 + and 2048 bits certificates (modulus), using EDH and ECDH ciphers. + PATCHES/ISSUES THAT ARE STALLED * mod_proxy_balancer: Always initialize the shared parameters of a load
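Review bot: in the first STATUS hunk (@@ -185,7 +185,7), the mod_proxy entry's bullet changes from `*)` to `*`, a drive-by formatting fix that the commit message "Propose." does not mention. Either note it in the message (for example "Propose, and fix bullet style of the mod_proxy entry") or commit it separately, so the history of that entry is not attributed to the mod_ssl proposal.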
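Review bot: in the new mod_ssl entry (second hunk, @@ -202,6 +202,25), the test note covers only 1024 and 2048 bit certificates, while the entry adds standardized DH parameters for 3072 and 4096 bits as well and selects them from the certificate's RSA/DSA key size. Suggest either testing a 3072 or 4096 bit certificate, or stating in the `ylavic:` note that those sizes are untested, so voters know which selection paths were exercised. The entry also makes disabling aNULL, eNULL and EXP unconditional ("not overridable via SSLCipherSuite") and drops export-grade ciphers with ephemeral RSA keys; since this changes behaviour for existing 2.2.x configurations, it would help to flag it in the entry as a compatibility change rather than leaving it as the last clause of the description.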