
Mailing List Archive: Apache: Dev

better SSL defaults in 2.4

 

 



trawick at gmail

Nov 18, 2009, 6:54 AM

Post #1 of 6 (761 views)
better SSL defaults in 2.4

enable session cache by default?

change SSLMutex default to "SSLMutex default" instead of "SSLMutex none"?
(does this default to "none" to avoid checking if a session cache is
enabled before creating the mutex?)


jfclere at gmail

Nov 18, 2009, 7:02 AM

Post #2 of 6 (737 views)
Re: better SSL defaults in 2.4

On 11/18/2009 03:54 PM, Jeff Trawick wrote:
> enable session cache by default?

+1

Cheers

Jean-Frederic


jorton at redhat

Nov 19, 2009, 1:00 AM

Post #3 of 6 (721 views)
Re: better SSL defaults in 2.4

On Wed, Nov 18, 2009 at 09:54:34AM -0500, Jeff Trawick wrote:
> enable session cache by default?

Yes! I've been moving towards this goal - creating a "default" socache
provider is simple now.

Regards, Joe


minfrin at sharp

Nov 20, 2009, 5:13 AM

Post #4 of 6 (694 views)
Re: better SSL defaults in 2.4

Jeff Trawick wrote:

> enable session cache by default?
>
> change SSLMutex default to "SSLMutex default" instead of "SSLMutex none"?
> (does this default to "none" to avoid checking if a session cache is
> enabled before creating the mutex?)

+1.

Regards,
Graham
--


ivan.ristic at gmail

Nov 26, 2009, 6:26 AM

Post #5 of 6 (627 views)
Re: better SSL defaults in 2.4

Speaking of the SSL defaults, has anyone come up with something better than:

BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

Is anyone aware of any good reference that documents why the above
code was added, and perhaps also explains how to test and what exactly
the consequences of not using the snippet are?

I am willing to test recent IE versions to see how they behave, but
it'd be nice if I could have a decent starting point.


On Wed, Nov 18, 2009 at 2:54 PM, Jeff Trawick <trawick [at] gmail> wrote:
> enable session cache by default?
>
> change SSLMutex default to "SSLMutex default" instead of "SSLMutex none"?
> (does this default to "none" to avoid checking if a session cache is
> enabled before creating the mutex?)

--
Ivan Ristic
ModSecurity Handbook [https://www.feistyduck.com]
SSL Labs [https://www.ssllabs.com/ssldb/]


ruediger.pluem at vodafone

Nov 26, 2009, 7:28 AM

Post #6 of 6 (630 views)
RE: better SSL defaults in 2.4

Have a look at

http://mail-archives.apache.org/mod_mbox/httpd-dev/200511.mbox/%3c20051122135629.03A2882D02 [at] cmcodec02%3e

> -----Original Message-----
> From: Ivan Ristic
> Sent: Thursday, 26 November 2009 15:26
> To: dev [at] httpd
> Subject: Re: better SSL defaults in 2.4
>
> Speaking of the SSL defaults, has anyone come up with
> something better than:
>
> BrowserMatch ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
>
> Is anyone aware of any good reference that documents why the above
> code was added, and perhaps also explains how to test and what exactly
> the consequences of not using the snippet are?
>
> I am willing to test recent IE versions to see how they behave, but
> it'd be nice if I could have a decent starting point.
>
>
> On Wed, Nov 18, 2009 at 2:54 PM, Jeff Trawick
> <trawick [at] gmail> wrote:
> > enable session cache by default?
> >
> > change SSLMutex default to "SSLMutex default" instead of "SSLMutex none"?
> > (does this default to "none" to avoid checking if a session cache is
> > enabled before creating the mutex?)
>
> --
> Ivan Ristic
> ModSecurity Handbook [https://www.feistyduck.com]
> SSL Labs [https://www.ssllabs.com/ssldb/]
>
