I'd like to gauge consensus on removing the following mod_ssl features
for 2.5. I am +1 (more or less strongly) on removing all the following:

a) SSLInsecureRenegotiation. If you haven't patched your clients for
CVE-2009-3555 there is no hope. This should definitely be removed.

b) SSLRequire - this has been deprecated since it was subsumed into the
better "Require expr" interface in 2.4.x.

c) Client-initiated renegotiation prevention mechanism. This was
introduced mostly as a temporary workaround for CVE-2009-3555, and as
the saying goes, there is nothing as permanent as a temporary
workaround. This already doesn't apply for TLSv1.3, and it doesn't
really add much for TLS < v1.3 so I think it can go completely.

d) SSLRandomSeed. This might have made sense in 1998 but at least with
OpenSSL 1.1.1 which has a rewritten and fork-safe RAND, I think httpd
should not be doing RAND seeding ever. Currently mod_ssl will splat
random stack data, time() and the pid into the RNG state for each new
connection. Unless someone can prove this is valuable and the OpenSSL
PRNG is somehow broken OOTB, I think this code + directive should be
dropped for OpenSSL 1.1.1+, including EGD support etc.

e) SSLCompression - enabling this has been considered (and documented
as) a bad idea for a good while. IMO we should have "SSLCompression
off" the hard-coded default and drop the directive.

Regards, Joe
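
For administrators who want to know whether their own configuration uses any of the directives named in items (a), (b), (d) and (e) above, the following is an added example, not part of the original message and not httpd project code. It scans httpd configuration text for those directives regardless of their argument; the function names and the sample fragment are constructed for illustration, and item (c) names no directive, so it is not covered.

```python
# Added example: flag uses of the mod_ssl directives named in the message.
# The notes paraphrase the message; SAMPLE is a constructed config fragment.
REMOVAL_CANDIDATES = {
    "sslinsecurerenegotiation": ("SSLInsecureRenegotiation", "item (a)"),
    "sslrequire": ("SSLRequire", 'item (b): superseded by "Require expr"'),
    "sslrandomseed": ("SSLRandomSeed", "item (d)"),
    "sslcompression": ("SSLCompression", "item (e)"),
}

SAMPLE = """\
# constructed sample vhost fragment
SSLEngine on
sslcompression On
SSLRandomSeed startup builtin
<Location /admin>
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 \\
        and %{SSL_CLIENT_VERIFY} eq "SUCCESS"
</Location>
# SSLInsecureRenegotiation on
SSLInsecureRenegotiation off
"""

def logical_lines(text):
    """Yield (first_line_no, joined_line), joining backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:  # file ended in the middle of a continuation
        yield start, buf

def audit(text):
    """Return [(line_no, directive, args, note)]; names match case-insensitively."""
    findings = []
    for no, line in logical_lines(text):
        parts = line.split(None, 1)
        if not parts or parts[0].startswith(("#", "<")):
            continue  # blank line, comment, or section open/close tag
        hit = REMOVAL_CANDIDATES.get(parts[0].lower())
        if hit:
            args = " ".join(parts[1].split()) if len(parts) > 1 else ""
            findings.append((no, hit[0], args, hit[1]))
    return findings

if __name__ == "__main__":
    for no, name, args, note in audit(SAMPLE):
        print(f"line {no}: {name} {args}  [{note}]")
```

Every occurrence is reported, including `SSLCompression off` or `SSLInsecureRenegotiation off`, because a directive that has been dropped would no longer be accepted whatever its value.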