granicus.if.org Git - apache/commit

author	Kaspar Brand <kbrand@apache.org>
	Wed, 25 Sep 2013 12:52:35 +0000 (12:52 +0000)
committer	Kaspar Brand <kbrand@apache.org>
	Wed, 25 Sep 2013 12:52:35 +0000 (12:52 +0000)
commit	a6a324f9bb472a3bed200366b6ac9afbcfd803f3
tree	94b087c867e1df1530159947ac25f424f330eb65	tree \| snapshot
parent	6a062fcc848fb1e0265f033e0affd25f9b639d4d	commit \| diff

Streamline ephemeral key handling:

- drop support for ephemeral RSA keys (only allowed/needed
  for export ciphers)

- drop pTmpKeys from the per-process SSLModConfigRec, and remove
  the temp key generation at startup (unnecessary for DHE/ECDHE)

- unconditionally disable null and export-grade ciphers by always
  prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string

- do not configure per-connection SSL_tmp_*_callbacks, as it is
  sufficient to set them for the SSL_CTX

- set default curve for ECDHE at startup, obviating the need
  for a per-handshake callback, for the time being (and also
  configure SSL_OP_SINGLE_ECDH_USE, previously left out)

For additional background, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1526168 13f79535-47bb-0310-9956-ffa450edef68

CHANGES		diff \| blob \| history
docs/manual/mod/mod_ssl.xml		diff \| blob \| history
modules/ssl/mod_ssl.c		diff \| blob \| history
modules/ssl/ssl_engine_config.c		diff \| blob \| history
modules/ssl/ssl_engine_init.c		diff \| blob \| history
modules/ssl/ssl_engine_kernel.c		diff \| blob \| history
modules/ssl/ssl_private.h		diff \| blob \| history