httpd-users mailing list archives

From "Michael A. Peters" <>
Subject Re: [users@httpd] Upgrading to httpd 2.4 and documentation - Any missing info?
Date Tue, 15 Mar 2016 22:26:56 GMT
You're probably right. What scared them into disabling all the unsafe 
ciphers was an ssllabs report showing a grade of F in combination with 
an arstechnica article on how cheap it is to use an Amazon cloud account 
to crack export cipher suites.

They respect me, I found holes in several WordPress plugins they were 
using and helped them fix those, but they have a "long relationship" 
with the hosting company.

On 03/15/2016 02:44 PM, Robert Mattson wrote:
> Hi Michael,
> It might be a bit of fun to download Kali or OpenVAS. I think both come as complete virtual-machines.
> Handing them the automated scan report might raise a few eyebrows.
> Most of all it's important to remember to have fun!
> Rob
> Sent from a mobile device, typos are to be expected.
>> On 15 Mar 2016, at 6:52 PM, Michael A. Peters <> wrote:
>>> On 03/15/2016 12:23 AM, Luca Toscano wrote:
>>> Hi Apache users!
>>> A while ago there was an interesting discussion on the dev@ mailing list
>>> about the adoption percentage of httpd 2.2 vs 2.4, and I was wondering
>>> if the people that have not upgraded yet have suggestions about whether
>>> or not the documentation needs any improvement to facilitate the process.
>>> The 2.4 release is the only one actively developed and it offers tons of
>>> new features compared to 2.2, among them:
>>> - HTTP/2 support (
>>> - <If>/<Else> directives (
>>> - lua scripts support (
>>> - most up to date version of the event mpm
>>> (
>>> - most up to date version of mod_ssl
>>> - a lot of bug fixes!
>>> I understand that a lot of you have complex and difficult environments
>>> to migrate, but it would be great to extend the 2.4 release as much as
>>> possible. Are there any gaps in documentation or anything else that we
>>> can help with to ease the process?
>>> Let me know!
>>> Luca
>> Thank you for the effort.
>> A business I am a customer of runs 1.x on all their web servers and I have been trying
>> to get them to update to 2.x for years.
>> When they use TLS it is ben-ssl with export ciphers and I *finally* got them to turn
>> off all the dangerous ciphers and only allow tls 1.0 but the excuse they keep giving me is
>> "our hosting company says the version we have is secure"
>> I don't understand how a version that hasn't received upstream updates for years
>> can be considered "secure" - lazy hosting company.
>> I would love to see better 2.4.x adoption, especially now that it supports HTTP/2.
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> For additional commands, e-mail:
