httpd-users mailing list archives

From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: [users@httpd] Unexpected result of requesting client certificate when requesting locations with different SSLVerifyClient settings
Date Fri, 12 Apr 2019 16:05:41 GMT
On Wed, Apr 10, 2019 at 7:30 PM Du Hao <dwaynedu@gmail.com> wrote:

> Is Apache HTTP Server going to drop TLSv1.2 support in the near future? If
> not, it is a bug that affects users who voluntarily choose to not use
> TLSv1.3.
>

Because 2.4 dates all the way back to the now-unsupported 0.9.8 lifecycle,
it seems unlikely that any httpd 2.4.x would entirely drop this or later
support, but note these EOL dates from the OpenSSL project as published at
https://www.openssl.org/policies/releasestrat.html

The next version of OpenSSL will be 3.0.0.
Version 1.1.1 will be supported until 2023-09-11 (LTS).
Version 1.1.0 will be supported until 2019-09-11.
Version 1.0.2 will be supported until 2019-12-31 (LTS).
Version 1.0.1 is no longer supported.
Version 1.0.0 is no longer supported.
Version 0.9.8 is no longer supported.

So it's entirely reasonable that any 2.next or 3.0 release of Apache HTTP
Server by midyear could elect to drop all support for any 1.0.1 or earlier
flavor, and if not released until next year - might even drop support
for all flavors earlier than 1.1.1. Not certain what course the project
will choose to follow, since these antique flavors are still found across
many flavors of commonly provisioned OS's.

Best practices and PCI standards already discourage and will eventually
forbid the use of context-specific renegotiation, and will eventually drop
TLS 1.2 itself. Some useful information on such guidelines is summarized
and maintained at https://en.wikipedia.org/wiki/Transport_Layer_Security
