[Pkg-openssl-devel] Backport apache2 version >= 2.2.12 ? With or without new openssl?

Stefan Fritsch sf at sfritsch.de
Wed Apr 14 19:54:50 UTC 2010


On Wednesday 14 April 2010, Sandro Tosi wrote:
> On Mon, Apr 5, 2010 at 10:54, Stefan Fritsch <sf at sfritsch.de> wrote:
> > - 2.2.15-2 still has some bugs in mod_reqtimeout, 2.2.15-3 would
> > be better (but will take some time until it hits testing).
> 
> so do you suggest to backport -3 instead of -2? we don't use
> mod_reqtimeout so we are not impacted from those bugs (so we didn't
> spot them).

mod_reqtimeout will be enabled on update, though (unless you changed 
that). The bugs are mostly relevant when using mod_proxy at the same 
time, but using apache2 as reverse proxy is a common configuration.

> On Wed, Apr 14, 2010 at 07:58, Jan Wagner <waja at cyconet.org> wrote:
> > On Monday 05 April 2010 10:54:54 Stefan Fritsch wrote:
> >> - it is also possible to use an older openssl, this would just
> >> mean that the new 'SSLInsecureRenegotiation' directive would not
> >> be available (at least I believe that lenny's openssl already
> >> has SNI support). Maybe it would be better not to force people
> >> to update that core library. If you want to go with the older
> >> openssl, just downgrade the build-depends in apache and mention
> >> in the changelog that this removes SSLInsecureRenegotiation.
> >
> > Any news here?
> 
> Well, in our configuration we need SSLInsecureRenegotiation, so I
>  need a more recent openssl. If it's a problem, I can leave
> 
> Jan, are you testing the packages I provided? are you facing any
>  issues?

The openssl from squeeze will disable insecure renegotiation by 
default and will cause problems for some people. For example, it 
breaks tor (IIRC).

I am not too familiar with backports.org. Will packages built in 
backports always be built with the openssl from backports, or only if 
there is a build-dep that cannot be satisfied in the normal lenny? If 
the former, I am against backporting it. If the latter, people have 
the option to just not install it. I am CCing the openssl maintainer, 
in case he wants to add something.

Cheers,
Stefan
