Re: Upgrading to httpd 2.4 and documentation - Any missing info?


 



You're probably right. What scared them into disabling all the unsafe ciphers was an ssllabs report showing a grade of F in combination with an Ars Technica article on how cheap it is to use an Amazon cloud account to crack export cipher suites.

They respect me; I found holes in several WordPress plugins they were using and helped them fix those, but they have a "long relationship" with the hosting company.

On 03/15/2016 02:44 PM, Robert Mattson wrote:
Hi Michael,

It might be a bit of fun to download Kali or OpenVAS. I think both come as complete virtual machines.
Handing them the automated scan report might raise a few eyebrows.

Most of all, it's important to remember to have fun!

Rob

Sent from a mobile device, typos are to be expected.

On 15 Mar 2016, at 6:52 PM, Michael A. Peters <mpeters@xxxxxxxxxxxxxx> wrote:

On 03/15/2016 12:23 AM, Luca Toscano wrote:
Hi Apache users!

A while ago there was an interesting discussion on the dev@ mailing list
about the adoption percentage of httpd 2.2 vs 2.4, and I was wondering
if the people that have not upgraded yet have suggestions about whether
or not the documentation needs any improvement to facilitate the process.

The 2.4 release is the only one actively developed and it offers tons of
new features compared to 2.2, among them:

- HTTP/2 support (https://httpd.apache.org/docs/2.4/mod/mod_http2.html)
- <If>/<Else> directives (http://httpd.apache.org/docs/2.4/mod/core.html#if)
- Lua scripts support (https://httpd.apache.org/docs/2.4/mod/mod_lua.html)
- most up to date version of the event MPM
(https://httpd.apache.org/docs/2.4/mod/event.html)
- most up to date version of mod_ssl
- a lot of bug fixes!

I understand that a lot of you have complex and difficult environments
to migrate, but it would be great to extend the 2.4 release as much as
possible. Are there any gaps in documentation or anything else that we
can help with to ease the process?

Let me know!

Luca

Thank you for the effort.

A business I am a customer of runs 1.x on all their web servers and I have been trying to get them to update to 2.x for years.

When they use TLS it is ben-ssl with export ciphers, and I *finally* got them to turn off all the dangerous ciphers and only allow TLS 1.0, but the excuse they keep giving me is "our hosting company says the version we have is secure".

I don't understand how a version that hasn't received upstream updates for years can be considered "secure" - lazy hosting company.

I would love to see better 2.4.x adoption, especially now that it supports HTTP/2.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx






