Re: Apache/PHP Installation - opinions




On 04/27/2016 07:50 PM, Alice Wonder wrote:
On 04/27/2016 12:41 AM, Alice Wonder wrote:
On 04/27/2016 12:30 AM, James Hogarth wrote:
*snip*

Unless you have a very specific requirement for a very bleeding edge
feature it's fundamentally a terrible idea to move away from the
distribution packages in something as exposed as a webserver ...

I used to believe that.

However, I no longer do.

First of all, advancements in TLS happen too quickly.

The RHEL philosophy of keeping API stability for as long as the release
is supported means you end up running old protocols and old cipher
suites and don't have the new protocols and cipher suites available.

That's a problem.

With respect to Apache and PHP -

There is a lot of benefit to HTTP/2 but you can't get that with the
stock Apache in RHEL / CentOS 7. You just can't.

The PHP in stock RHEL / CentOS is so old that web application developers
largely are not even using it anymore, resulting in some web
applications that just simply don't work unless you update the PHP to
something more modern.

It's a nice idealistic philosophy to want to keep the same versions and
backport security fixes and keep everything API compatible but in real
world practice, it makes your server stale.

Another example outside of LAMP

Postfix -

The postfix that ships with CentOS 7 does not have the ability to enforce DANE.

If you are not sure what that is -

On my DNS server, I can (and do) post a fingerprint of the TLS keys used by my smtp server.

When other mail servers want to send an e-mail to my server, they can do a DNS query and if I have a DANE record, then they can require that the TLS connection they make to my SMTP server uses a certificate with a fingerprint that matches.

That is the only reliable way to avoid MITM with SMTP.

It's easy to set up in postfix -

# main.cf: DNSSEC-validated lookups are a prerequisite for DANE
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
# and the outbound TLS policy itself must select DANE, otherwise
# the TLSA records are looked up but never enforced
smtp_tls_security_level = dane

Sounds good, but how many domain MX servers have set up these fingerprint keys - 1%, maybe 2%, so how do you code for that? I guess I'm thinking it uses it if available. So even if you do post it on your DNS, how many clients out there are using DANE on their setup? By the time it becomes more than a tiny % and generally useful, it will be in CentOS 8. It also requires certificates to be implemented more ubiquitously than at present - although we do now have affordable solutions, so this one may resolve more quickly.
But with the postfix that comes with CentOS 7 - it is too old for that, so Postfix with CentOS 7 will never even try to verify the TLS certificate of the servers it connects to.

It's a stale version of postfix and people running postfix on CentOS 7 should use a newer version.
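What "posting a fingerprint of the TLS keys" and the client-side DANE check amount to, as an added example that is not code from the post or from Postfix: it builds the usual "3 1 1" TLSA record (SHA-256 over the SubjectPublicKeyInfo) and applies the RFC 7672 matching rules. The key bytes, the placeholder certificate and the hostname in the comments are constructed.

```python
# Added example (not from the list post): what a DANE-aware SMTP client does with a
# TLSA RRset before trusting the peer's certificate (RFC 7672 semantics, simplified).
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSARecord:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (only 2/3 usable for SMTP)
    selector: int   # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data

    @classmethod
    def parse(cls, rdata: str) -> "TLSARecord":
        # Presentation format as found in a zone file, e.g. "3 1 1 <hex digest>"
        usage, selector, mtype, hexdata = rdata.split(None, 3)
        return cls(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexdata.split())))

def publish_tlsa(spki_der: bytes) -> str:
    """RDATA for the recommended '3 1 1' record: SHA-256 of the server's SPKI."""
    return f"3 1 1 {hashlib.sha256(spki_der).hexdigest()}"

def _assoc_data(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    material = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 0:
        return material
    if rec.mtype == 1:
        return hashlib.sha256(material).digest()
    return hashlib.sha512(material).digest()

def dane_verdict(records, cert_der: bytes, spki_der: bytes) -> str:
    """'authenticated' if a usable record matches the presented key, 'mismatch' if
    usable records exist but none match (delivery must fail), 'unauthenticated' if no
    record is usable (RFC 7672: still use TLS, but without authentication)."""
    usable = 0
    for rec in records:
        # PKIX usages and unknown selectors/matching types are unusable for SMTP;
        # DANE-TA (usage 2) needs chain building, which this example leaves out.
        if rec.usage != 3 or rec.selector not in (0, 1) or rec.mtype not in (0, 1, 2):
            continue
        usable += 1
        if _assoc_data(rec, cert_der, spki_der) == rec.data:
            return "authenticated"
    return "mismatch" if usable else "unauthenticated"

# Constructed sample: an Ed25519 SubjectPublicKeyInfo (fixed DER prefix + 32 key bytes)
SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
SERVER_SPKI = SPKI_PREFIX + bytes(range(32))      # the key the MX really uses
IMPOSTOR_SPKI = SPKI_PREFIX + bytes(32)           # what a man-in-the-middle would present
PLACEHOLDER_CERT = b"constructed-certificate-der-placeholder"
ZONE_RECORD = publish_tlsa(SERVER_SPKI)  # published at _25._tcp.mail.example.com. IN TLSA ...
```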


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos



