[Info-vax] OpenSSL CSWS-2.2-1

Arne Vajhøj arne at vajhoej.dk
Sat Apr 6 12:20:30 EDT 2019


On 4/6/2019 12:19 PM, Arne Vajhøj wrote:
> On 4/6/2019 12:16 PM, Arne Vajhøj wrote:
>> On 4/6/2019 8:32 AM, Neil Rieck wrote:
>>> Strictly as an emergency backup plan, I've been working on a trial to 
>>> replace CSWS-2.2-1 with WASD-11.
>>>
>>> For example, if my ~1,200 clients begin to use new browsers next 
>>> year, they might not be able to connect to my current system so I 
>>> have got to do something now. But that got me thinking about another 
>>> problem: we are receiving B2B SOAP transactions from a system in 
>>> Montreal (another company) which currently relies on SSLv3. If I 
>>> upgrade my web-server to something that doesn't offer SSLv3 (because 
>>> it hasn't been compiled into Apache's mod_ssl, or I've linked WASD to 
>>> an SSL library that is too restrictive) then I'm not going to be able 
>>> to receive those B2B SOAP connections.
>>>
>>> After a restless night of sleep it occurred to me that many other 
>>> systems are also going to run into this situation but no one seems to 
>>> be talking about it (at least not in the way they talked about Y2K). 
>>> So I have decided to call this problem "Y2K20" and have placed some 
>>> preliminary notes here:
>>>
>>> http://neilrieck.net/docs/calendar_time_y2k_etc.html#y2k20
>>
>> I don't know how general the problem is.
>>
>> OpenSSL and Apache httpd are open source.
>>
>> You can build OpenSSL with the protocols you want.
>>
>> In Apache config you can enable and disable the protocols you want.
> 
> Besides that, I would consider not serving static content and
> web services from the same server.
> 
> exposed web 1 serving static content
> exposed web 2 web services
> 
> or
> 
> exposed web 1 serving static content and proxy to web 2
> internal web 2 web services
> 
> or similar.

If your security people are strict they may insist on:

exposed web 0 proxy to web 1 and web 2
internal web 1 serving static content
internal web 2 web services

Arne
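
The layout described above (exposed web 0 proxying to internal web 1 and web 2), with the protocol choice made per listener, as an added example that is not part of the original message and is not a CSWS or WASD configuration. It assumes Apache httpd 2.4 syntax; the hostnames, ports, file paths and the partner address 192.0.2.10 are hypothetical placeholders.

```apache
# Added example. Needs mod_ssl, mod_proxy, mod_proxy_http,
# mod_authz_core and mod_authz_host loaded on "web 0".
# All names, ports, paths and addresses below are assumptions.

Listen 443
Listen 8443 https
ProxyRequests Off            # reverse proxy only, never a forward proxy

# Browser-facing listener: current TLS only.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    "/path/to/www.crt"
    SSLCertificateKeyFile "/path/to/www.key"
    SSLProtocol -all +TLSv1.2

    # Static content is served by internal web 1.
    ProxyPass        "/" "http://web1.internal.example:8080/"
    ProxyPassReverse "/" "http://web1.internal.example:8080/"
</VirtualHost>

# B2B listener on its own port, so its protocol set is independent of
# the browser-facing one. SSLv3 only takes effect if the OpenSSL that
# mod_ssl is linked against was built with SSLv3 support. The newer
# protocols stay enabled so the partner can move up without a change here.
<VirtualHost *:8443>
    ServerName b2b.example.com
    SSLEngine on
    SSLCertificateFile    "/path/to/b2b.crt"
    SSLCertificateKeyFile "/path/to/b2b.key"
    SSLProtocol -all +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2

    # Only the partner system may reach the legacy listener.
    <Location "/">
        Require ip 192.0.2.10
    </Location>

    # SOAP requests go to internal web 2.
    ProxyPass        "/soap/" "http://web2.internal.example:8080/soap/"
    ProxyPassReverse "/soap/" "http://web2.internal.example:8080/soap/"
</VirtualHost>
```

Once the partner no longer needs SSLv3, dropping `+SSLv3` (and later `+TLSv1 +TLSv1.1`) from the second listener is the only change required.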