On 04/27/2016 12:41 AM, Alice Wonder wrote:
> On 04/27/2016 12:30 AM, James Hogarth wrote:
> *snip*
>>
>> Unless you have a very specific requirement for a very bleeding edge
>> feature it's fundamentally a terrible idea to move away from the
>> distribution packages in something as exposed as a webserver ...
>
> I used to believe that.
>
> However, I no longer do.
>
> First of all, advancements in TLS happen too quickly.
>
> The RHEL philosophy of keeping API stability for as long as the release
> is supported means you end up running old protocols and old cipher
> suites and don't have the new protocols and cipher suites available.
>
> That's a problem.
>
> With respect to Apache and PHP -
>
> There is a lot of benefit to HTTP/2 but you can't get that with the
> stock Apache in RHEL / CentOS 7. You just can't.
>
> The PHP in stock RHEL / CentOS is so old that web application developers
> largely are not even using it anymore, resulting in some web
> applications that just simply don't work unless you update the PHP to
> something more modern.
>
> It's a nice idealistic philosophy to want to keep the same versions and
> backport security fixes and keep everything API compatible but in real
> world practice, it makes your server stale.

Another example outside of LAMP

Postfix -

The postfix that ships with CentOS 7 does not have the ability to enforce DANE.

If you are not sure what that is -

On my DNS server, I can (and do) post a fingerprint of the TLS keys used by my SMTP server. When other mail servers want to send an e-mail to my server, they can do a DNS query and if I have a DANE record, then they can require that the TLS connection they make to my SMTP server uses a certificate with a fingerprint that matches.

That is the only reliable way to avoid MITM with SMTP.

It's easy to set up in postfix -

smtp_dns_support_level = dnssec
smtp_host_lookup = dns

But with the postfix that comes with CentOS 7 - it is too old for that, so Postfix with CentOS 7 will never even try to verify the TLS certificate of the servers it connects to.

It's a stale version of postfix and people running postfix on CentOS 7 should use a newer version.
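As an added illustration (not part of this message and not Postfix code), the Python below shows what the "fingerprint of the TLS keys" published in DNS looks like as a DANE TLSA record for an SMTP server, and the check a connecting client performs against it: hash the SubjectPublicKeyInfo the server presented and compare it with the published digest. The hostname `mail.example.com` and the `SERVER_SPKI` bytes are constructed sample values, not a real key; a real deployment extracts the SPKI from the server certificate. Standard library only.

```python
"""Build and verify a DANE-EE TLSA record for an SMTP server key (added example)."""
import hashlib
import hmac
from dataclasses import dataclass

# TLSA field values for the usual SMTP DANE setup (RFC 6698, RFC 7672):
# usage 3 = DANE-EE (trust this end-entity key directly),
# selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256.
USAGE_DANE_EE = 3
SELECTOR_SPKI = 1
MATCHING_SHA256 = 1

# Constructed stand-in for the DER-encoded SubjectPublicKeyInfo of the
# SMTP server's certificate (NOT a real key; any bytes show the mechanism).
SERVER_SPKI = b"constructed-sample-spki-bytes-for-mail.example.com"

# How the "certificate association data" is derived for each matching type.
_MATCHERS = {
    0: lambda b: b.hex(),                        # full SPKI, no hashing
    1: lambda b: hashlib.sha256(b).hexdigest(),  # SHA-256
    2: lambda b: hashlib.sha512(b).hexdigest(),  # SHA-512
}


@dataclass(frozen=True)
class TLSARecord:
    owner: str            # e.g. "_25._tcp.mail.example.com."
    usage: int
    selector: int
    matching_type: int
    cert_assoc_data: str  # lowercase hex

    def zone_line(self) -> str:
        """Render as a zone-file line, as it would be published (and DNSSEC-signed)."""
        return (f"{self.owner} IN TLSA {self.usage} {self.selector} "
                f"{self.matching_type} {self.cert_assoc_data}")


def tlsa_owner(hostname: str, port: int = 25) -> str:
    """TLSA owner name for the SMTP service on the given host and port."""
    return f"_{port}._tcp.{hostname.rstrip('.')}."


def build_tlsa(hostname: str, spki_der: bytes, port: int = 25) -> TLSARecord:
    """Server side: the record the mail server operator publishes in DNS."""
    return TLSARecord(tlsa_owner(hostname, port), USAGE_DANE_EE, SELECTOR_SPKI,
                      MATCHING_SHA256, _MATCHERS[MATCHING_SHA256](spki_der))


def parse_tlsa(line: str) -> TLSARecord:
    """Parse one zone-file style TLSA line back into a record."""
    parts = line.split()
    if len(parts) != 7 or parts[1:3] != ["IN", "TLSA"]:
        raise ValueError(f"not a TLSA record: {line!r}")
    owner, _, _, usage, selector, mtype, data = parts
    return TLSARecord(owner, int(usage), int(selector), int(mtype), data.lower())


def spki_matches(record: TLSARecord, presented_spki: bytes) -> bool:
    """Client side: does the key the server presented match the published record?

    Only meaningful if the TLSA answer was DNSSEC-validated (hence the
    dnssec lookup setting in the message); an unsigned answer proves nothing.
    """
    if record.usage != USAGE_DANE_EE or record.selector != SELECTOR_SPKI:
        raise ValueError("this example handles only '3 1 x' (DANE-EE, SPKI) records")
    try:
        derived = _MATCHERS[record.matching_type](presented_spki)
    except KeyError:
        raise ValueError(f"unknown matching type {record.matching_type}") from None
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(derived, record.cert_assoc_data)


if __name__ == "__main__":
    published = build_tlsa("mail.example.com", SERVER_SPKI)
    print(published.zone_line())
    seen = parse_tlsa(published.zone_line())
    print("genuine key accepted:", spki_matches(seen, SERVER_SPKI))
    print("substituted key accepted:", spki_matches(seen, b"some-other-spki"))
```

The substituted-key case is the one DANE exists for: a man in the middle that terminates TLS with its own certificate fails the comparison even if that certificate chains to a public CA. A Postfix client that does this natively turns it on with `smtp_tls_security_level = dane` (Postfix 2.11 and later) together with the DNSSEC lookup settings quoted in the message.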