Have a look at
http://mail-archives.apache.org/mod_mbox/httpd-dev/200511.mbox/%3c20051122135629.03A2882D02@cmcodec02.st1.spray.net%3e
> -----Original Message-----
> From: Ivan Ristic
> Sent: Donnerstag, 26. November 2009 15:26
> To: dev@httpd.apache.org
> Subject: Re: better SSL defaults in 2.4
>
> Speaking of the SSL defaults, has anyone come up with
> something better than:
>
> BrowserMatch ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
>
> Is anyone aware of any good reference that documents why the above
> code was added, and perhaps also explains how to test and what exactly
> the consequences of not using the snippet are?
>
> I am willing to test recent IE versions to see how they behave, but
> it'd be nice if I could have a decent starting point.
>
>
> On Wed, Nov 18, 2009 at 2:54 PM, Jeff Trawick
> <trawick@gmail.com> wrote:
> > enable session cache by default?
> >
> > change SSLMutex default to "SSLMutex default" instead of
> "SSLMutex none"?
> > (does this default to "none" to avoid checking if a session cache is
> > enabled before creating the mutex?)
>
> --
> Ivan Ristic
> ModSecurity Handbook [https://www.feistyduck.com]
> SSL Labs [https://www.ssllabs.com/ssldb/]
>
|