httpd-dev mailing list archives

From Igor Galić <i.ga...@brainsware.org>
Subject Re: svn commit: r966055 - /httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
Date Wed, 21 Jul 2010 10:59:30 GMT


+SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
Reminds me a bit of: http://journal.paul.querna.org/articles/2010/07/10/overclocking-mod_ssl/

Can't we simplify that to:

SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!ADH:!MD5

Since it's basically the same:

i.galic@panic ~/Projects/asf/httpd (svn)-[trunk:966169] % openssl ciphers 'RC4-SHA:AES128-SHA:HIGH:!ADH:!MD5'|md5sum -
c1977a5b8a9cea42329be929398c6941  -
i.galic@panic ~/Projects/asf/httpd (svn)-[trunk:966169] % openssl ciphers 'RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL' | md5sum -
c1977a5b8a9cea42329be929398c6941  -

OpenSSL experts might want to disagree with me at this point.

Bye,
i

----- "Rainer Jung" <rainer.jung@kippdata.de> wrote:

> On 21.07.2010 01:33, gstein@apache.org wrote:
> > Author: gstein
> > Date: Tue Jul 20 23:33:18 2010
> > New Revision: 966055
> >
> > URL: http://svn.apache.org/viewvc?rev=966055&view=rev
> > Log:
> > Fix up some SSL configuration, per issue #49484. IE6 had a hotfix released
> > for this problem quite a while back (see kb 921090), so restrict the
> > modified behavior to the old/unsupported browsers.
> >
> > * docs/conf/extra/http-ssl.conf.in:
> >    (): tighten up the regex to only select old MSIE browsers for the
> >      downgrade in http behavior. this allows IE6 to run much faster.
> >
> > Modified:
> >      httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
> >
> > Modified: httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
> > URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in?rev=966055&r1=966054&r2=966055&view=diff
> >
> ==============================================================================
> > --- httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in (original)
> > +++ httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in Tue Jul 20
> 23:33:18 2010
> > @@ -218,7 +218,7 @@ SSLCertificateKeyFile "@exp_sysconfdir@/
> >   #   Similarly, one has to force some clients to use HTTP/1.0 to
> workaround
> >   #   their broken HTTP/1.1 implementation. Use variables
> "downgrade-1.0" and
> >   #   "force-response-1.0" for this.
> > -BrowserMatch ".*MSIE.*" \
> > +BrowserMatch ".*MSIE [1-5].*" \
> >            nokeepalive ssl-unclean-shutdown \
> >            downgrade-1.0 force-response-1.0
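Review bot: the added pattern ".*MSIE [1-5].*" constrains only the first digit of the version, so a User-Agent whose MSIE version starts with 1 through 5 and continues with another digit (a two-digit major version such as 10) would also get nokeepalive and the HTTP/1.0 downgrade. Requiring the dot after the digit, e.g. "MSIE [1-5]\.", closes that gap, and the leading and trailing ".*" can be dropped because BrowserMatch already does an unanchored regex match. Also note that ssl-unclean-shutdown stays on the same BrowserMatch line and is therefore narrowed together with the HTTP downgrade, while the log message only talks about the downgrade in http behavior; if newer MSIE versions still need the unclean shutdown handling, it should live on its own BrowserMatch "MSIE" line.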
> 
> There was a discussion[1,2] at some ApacheCon about improving defaults
> for this BrowserMatch (and for SSLCipherSuite). The discussion ended
> with the suggestion:
> 
> BrowserMatch "MSIE" ssl-unclean-shutdown
> BrowserMatch "MSIE [2-5]" nokeepalive downgrade-1.0 force-response-1.0
> 
> So should we keep "ssl-unclean-shutdown" for all MSIE versions?
> 
> Regards,
> 
> Rainer
> 
> [1] http://marc.info/?t=125754163900002&r=1&w=2
> [2] http://marc.info/?t=125754970200003&r=1&w=2

-- 
Igor Galić

Tel: +43 (0) 699 122 96 338
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
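
An added illustration, not part of the original message or of httpd's own code: it evaluates the three BrowserMatch variants discussed in this thread (the rule before r966055, the committed rule, and the suggestion quoted from the earlier list discussion) against constructed User-Agent strings. It approximates BrowserMatch with Python's re.search; the sample agents and the function names are assumptions.

```python
import re

DOWNGRADE = ["nokeepalive", "downgrade-1.0", "force-response-1.0"]
UNCLEAN = ["ssl-unclean-shutdown"]

# BrowserMatch rule sets from the thread: (regex, variables set on match).
RULESETS = {
    "before r966055": [(r".*MSIE.*", DOWNGRADE + UNCLEAN)],
    "r966055": [(r".*MSIE [1-5].*", DOWNGRADE + UNCLEAN)],
    "list suggestion": [(r"MSIE", UNCLEAN), (r"MSIE [2-5]", DOWNGRADE)],
}

# Constructed sample User-Agent strings (not taken from the thread).
SAMPLE_AGENTS = {
    "IE5": "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)",
    "IE6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "IE8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
    "two-digit": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)",
    "other": "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6",
}


def env_for(ruleset, user_agent):
    """Variables the named rule set would set for this User-Agent.

    Assumes BrowserMatch's unanchored, case-sensitive regex search, which
    re.search reproduces for these simple patterns.
    """
    env = set()
    for pattern, variables in RULESETS[ruleset]:
        if re.search(pattern, user_agent):
            env.update(variables)
    return env


def report():
    """Return {ruleset: {agent label: sorted variable list}} for the samples."""
    return {name: {label: sorted(env_for(name, ua))
                   for label, ua in SAMPLE_AGENTS.items()}
            for name in RULESETS}


if __name__ == "__main__":
    for name, rows in report().items():
        print(name)
        for label, variables in rows.items():
            print(f"  {label:10} {', '.join(variables) or '-'}")
```

The output shows where the variants differ: under r966055 the IE6 and IE8 samples get no variables at all, including ssl-unclean-shutdown, while the list suggestion keeps ssl-unclean-shutdown for every MSIE agent and limits the HTTP/1.0 downgrade to versions 2 through 5.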
