httpd-dev mailing list archives

From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: Improving SSL config
Date Fri, 18 Nov 2011 05:33:47 GMT
On 17.11.2011 13:18, Nick Gearls wrote:
> Isn't it safer to only accept explicit entries, like
> 
> SSLCipherSuite -ALL:RC4-SHA:AES128-SHA:TLSv1+HIGH:SSLv3+HIGH:-aNULL
> SSLProtocol    -ALL +SSLv3 +TLSv1

It depends on the directive. For SSLCipherSuite, the string is just
passed verbatim to SSL_CTX_set_cipher_list(), so it's OpenSSL's behavior
which is relevant. In this case, saying "-ALL:HIGH" is the same as
saying "HIGH" only.

SSLProtocol, on the other hand, is handled by mod_ssl itself, and if you
want to turn on multiple protocols with "+" (instead of just configuring
a single one, like "SSLProtocol TLSv1"), then that's indeed a valid
reason for starting with "-all". But now, after having dropped SSLv2
support in r1203491/r1203495, "all" simply stands for "+SSLv3 +TLSv1",
so we might just leave the default config as is - i.e., not have any
SSLProtocol directive in docs/conf/extra/httpd-ssl.conf.

Kaspar
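
The equivalence claimed above for SSLCipherSuite strings can be checked against OpenSSL directly. This is an added example, not code from the thread or from httpd: it uses Python's ssl module, whose set_ciphers() hands the string to OpenSSL unchanged (as mod_ssl does), and get_ciphers() to read back what was selected.

```python
import ssl


def cipher_names(spec: str) -> list:
    """Ciphers OpenSSL selects for a cipher-list string such as an
    SSLCipherSuite value.  The string reaches OpenSSL verbatim, so the
    '-' / '!' / '+' semantics are OpenSSL's, not mod_ssl's."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError on a malformed string
    # TLS 1.3 suites are not governed by this string and are always
    # listed, so drop them to compare only what the string controls.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def equivalent(spec_a: str, spec_b: str) -> bool:
    """True when two strings select the same ciphers in the same order."""
    return cipher_names(spec_a) == cipher_names(spec_b)


def removed_by(spec: str, alias: str) -> list:
    """Names selected by `spec` that disappear once `-alias` is appended.
    '-' only deletes from the list built so far, which is why a leading
    '-ALL' applied to the initially empty list changes nothing."""
    before = cipher_names(spec)
    after = set(cipher_names(f"{spec}:-{alias}"))
    return [name for name in before if name not in after]


if __name__ == "__main__":
    print("-ALL:HIGH same as HIGH:", equivalent("-ALL:HIGH", "HIGH"))
    print("dropped by HIGH:-AES:", removed_by("HIGH", "AES"))
```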
