httpd-dev mailing list archives

From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: Improving SSL config
Date Sat, 19 Nov 2011 06:59:15 GMT
On 18.11.2011 18:47, Rainer Jung wrote:
> Fine with me. Current SSLCipherSuite for 2.2 definitely needs 
> improvement and latest 2.4 should be the way to go.
> 
> Except: Since SSLv2 is still available for 2.2, the -SSLv2 is needed in 
> the cipher list.
> 
> Please feel free to go ahead and remove my proposal.

Ok, done (r1203962). There's no need to have -SSLv2 in SSLCipherSuite,
because "!MD5" will already blow away all those ciphers (SSLv2 only uses
MD5).

What makes sense, OTOH, is adding "SSLProtocol all -SSLv2" to the 2.2.x
config - this makes sure that SSLv2 isn't used even if an admin later
changes the cipher list and "accidentally" reintroduces SSLv2 ciphers.

Kaspar
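
Added example (not part of the message above or of the httpd code base): a Python sketch of a config check for the point made in the message, flagging a 2.2.x-style config where SSLv2 is kept out only by "!MD5" in the cipher list rather than by SSLProtocol. It assumes a protocol set of SSLv2, SSLv3 and TLSv1 with a default of "all", takes the message's statement that "!MD5" removes every SSLv2 cipher as given, and uses hypothetical function names and constructed sample configs.

```python
import re

# Protocols mod_ssl 2.2.x knows (assumption of this sketch); "all" means every one.
PROTOCOLS = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}

def enabled_protocols(args):
    """Evaluate SSLProtocol arguments: +x adds, -x removes, a bare x replaces."""
    enabled = set(PROTOCOLS.values())          # assumed default: "all"
    for tok in args.split():
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        if name.lower() == "all":
            group = set(PROTOCOLS.values())
        elif name.lower() in PROTOCOLS:
            group = {PROTOCOLS[name.lower()]}
        else:
            raise ValueError("unknown protocol: " + tok)
        if action == "+":
            enabled |= group
        elif action == "-":
            enabled -= group
        else:
            enabled = set(group)
    return enabled

def audit(config_text):
    """Flag configs where SSLv2 is not disabled at the protocol level.
    Simplified: last directive wins, <VirtualHost> scoping is ignored."""
    seen = {"sslprotocol": "all", "sslciphersuite": ""}
    for line in config_text.splitlines():
        m = re.match(r"\s*(SSLProtocol|SSLCipherSuite)\s+(.+?)\s*$", line, re.I)
        if m:
            seen[m.group(1).lower()] = m.group(2).strip('"')
    if "SSLv2" not in enabled_protocols(seen["sslprotocol"]):
        return []
    if "!MD5" in re.split(r"[:, ]+", seen["sslciphersuite"]):
        return ["SSLv2 is kept out only by !MD5 in SSLCipherSuite; "
                "add 'SSLProtocol all -SSLv2'"]
    return ["SSLv2 is enabled and the cipher list does not exclude MD5 ciphers"]

# Constructed sample configs (the cipher strings are illustrative only).
CIPHERS_ONLY = "SSLEngine on\nSSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5\n"
HARDENED = CIPHERS_ONLY + "SSLProtocol all -SSLv2\n"
EDITED_LATER = "SSLProtocol all -SSLv2\nSSLCipherSuite ALL\n"

if __name__ == "__main__":
    for name in ("CIPHERS_ONLY", "HARDENED", "EDITED_LATER"):
        print(name, audit(globals()[name]))
```

EDITED_LATER is the case the message worries about: the cipher list has been changed, and the config still passes because SSLProtocol disables SSLv2 on its own.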
