httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: svn commit: r1677721 - /httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in
Date Tue, 05 May 2015 17:44:07 GMT
On Tue, May 5, 2015 at 12:35 PM, Eric Covener <covener@gmail.com> wrote:

> On Tue, May 5, 2015 at 1:28 PM, William A Rowe Jr <wrowe@rowe-clan.net>
> wrote:
> > Was hoping for md4 vs. aes128 comparisons, (and AES-NI isn't everywhere,
> > but will be, soon enough).
> >
> > While I agree md4 is less desirable, if we were going to make a
> > recommendation,
> > I'd go with favoring aes128 over md4 but retain md4 as a backup, in
> forced
> > server
> > preference.  And label this a known-insecure configuration.
>
> Do you mean RC4?  I think the conventional wisdom (of the moment) is
> to remove RC4 completely.
>

Yes - sorry.  I suggest we remove the 'optimized' example altogether, and
will go ahead with that if nobody objects.  We obviously don't keep up.  I
will also duplicate the SSLCipherList to SSLProxyCipherList (all examples
are now in global scope).

I propose we replace the 'optimized' example with the following;

#  Effective 2017, only TLSv1.2 ciphers should be in use.
#  Older ciphers should be disallowed as soon as possible, however
#  much older clients such as IE6 SP2 on XP may still be in use.
#  Replace the SSLCipherSuite and SSLProxyCipherSuite directives
#  above with these directives to restrict mod_ssl to TLSv1.2 ciphers
#  as soon as this is practical.
# SSLCipherSuite TLSv1.2:!eNULL
# SSLProxyCipherSuite TLSv1.2:!eNULL

Thoughts?

Mime
View raw message