httpd-dev mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: SSL/TLS best current practice
Date Wed, 27 May 2015 16:10:33 GMT
On Wed, May 27, 2015 at 5:58 PM, William A Rowe Jr <wrowe@rowe-clan.net> wrote:
> On Tue, May 26, 2015 at 11:45 AM, Andy Wang <awang@ptc.com> wrote:
>>
>> I initially thought openssl disabled the NULL ones by default but when I
>> started playing with openssl cipher strings and saw them I got confused.
>> Didn't even consider that httpd did it automatically.  Documenting it would
>> be a nice touch. Thanks for doing that.
>
>
> As it turns out, 0.9.2b disabled aNULL/eNULL by default.

Yes, if you don't specify any ciphersuite (i.e. no SSLCipherSuite in httpd).

>  Export ciphers are
> disabled by default as of 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.

AFAICT, they are not even selectable (not in ALL and EXP is ignored)...

>
> Here's my proposed comment to inject in trunk/2.4/2.2 default httpd-ssl.conf
> - any adjustments here?
>
> # httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
> # while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.

+1
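
Added example (not part of the original message and not httpd or OpenSSL code): a small audit that reads SSLCipherSuite lines from a config and reports, for each of the three classes named in the thread, whether the string itself excludes it with `!` or leaves that to the httpd force-disable and OpenSSL defaults discussed above. The function names and the sample config are constructed for illustration, and the check is a heuristic that only looks at the bare class names (with the OpenSSL aliases NULL and EXPORT) and their `!`, `-`, `+` prefixes.

```python
import re
import shlex

# The three classes from the thread; NULL and EXPORT are OpenSSL aliases.
CLASSES = {"aNULL": {"aNULL"}, "eNULL": {"eNULL", "NULL"}, "EXP": {"EXP", "EXPORT"}}

# Constructed sample config (not from the thread).
SAMPLE = """\
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP
</VirtualHost>
<VirtualHost *:8443>
    SSLCipherSuite ALL:+HIGH:+MEDIUM:+EXP:eNULL
</VirtualHost>
"""

def audit_cipher_spec(spec):
    """Return {class: 'killed' | 'enabled' | 'implicit'} for one cipher string."""
    state = {name: "implicit" for name in CLASSES}
    for token in re.split(r"[:, ]+", spec.strip()):
        if not token:
            continue
        op = token[0] if token[0] in "!-+" else ""
        name = token[len(op):]
        for cls, aliases in CLASSES.items():
            if name not in aliases or state[cls] == "killed":
                continue                    # '!' is permanent, nothing re-adds it
            if op == "!":
                state[cls] = "killed"
            elif op == "":
                state[cls] = "enabled"      # class named outright
            elif op == "-":
                state[cls] = "implicit"     # removed for now, may be re-added
            # '+' only reorders ciphers already selected, so no state change
    return state

def audit_config(text):
    """Return (line number, cipher string, state) for each SSLCipherSuite line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        args = shlex.split(line) if not line.lstrip().startswith("#") else []
        if len(args) >= 2 and args[0].lower() == "sslciphersuite":
            findings.append((lineno, args[-1], audit_cipher_spec(args[-1])))
    return findings

if __name__ == "__main__":
    for lineno, spec, state in audit_config(SAMPLE):
        open_classes = [c for c, s in state.items() if s != "killed"]
        print(f"line {lineno}: {spec} -> not excluded by the string: {open_classes or 'none'}")
```
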
