httpd-dev mailing list archives

From Graham Leggett <minf...@sharp.fm>
Subject Re: H2 compatible ciphers (was: svn commit: r1708593)
Date Fri, 16 Oct 2015 11:36:01 GMT

On 16 Oct 2015, at 12:56 PM, Stefan Eissing <stefan.eissing@greenbytes.de> wrote:

> I am not blacklisting ciphers for the whole server. I try to define
> the security settings required for HTTP/2 as defined in the standard -
> as a configurable directive.
> 
> There is no problem with denying HTTP/2 support for an IE8.

I am wondering whether the cipher blacklist shouldn’t be a configurable list with a default
set of RFC compliant values in the default config file, perhaps with shortcuts like naming
a blacklist after an RFC.

Fitting this in with the existing infrastructure this could be as simple as extending the
SSLCipherSuite directive to support this:

SSLCipherSuite -RFC7540

Maybe this is actually an openssl problem rather than an httpd problem; it could be that openssl
needs to be taught how to blacklist RFC7540 as a group.

Regards,
Graham
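Added example, not part of the message above and not httpd or OpenSSL code: a sketch of what the proposed `-RFC7540` group would remove from a suite list. It assumes IANA-style TLS 1.2 suite names and approximates the RFC 7540 Appendix A blacklist by the criteria that appendix states (no ephemeral key exchange, or a null, stream or block cipher) instead of reproducing the literal list; the function names and the sample list are constructed for illustration.

```python
# Added illustration: rule-based approximation of the RFC 7540 Appendix A
# blacklist. The RFC's literal list is authoritative; this applies the
# criteria the appendix gives for how that list was assembled.

EPHEMERAL_KX = {"DHE", "ECDHE"}          # key exchanges with forward secrecy
AEAD_TOKENS = {"GCM", "CCM", "POLY1305"}  # AEAD modes; everything else is
                                          # null, stream (RC4) or block (CBC)


def is_h2_blacklisted(iana_name: str) -> bool:
    """Return True if a TLS 1.2 suite name fails the Appendix A criteria."""
    if not iana_name.startswith("TLS_") or "_WITH_" not in iana_name:
        raise ValueError(f"not a TLS 1.2 style suite name: {iana_name!r}")
    kx, cipher = iana_name[len("TLS_"):].split("_WITH_", 1)
    # Token match so that DH_anon and static DH_RSA do not count as DHE.
    ephemeral = any(tok in EPHEMERAL_KX for tok in kx.split("_"))
    aead = bool(AEAD_TOKENS & set(cipher.split("_")))
    return not (ephemeral and aead)


def apply_minus_rfc7540(suites):
    """Split a preference-ordered suite list into (kept, removed)."""
    kept, removed = [], []
    for name in suites:
        (removed if is_h2_blacklisted(name) else kept).append(name)
    return kept, removed


# Constructed sample of a server's configured suites, in preference order.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",   # block cipher (CBC)
    "TLS_RSA_WITH_AES_128_GCM_SHA256",         # static RSA key exchange
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_RC4_128_SHA",                # stream cipher, static RSA
    "TLS_DH_anon_WITH_AES_128_GCM_SHA256",     # not ephemeral, anonymous
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
]

if __name__ == "__main__":
    kept, removed = apply_minus_rfc7540(SAMPLE_SUITES)
    print("usable for HTTP/2:", *kept, sep="\n  ")
    print("removed by the group:", *removed, sep="\n  ")
```

If the kept list comes back empty for a virtual host's configured suites, that host cannot negotiate HTTP/2 under these criteria even though TLS itself still works.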