httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: SSL and Usability and Safety
Date Wed, 03 May 2017 09:46:43 GMT
On 3 May 2017, at 10:03, Issac Goldstand <margol@beamartyr.net> wrote:
> 
> +1 on the idea
> 
> So far I'm -0 about all of the proposed implementations for 2 reasons:
> 
> 1) Mr and Mrs normal (who are our primary customers in the original
> proposal) usually download Apache from their distro or some other
> binary.  Their Apache sources are usually not up-to-date, and in the
> scenario that a new vulnerability is found it would take ages to
> propagate to them, anyway
> 
> 2) For those users who are comfortable building their own source, they
 ….

So how about ‘us’ taking the lead here. 

We, here, simply define ‘one’ setting as the industry best standard - which roughly corresponds
to what would get you an A+ in the ssllabs test and that pretty much meets or exceeds the various
NIST et al. recommendations for key lengths for the next 5 years.

We’d wrap this into a simple policy document. Promise ourselves that we’d check this
every release and at least once a year review it. And have a small list of the versions currently
meeting or exceeding our policy.

And this is the setting you get when you do ‘SSLEngine On’.

Everything else stays as is.

Dw

