httpd-dev mailing list archives

From Dirk-Willem van Gulik <>
Subject Re: SSL Policy Definitions
Date Wed, 03 May 2017 12:25:01 GMT

> On 3 May 2017, at 14:09, Graham Leggett <> wrote:
> On 03 May 2017, at 2:01 PM, Stefan Eissing <> wrote:
>> We seem to all agree that a definition in code alone will not be good enough. People need to be able to see what is actually in effect.
> I think we’re overthinking this.
> We only need to document the settings that SSLSecurityLevel has clearly in our docs, and make sure that "httpd -L" prints out the exact details so no user need ever get confused.
>> If we let users define their own classes, it could look like this:
> Immediately we’ve jumped into functionality that is beyond Mr/Mrs Normal.

Agreed. If our default is simply ‘industry best practice’ (i.e. what we say it is*) —
then Normal will be the new black.

And everyone else is still in the same boat - i.e. having to specify it just like they do

All that requires it to make the defaults sane.


*: exceed NIST and <> for 5+ years,
PFS, A or better at SSLLabs.
