From: Graham Leggett
To: dev@httpd.apache.org
Subject: Re: SSL and Usability and Safety
Date: Wed, 3 May 2017 02:29:02 +0200

On 02 May 2017, at 3:19 PM, Stefan Eissing <stefan.eissing@greenbytes.de> wrote:

> How can we help Mr and Ms Normal to stay up to date on these things?
>
> - We cannot rewrite their config unasked. We need to be backward compatible.
> - Our defaults nowadays are dangerously unsafe, so users MUST do their own settings.
>
> I advocate that we need (yet another!) SSL directive where administrators can declare their *intent*.
>
> A. "I want my site safe and usable with modern browsers!"
> B. "I want a safe setting, but people with slightly out-dated clients should be served as well."
> C. "I sadly need compatibility to some very old clients."

This makes a lot of sense, and there is a lot of precedent for this.

AWS load balancers take an "intent" policy string based on a date, with the option of a "default" value:

http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-config-update.html

------------------------------------------
|      DescribeLoadBalancerPolicies      |
+----------------------------------------+
|               PolicyName               |
+----------------------------------------+
|  ELBSecurityPolicy-2016-08             |
|  ELBSecurityPolicy-2015-05             |
|  ELBSecurityPolicy-2015-03             |
|  ELBSecurityPolicy-2015-02             |
|  ELBSecurityPolicy-2014-10             |
|  ELBSecurityPolicy-2014-01             |
|  ELBSecurityPolicy-2011-08             |
|  ELBSample-ELBDefaultCipherPolicy      |
|  ELBSample-OpenSSLDefaultCipherPolicy  |
+----------------------------------------+

Implementation-wise, we could have a directive that is used to select the default values of various parameters, for example:

SSLSecurityLevel latest

or

SSLSecurityLevel 2017-05

Regards,
Graham
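As an added example, not from Graham's mail or from httpd itself: a small Python sketch of how a date-based SSLSecurityLevel directive could choose defaults, where "latest" tracks the newest policy, a YYYY-MM value pins the newest policy published no later than that month, and directives the administrator wrote explicitly still win. The policy table and the mod_ssl values in it are constructed for illustration, not real httpd or AWS policy content.

```python
from datetime import date

# Constructed policy table for this example (not httpd's or AWS's real
# content): publication month -> the mod_ssl defaults that policy selects.
POLICIES = {
    date(2014, 1, 1): {
        "SSLProtocol": "all -SSLv2 -SSLv3",
        "SSLCipherSuite": "HIGH:!aNULL:!MD5",
        "SSLHonorCipherOrder": "on",
    },
    date(2016, 8, 1): {
        "SSLProtocol": "-all +TLSv1.1 +TLSv1.2",
        "SSLCipherSuite": "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5",
        "SSLHonorCipherOrder": "on",
    },
    date(2017, 5, 1): {
        "SSLProtocol": "-all +TLSv1.2",
        "SSLCipherSuite": "ECDHE+AESGCM:!aNULL:!MD5",
        "SSLHonorCipherOrder": "on",
    },
}


def resolve_security_level(value):
    """Map 'latest' or 'YYYY-MM' to the newest policy not newer than that month.

    Pinning a month keeps an existing config meaning the same thing when a
    newer policy ships (the backward-compatibility point); 'latest' tracks it.
    """
    if value == "latest":
        return POLICIES[max(POLICIES)]
    try:
        year, month = (int(part) for part in value.split("-"))
        requested = date(year, month, 1)
    except ValueError:
        raise ValueError("SSLSecurityLevel expects 'latest' or YYYY-MM, got %r" % value)
    candidates = [published for published in POLICIES if published <= requested]
    if not candidates:
        raise ValueError("no policy as old as %s; oldest is %s"
                         % (value, min(POLICIES).strftime("%Y-%m")))
    return POLICIES[max(candidates)]


def effective_settings(level, explicit):
    """The policy only supplies defaults: directives the admin wrote win."""
    settings = dict(resolve_security_level(level))
    settings.update(explicit)
    return settings
```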