httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Ruggeri <>
Subject Re: SSLPolicy
Date Sat, 05 Aug 2017 00:17:26 GMT
If I extrapolate on the idea of what Nick is saying, it sounds like it could be a proposal
to simply define these SSL policies in a macro. Personally, I prefer that approach over adding
another set of directives (but it's a preference, not an opposition). The downside is that
mod_macro would need to be loaded to take advantage of the macros we define. Surely some autoconf
magics could be used that say 'if mod_macro and mod_ssl are compiled, render this set of macros
in the ssl section.'
Daniel Ruggeri

-------- Original Message --------
From: Luca Toscano <>
Sent: August 4, 2017 6:38:16 AM CDT
To: Apache HTTP Server Development List <>,
Subject: Re: SSLPolicy

Hi Nick,

2017-08-04 13:06 GMT+02:00 Nick Gearls <>:

> This can be done using mod_macro without any additional code

my 2c: Stefan's point is to simplify the management of things that have
been done up to now using workarounds and elegant hacks:

> On 04-08-2017 11:26, Stefan Eissing wrote:
>> The Benefits I'd like to achieve with this:
>> A. A name makes it easier to talk about used/recommended configurations.
>> It
>>     also makes it easy for admins to apply a known set of policies. It is
>>     less error prone.
>> B. SSLPolicy definitions can be updated by us or by distributions, since
>> the
>>     config defining the policies need not be edited by the user, e.g. can
>> be
>>     replaced in an update. This way, a broken cipher/protocol can be
>> updated
>>     away in policies we/distributions define. This should help increase
>> security
>>     of https on the internet.
I agree that mod_macro is flexible enough to improve the reusability of
httpd's configuration, but I don't think that the goals that Stefan has in
mind are satisfiable with your proposed solution.


View raw message