httpd-dev mailing list archives

From Stefan Eissing <>
Subject Re: SSLPolicy
Date Sat, 05 Aug 2017 19:17:00 GMT

> On 05.08.2017 at 13:28, Gillis J. de Nijs <> wrote:
> When you use Let's Encrypt, the default is to include /etc/letsencrypt/options-ssl-apache.conf
> in your config.  That's (presumably) updated whenever you update the certbot package.  Similarly,
> I suppose you can just put your own SSL settings in a file that you include.  I was trying
> some settings, so I have /etc/apache2/ssl/cipherlist-strong.conf and /etc/apache2/ssl/mozilla-modern.conf
> for example.  But I don't think this allows for merging of policies.

As you might know, I am working on getting Let's Encrypt certificates into Apache natively.
So, I am looking for ways to provide easy SSL configurations for people that ship with Apache
(the configs, not the people). Without affecting any existing configs and without taking anything
away from operators, of course.

> On Sat, Aug 5, 2017 at 2:17 AM, Daniel Ruggeri <> wrote:
> If I extrapolate on the idea of what Nick is saying, it sounds like it could be a proposal
> to simply define these SSL policies in a macro. Personally, I prefer that approach over adding
> another set of directives (but it's a preference, not an opposition). The downside is that
> mod_macro would need to be loaded to take advantage of the macros we define. Surely some autoconf
> magics could be used that say 'if mod_macro and mod_ssl are compiled, render this set of macros
> in the ssl section.'
> -- 
> Daniel Ruggeri
> From: Luca Toscano <>
> Sent: August 4, 2017 6:38:16 AM CDT
> To: Apache HTTP Server Development List <>,
> Subject: Re: SSLPolicy
> Hi Nick,
> 2017-08-04 13:06 GMT+02:00 Nick Gearls <>:
> This can be done using mod_macro without any additional code
> my 2c: Stefan's point is to simplify the management of things that have been done up
> to now using workarounds and elegant hacks:
> On 04-08-2017 11:26, Stefan Eissing wrote:
> The Benefits I'd like to achieve with this:
> A. A name makes it easier to talk about used/recommended configurations. It
>     also makes it easy for admins to apply a known set of policies. It is
>     less error prone.
> B. SSLPolicy definitions can be updated by us or by distributions, since the
>     config defining the policies need not be edited by the user, e.g. can be
>     replaced in an update. This way, a broken cipher/protocol can be updated
>     away in policies we/distributions define. This should help increase security
>     of https on the internet.
> I agree that mod_macro is flexible enough to improve the reusability of httpd's configuration,
> but I don't think that the goals that Stefan has in mind are satisfiable with your proposed
> Luca 
