httpd-dev mailing list archives

From "Gillis J. de Nijs" <>
Subject Re: SSLPolicy
Date Sat, 05 Aug 2017 11:28:14 GMT
When you use Let's Encrypt, the default is to
include /etc/letsencrypt/options-ssl-apache.conf in your config.  That's
(presumably) updated whenever you update the certbot package.  Similarly, I
suppose you can just put your own SSL settings in a file that you include.
I was trying some settings, so I have
/etc/apache2/ssl/cipherlist-strong.conf and
/etc/apache2/ssl/mozilla-modern.conf for example.  But I don't think this
allows for merging of policies.

On Sat, Aug 5, 2017 at 2:17 AM, Daniel Ruggeri <> wrote:

> If I extrapolate on the idea of what Nick is saying, it sounds like it
> could be a proposal to simply define these SSL policies in a macro.
> Personally, I prefer that approach over adding another set of directives
> (but it's a preference, not an opposition). The downside is that mod_macro
> would need to be loaded to take advantage of the macros we define. Surely
> some autoconf magics could be used that say 'if mod_macro and mod_ssl are
> compiled, render this set of macros in the ssl section.'
> --
> Daniel Ruggeri
> ------------------------------
> *From:* Luca Toscano <>
> *Sent:* August 4, 2017 6:38:16 AM CDT
> *To:* Apache HTTP Server Development List <>,
> *Subject:* Re: SSLPolicy
> Hi Nick,
> 2017-08-04 13:06 GMT+02:00 Nick Gearls <>:
>> This can be done using mod_macro without any additional code
> my 2c: Stefan's point is to simplify the management of things that have
> been done up to now using workarounds and elegant hacks:
>> On 04-08-2017 11:26, Stefan Eissing wrote:
>>> The Benefits I'd like to achieve with this:
>>> A. A name makes it easier to talk about used/recommended configurations. It
>>>     also makes it easy for admins to apply a known set of policies. It is
>>>     less error prone.
>>> B. SSLPolicy definitions can be updated by us or by distributions, since the
>>>     config defining the policies need not be edited by the user, e.g. can be
>>>     replaced in an update. This way, a broken cipher/protocol can be updated
>>>     away in policies we/distributions define. This should help increase security
>>>     of https on the internet.
> I agree that mod_macro is flexible enough to improve the reusability of
> httpd's configuration, but I don't think that the goals that Stefan has in
> mind are satisfiable with your proposed solution.
> Luca
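
The two workarounds discussed in this thread (an included settings file and a mod_macro definition), sketched as an added example that is not from any of the posters or from the httpd project. The macro name, host name, certificate paths and cipher values are constructed for illustration, and the contents of the include file are assumed.

```apache
# Added example. Macro name, host name, paths and cipher values are
# constructed; this is not a vetted TLS recommendation.
LoadModule ssl_module modules/mod_ssl.so
# mod_macro must be loaded before <Macro> and Use can be parsed.
LoadModule macro_module modules/mod_macro.so

# Workaround 1: keep the policy in a file and include it where needed.
# The path is the one named in the message; its contents are assumed to be
# plain SSL* directives like those inside the macro below.
#   Include /etc/apache2/ssl/mozilla-modern.conf

# Workaround 2: give the same set of directives a name with mod_macro.
<Macro SSLPolicyModern>
    SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder on
    SSLCompression      off
</Macro>

<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem

    # Expands in place to the four directives defined above.
    Use SSLPolicyModern

    # Pitfall for both workarounds: a later directive in the same context
    # replaces the earlier value instead of merging with it. This line
    # silently re-enables TLSv1 and TLSv1.1 despite the policy above.
    SSLProtocol all -SSLv3
</VirtualHost>
```

When auditing a host configured this way, check the effective value after all Include and Use expansions, since the last SSLProtocol or SSLCipherSuite in a context is the one that applies.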
