httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gillis J. de Nijs" <gil...@jink.net>
Subject Re: SSLPolicy
Date Sat, 05 Aug 2017 11:28:14 GMT
When you use Let's Encrypt, the default is to
include /etc/letsencrypt/options-ssl-apache.conf in your config.  That's
(presumably) updated whenever you update the certbot package.  Similarly, I
suppose you can just put your own SSL settings in a file that you include.
I was trying some settings, so I have
/etc/apache2/ssl/cipherlist-strong.conf and
/etc/apache2/ssl/mozilla-modern.conf for example.  But I don't think this
allows for merging of policies.

On Sat, Aug 5, 2017 at 2:17 AM, Daniel Ruggeri <druggeri@primary.net> wrote:

> If I extrapolate on the idea of what Nick is saying, it sounds like it
> could be a proposal to simply define these SSL policies in a macro.
> Personally, I prefer that approach over adding another set of directives
> (but it's a preference, not an opposition). The downside is that mod_macro
> would need to be loaded to take advantage of the macros we define. Surely
> some autoconf magics could be used that say 'if mod_macro and mod_ssl are
> compiled, render this set of macros in the ssl section.'
> --
> Daniel Ruggeri
>
> ------------------------------
> *From:* Luca Toscano <toscano.luca@gmail.com>
> *Sent:* August 4, 2017 6:38:16 AM CDT
> *To:* Apache HTTP Server Development List <dev@httpd.apache.org>,
> nickgearls@gmail.com
> *Subject:* Re: SSLPolicy
>
> Hi Nick,
>
> 2017-08-04 13:06 GMT+02:00 Nick Gearls <nickgearls@gmail.com>:
>
>> This can be done using mod_macro without any additional code
>
>
> my 2c: Stefan's point is to simplify the management of things that have
> been done up to now using workarounds and elegant hacks:
>
>
>> On 04-08-2017 11:26, Stefan Eissing wrote:
>>>
>>>
>>> The Benefits I'd like to achieve with this:
>>> A. A name makes it easier to talk about used/recommended configurations.
>>> It
>>>     also makes it easy for admins to apply a known set of policies. It is
>>>     less error prone.
>>> B. SSLPolicy definitions can be updated by us or by distributions, since
>>> the
>>>     config defining the policies need not be edited by the user, e.g.
>>> can be
>>>     replaced in an update. This way, a broken cipher/protocol can be
>>> updated
>>>     away in policies we/distributions define. This should help increase
>>> security
>>>     of https on the internet.
>>>
>>
> I agree that mod_macro is flexible enough to improve the reusability of
> httpd's configuration, but I don't think that the goals that Stefan has in
> mind are satisfiable with your proposed solution.
>
> Luca
>

Mime
View raw message