httpd-dev mailing list archives

From Yann Ylavic <>
Subject Re: svn commit: r1824465 - /httpd/httpd/patches/2.4.x/mod_ssl_policy.diff
Date Mon, 19 Feb 2018 09:54:02 GMT
On Mon, Feb 19, 2018 at 10:42 AM, Stefan Eissing
<> wrote:
> After pondering your comments and questions a bit over the weekend, I decided to
> withdraw the backport proposal for 2.4.x. Instead, I will simplify SSLPolicy in
> trunk and propose a backport for the next release.
> My current thinking is to get rid of "<SSLPolicyDefine>" and just introduce
> a fixed "SSLPolicy modern|intermediate|old" which is updated from the Mozilla
> definitions of these terms (a script for that is already in modules/ssl). This
> will only apply to the client facing SSL properties.
> "SSLPolicy" will then just act as a normal SSL configuration directive, that
> sets a defined number of parameters. Those parameters will get updated in our
> releases (and by distros if they want to update an LTS version with a more secure
> setting).
> It can be overridden by site admins, just like any other directive. The configuration
>    SSLProtocol all
>    SSLPolicy modern
> would just enable TLSv1.2 (and newer), while
>    SSLPolicy modern
>    SSLProtocol +TLSv1.3
> would override it.

Looks good to me.

The all in one defined policy is interesting still, let's take the
time to think more about it.
It could possibly be implemented as macros too, no?
