httpd-docs mailing list archives

From Yann Ylavic <>
Subject Re: Requesting review for SSL how-to changes (r1757280)
Date Thu, 25 Aug 2016 22:56:18 GMT
On Fri, Aug 26, 2016 at 12:34 AM, William A Rowe Jr <> wrote:
> Exclusion lists are far preferable to allow lists. .conf files seem to
> persist for a decade and longer. There is no anticipating what will be
> added to the list of unwise ciphers a year from now, but that goes for an
> explicit list or for an exception list.
>
> Our how-to should illustrate that specific ciphers *can* be selected. But
> the specifics should be up to the underlying crypto support library. Users
> will keep their underlying crypto library more up-to-date than the httpd
> server in the majority of cases.
>
> SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
> SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
>
> are our current default config recommendations (and Tomcat's, FWIW).

We probably should use "DEFAULT:!MEDIUM:!LOW" (we already forcibly
exclude EXPORT in the code) instead of "HIGH:MEDIUM", that's supposed
to be up to date with security.

> Very shortly, !SHA1 is going to be added to that list. This ends at year end
> AIUI, and it becomes most difficult to obtain a commercial non-SHA256
> signed cert.

SHAx is used for MAC, and does have to match certificates signing.
If we exclude SHA1, we break clients capable of AES{128,256}-SHA (or
DHE-*-SHA, or 3DES-SHA) only, that's the same as providing a hardened
CipherSuite only.
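
Added example, not part of the original message: a way to check against the locally installed OpenSSL which suites each cipher string from this thread expands to, and which ones disappear once `!SHA1` is appended. It uses Python's standard `ssl` module; the function names are illustrative, and the output depends on the OpenSSL version Python is linked against.

```python
import ssl

# Cipher strings quoted in the thread.
CURRENT_DEFAULT = "HIGH:MEDIUM:!MD5:!RC4"
PROPOSED = "DEFAULT:!MEDIUM:!LOW"


def expand(cipher_string):
    """Return {suite name: MAC digest} as the local OpenSSL expands the string.

    TLS 1.3 suites are skipped: OpenSSL configures them separately, so
    these cipher strings do not select or exclude them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return {
        c["name"]: c["digest"]
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3"
    }


def dropped_by_exclusion(cipher_string, exclusion="!SHA1"):
    """Suites that vanish when `exclusion` is appended to `cipher_string`."""
    before = expand(cipher_string)
    try:
        after = expand(f"{cipher_string}:{exclusion}")
    except ssl.SSLError:
        # OpenSSL rejects a string that selects no suite at all.
        after = {}
    return {name: mac for name, mac in before.items() if name not in after}


if __name__ == "__main__":
    print("linked against:", ssl.OPENSSL_VERSION)
    for label, string in (("current", CURRENT_DEFAULT), ("proposed", PROPOSED)):
        suites = expand(string)
        removed = dropped_by_exclusion(string)
        print(f"\n{label}: {string}")
        print(f"  {len(suites)} suites selected, {len(removed)} dropped by !SHA1")
        for name in sorted(removed):
            # The digest column is the record MAC, not the certificate signature.
            print(f"    {name:32} MAC={removed[name]}")
```

A client that offers only suites from the dropped list can no longer negotiate a connection once the exclusion is deployed, so the list is worth comparing against the clients seen in the server's access logs first.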
