Hi Dirk,

>> This doesn't work on EL7 or EL6. If this exact SSLCipherSuite is used,
>> Apache fails to restart:
>
> No, this is not correct.
>
> I did replace the original SSLCipherSuite within a site<nr> with the
> SSLCipherSuite I posted and it is working with an A rating and no WEAK Ciphers

Yeah, I just tried that as well and it indeed works there, but not if we use Apache2::ServerUtil() to dynamically create that config. Apache is probably more forgiving if unsupported ciphers are statically loaded via the Apache config files than it is when we try to shove the same config in via Apache2::ServerUtil().

But the fact remains: That line contains unsupported ciphers. I'd rather not deploy a "faulty" config. So I'll see if I can identify the ciphers that aren't working and will see if I can get us something that works without complaints.

> +1 for your nginx idea and not only as proxy for 443 also for 80.

You mean let us use Nginx as proxy for *both* port 80 and 443? That's an interesting idea.

Just for the others who haven't been privy to our prior discussion about this: Both Dirk and I love Nginx, because it blows Apache out of the water in many regards. It's lean, mean, easy to configure and pretty darn fast.

Nginx has a focus on serving webpages fast. Apache has the focus on providing a heap of extra functionality that turns it into a Swiss army knife that can do everything. But as a downside Apache does nothing exceptionally well or fast.

However: As is, we're using features and functions of Apache that Nginx doesn't provide. Should we ever make an outright switch from Apache to Nginx, we would lose functionality:

- No more .htaccess
- No PHP via DSO
- No PHP via DSO + mod_ruid2
- No more apache_bandwith limits for Vsites
- We might lose Tomcat support
- PHP only via PHP-FPM or suPHP
- With Nginx we get HTTP/2, which our Apache can't do yet.

So a straight up substitute of Nginx for Apache won't fly for us.

But: We can use Nginx as a proxy, eliminating most of these drawbacks while gaining most of the benefits for a slight increase of complexity. If that's worth it probably lies in the eyes of the beholder and is up for discussion.

--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx