+SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL

Reminds me a bit of: http://journal.paul.querna.org/articles/2010/07/10/overclocking-mod_ssl/
Can't we simplify that to:

SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!ADH:!MD5

Since it's basically the same:

i.ga...@panic ~/Projects/asf/httpd (svn)-[trunk:966169] % openssl ciphers 'RC4-SHA:AES128-SHA:HIGH:!ADH:!MD5'|md5sum -
c1977a5b8a9cea42329be929398c6941 -
i.ga...@panic ~/Projects/asf/httpd (svn)-[trunk:966169] % openssl ciphers 'RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL' | md5sum -
c1977a5b8a9cea42329be929398c6941 -

OpenSSL experts might want to disagree with me at this point.

Bye,

i

----- "Rainer Jung" <rainer.j...@kippdata.de> wrote:

> On 21.07.2010 01:33, gst...@apache.org wrote:
> > Author: gstein
> > Date: Tue Jul 20 23:33:18 2010
> > New Revision: 966055
> >
> > URL: http://svn.apache.org/viewvc?rev=966055&view=rev
> > Log:
> > Fix up some SSL configuration, per issue #49484. IE6 had a hotfix released
> > for this problem quite a while back (see kb 921090), so restrict the
> > modified behavior to the old/unsupported browsers.
> >
> > * docs/conf/extra/http-ssl.conf.in:
> >   (): tighten up the regex to only select old MSIE browsers for the
> >   downgrade in http behavior. this allows IE6 to run much faster.
> >
> > Modified:
> > httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
> >
> > Modified: httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
> > URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in?rev=966055&r1=966054&r2=966055&view=diff
> > ==============================================================================
> > --- httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in (original) > > +++ httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in Tue Jul 20 > 23:33:18 2010
> > @@ -218,7 +218,7 @@ SSLCertificateKeyFile "@exp_sysconfdir@/ > > # Similarly, one has to force some clients to use HTTP/1.0 to > workaround > > # their broken HTTP/1.1 implementation. Use variables > "downgrade-1.0" and > > # "force-response-1.0" for this. > > -BrowserMatch ".*MSIE.*" \ > > +BrowserMatch ".*MSIE [1-5].*" \ > > nokeepalive ssl-unclean-shutdown \ > > downgrade-1.0 force-response-1.0
>
> There was a discussion[1,2] at some ApacheCon about improving defaults
> for this BrowserMatch (and for SSLCipherSuite). The discussion ended
> with the suggestion:
>
> BrowserMatch "MSIE" ssl-unclean-shutdown
> BrowserMatch "MSIE [2-5]" nokeepalive downgrade-1.0 force-response-1.0
>
> So should we keep "ssl-unclean-shutdown" for all MSIE versions?
>
> Regards,
>
> Rainer
>
> [1] http://marc.info/?t=125754163900002&r=1&w=2
> [2] http://marc.info/?t=125754970200003&r=1&w=2

--
Igor Galić

Tel: +43 (0) 699 122 96 338
Mail: i.ga...@brainsware.org
URL: http://brainsware.org/
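
Review bot: In the added line +BrowserMatch ".*MSIE [1-5].*" the character class checks only the first digit after "MSIE ", so a two-digit major version that starts with 1 to 5 (a User-Agent containing "MSIE 10.0", for example) would also be given nokeepalive, downgrade-1.0 and force-response-1.0. Requiring the dot after the digit, as in "MSIE [1-5]\.", keeps the match to single-digit versions. BrowserMatch searches the header unanchored, so the leading and trailing ".*" can be dropped as well. The same line also stops setting ssl-unclean-shutdown for MSIE 6 and later, while the log message mentions only "the downgrade in http behavior"; if that is intended it should be stated there, otherwise split the directive so ssl-unclean-shutdown keeps its own match.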
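
Added example (not part of the original messages and not httpd code): a small Python model of which variables each of the three BrowserMatch rule sets in this thread assigns to a client. It assumes BrowserMatch does an unanchored regex search on the User-Agent, uses Python's re in place of httpd's regex engine, and the User-Agent strings are constructed samples.

```python
import re

ALL_VARS = ["nokeepalive", "ssl-unclean-shutdown",
            "downgrade-1.0", "force-response-1.0"]

# (pattern, variables) pairs taken from the thread. Assumption: a rule fires
# when the pattern is found anywhere in the User-Agent (unanchored search);
# Python's re stands in for httpd's regex engine.
RULESETS = {
    "before r966055": [(r".*MSIE.*", ALL_VARS)],
    "after r966055": [(r".*MSIE [1-5].*", ALL_VARS)],
    "ApacheCon suggestion": [
        (r"MSIE", ["ssl-unclean-shutdown"]),
        (r"MSIE [2-5]",
         ["nokeepalive", "downgrade-1.0", "force-response-1.0"]),
    ],
}

# Constructed User-Agent strings (sample data, not from the thread).
AGENTS = {
    "IE 5.5": "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
    "IE 6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "IE 8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "IE 10": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "Firefox": "Mozilla/5.0 (Windows NT 5.1; rv:1.9.2) Gecko/20100115 Firefox/3.6",
}


def env_for(ruleset, user_agent):
    """Return the set of variables the named rule set assigns to this client."""
    env = set()
    for pattern, variables in RULESETS[ruleset]:
        if re.search(pattern, user_agent):
            env.update(variables)
    return env


def report():
    """Return (agent, ruleset, sorted variables) rows for every combination."""
    return [(agent, name, sorted(env_for(name, ua)))
            for agent, ua in AGENTS.items()
            for name in RULESETS]


if __name__ == "__main__":
    for agent, name, variables in report():
        print(f"{agent:8} {name:22} {', '.join(variables) or '-'}")
```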