On Tue, May 5, 2015 at 2:47 AM, Yann Ylavic <ylavic....@gmail.com> wrote:
> On Tue, May 5, 2015 at 3:19 AM,  <wr...@apache.org> wrote:
>> Author: wrowe
>> Date: Tue May  5 01:19:20 2015
>> New Revision: 1677721
>>
>> URL: http://svn.apache.org/r1677721
> []
>> Modified: httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in
>> URL:
http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in?rev=1677721&r1=1677720&r2=1677721&view=diff
>>
==============================================================================
>> --- httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in
(original)
>> +++ httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in Tue May
 5 01:19:20 2015

>> +SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

>> +#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
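Review bot: the commented-out alternative `#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5` puts RC4-SHA ahead of AES128-SHA and the HIGH group, so anyone who uncomments it gets a server that prefers RC4 over the AES suites the active line above would pick; since RC4 is the cipher the follow-up in this thread flags as not considered secure, the example should either drop RC4-SHA or carry a comment stating what trade-off it illustrates and why the active `HIGH:MEDIUM:!aNULL:!MD5` line is the recommended default. A one-line comment pointing users at `openssl ciphers -v '<list>'` to see what a given list expands to would also help, given how often these lines are edited by hand.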

> There possibly should be ":!EXP" in both suites above.

Why?  To make it more wordy?  Strongly -1; this is why too many users get
their cipherlists wrong: they change one thing in an overly complex
expression already.  EXP is classified LOW, already excluded above.

openssl ciphers 'cipherlist'

with an optional -v arg will show you the resulting matchset of any
particular cipher list against the compiled-in ciphers.  Therefore...

openssl ciphers -v 'ALL:!HIGH:!MEDIUM' | grep exp

Note that this was not an editorial commit, it was a scope change that was
buried hidden from the 2.4 commit log.  This simply brings 2.2 in line with
2.4 and trunk.

> Also I'd suggest removing RC4 from the latter suite, it is not
> considered secure ([1]), and maybe replace it with "AES128-SHA256"
> (both secure and fast with SNI).
>
> [1] http://www.isg.rhul.ac.uk/tls/

It's branded as less secure as things stand.  I'd be happy if we ripped
that example from all 2.2/2.4/trunk branches.

That said, if you want to retain it, do you have benchmarks to point us at?

> Ideally, we probably should merge r1526168 and r1527291 from trunk.

Happy to consider such a proposal.
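An added example (not from this thread or the httpd project) that turns the `openssl ciphers -v` check above into a small audit: it reads the verbose cipher listing and reports export-grade and RC4 suites, so a change to an SSLCipherSuite line can be verified rather than guessed at. The sample listings are constructed to match the shape of OpenSSL 1.0.x `ciphers -v` output, not captured from a real build.

```shell
#!/bin/sh
# Audit `openssl ciphers -v '<cipherlist>'` output (one suite per line) for the
# two families this thread argues about: export-grade suites (the -v listing
# ends such lines with the word "export") and RC4 (Enc=RC4(...)).
# Reads the -v lines on stdin and prints one offending suite name per line.
list_weak_ciphers() {
    while IFS= read -r line; do
        case "$line" in
            "" ) continue ;;
            *" export" | *"Enc=RC4("* ) printf '%s\n' "${line%% *}" ;;
        esac
    done
}

# Number of weak suites in a block of -v text passed as the first argument.
count_weak_ciphers() {
    printf '%s\n' "$1" | list_weak_ciphers | awk 'END { print NR }'
}

# Live check against whatever OpenSSL is installed (not exercised offline).
check_cipherlist() {
    openssl ciphers -v "$1" | list_weak_ciphers
}

# Constructed sample in the shape of `openssl ciphers -v` for the commented-out
# RC4-first suite from the commit. Not real output; the ordering is the point.
SAMPLE_RC4_FIRST='RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD'

# Constructed sample of what "ALL:!HIGH:!MEDIUM" leaves behind: the LOW and
# export suites that HIGH:MEDIUM already excludes, which is why ":!EXP" adds
# nothing to the active line.
SAMPLE_LOW='EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1'

# Stand-alone run: show which suite the RC4-first example would be flagged for.
printf '%s\n' "$SAMPLE_RC4_FIRST" | list_weak_ciphers
```

Run `check_cipherlist 'HIGH:MEDIUM:!aNULL:!MD5'` on a real host to see what the installed OpenSSL actually expands that line to.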
