On Tue, May 5, 2015 at 12:35 PM, Eric Covener <cove...@gmail.com> wrote:
> On Tue, May 5, 2015 at 1:28 PM, William A Rowe Jr <wr...@rowe-clan.net>
> wrote:
> > Was hoping for md4 vs. aes128 comparisons, (and AES-NI isn't everywhere,
> > but will be, soon enough).
> >
> > While I agree md4 is less desirable, if we were going to make a
> > recommendation,
> > I'd go with favoring aes128 over md4 but retain md4 as a backup, in forced
> > server
> > preference. And label this a known-insecure configuration.
>
> Do you mean RC4? I think the conventional wisdom (of the moment) is
> to remove RC4 completely.
>

Yes - sorry.

I suggest we remove the 'optimized' example altogether, and will go ahead
with that if nobody objects. We obviously don't keep up.

I will also duplicate the SSLCipherList to SSLProxyCipherList (all examples
are now in global scope).

I propose we replace the 'optimized' example with the following:

# Effective 2017, only TLSv1.2 ciphers should be in use.
# Older ciphers should be disallowed as soon as possible, however
# much older clients such as IE6 SP2 on XP may still be in use.
# Replace the SSLCipherSuite and SSLProxyCipherSuite directives
# above with these directives to restrict mod_ssl to TLSv1.2 ciphers
# as soon as this is practical.
# SSLCipherSuite TLSv1.2:!eNULL
# SSLProxyCipherSuite TLSv1.2:!eNULL

Thoughts?