Here is my proposed global config for httpd.conf.in for 2.4 and 2.2, which I believe mirrors the 'MUST' of RFC 7525. This includes restoring the SSLProtocol -SSLv3 for 2.4 so that it is plainly visible, irrespective of system defaults.
For trunk, I propose we drop TLSv1 and TLSv1.1 protocols and simply adopt the recommended cipher list illustrated below (!SSLv3) in the default extra/httpd-ssl.conf source, following the SHOULD recommendations. Comments?

---

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4

# Effective 2017, only TLSv1.2 ciphers should be in use.
# Older ciphers should be disallowed as soon as possible, however
# much older clients (such as IE6 SP2 on XP) may still be in use.
# Replace the SSLCipherSuite and SSLProxyCipherSuite directives
# above with these directives to restrict mod_ssl to TLSv1.2 ciphers
# as soon as practical.
# SSLCipherSuite HIGH:MEDIUM:!SSLv3
# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3

# As user agents such as web browsers are not configured for the user's
# own preference of either security or performance, and in every case
# this should be the prerogative of the web server administrator who must
# manage cpu load, enforce server's preferred cipher order.
SSLHonorCipherOrder on

# SSL Protocol support:
# List the protocol versions which clients are allowed to connect with.
# Disable SSLv2 and SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0)
# should be disabled as quickly as practical. By 2017, only the TLSv1.2
# protocol or later should remain in use.
SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3

On Wed, May 6, 2015 at 4:32 AM, Steffen <i...@apachelounge.com> wrote:
> Maybe already known.
>
> The SSL/TLS best current practice RFC has been approved :
> https://www.rfc-editor.org/rfc/rfc7525.txt
>
> Steffen
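An OpenSSL cipher string such as HIGH:MEDIUM:!MD5:!RC4 is only a recipe; what a server actually offers depends on the OpenSSL build mod_ssl links against. The script below is an added example, not code from this thread or from httpd: it feeds the two proposed strings to the local OpenSSL through Python's standard ssl module (which uses the same cipher-string parser) and reports, per string, how many suites survive, which of them match a set of name fragments this example chooses to flag (RC4, MD5, NULL, export and anonymous key exchange), and which can still be used below TLS 1.2. The cipher strings are taken from the proposal; the FINDING pattern and the pre_tls12 classification are this example's own assumptions.

```python
"""Expand the proposed mod_ssl cipher strings with the local OpenSSL and audit them.

Added example, not code from the mailing-list post or from httpd. Python's ssl
module hands the string to the OpenSSL cipher-string parser, so the expansion
shows what a server built against this library would offer for that string.
Results vary with the OpenSSL version and its default security level.
"""
import re
import ssl

# The two cipher strings from the proposed httpd-ssl.conf.
PROPOSED_DEFAULT = "HIGH:MEDIUM:!MD5:!RC4"   # SSLCipherSuite as proposed for 2.2/2.4
PROPOSED_STRICT = "HIGH:MEDIUM:!SSLv3"       # the commented-out "TLSv1.2 ciphers" variant

# Suite-name fragments this example flags (its own choice, not from the post):
# RC4 and MD5 are what the proposed string excludes by name; NULL, EXP and the
# ADH/AECDH prefixes catch null-encryption, export-grade and anonymous
# (unauthenticated) key exchange, which a cipher string built from HIGH:MEDIUM
# does not exclude on its own.
FINDING = re.compile(r"RC4|MD5|NULL|EXP|^ADH|^AECDH")


def expand(cipher_string):
    """Return [(suite_name, minimum_protocol), ...] as OpenSSL resolves the string.

    The 'protocol' field is the lowest protocol version OpenSSL records for a
    suite: 'TLSv1.2' for the AEAD/SHA-2 suites, 'TLSv1.3' for the TLS 1.3
    suites OpenSSL always lists, and a pre-1.2 label for the older suites.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def audit(cipher_string):
    """Summarise a cipher string: suite count, flagged suites, pre-TLS1.2 suites."""
    suites = expand(cipher_string)
    return {
        "count": len(suites),
        "flagged": sorted(n for n, _ in suites if FINDING.search(n)),
        # '!SSLv3' removes only suites whose recorded minimum version is SSLv3;
        # suites first defined for TLS 1.0 (the ECDHE + SHA-1 ones) can survive
        # it on newer OpenSSL, so "TLSv1.2 only" is checked here, not assumed.
        "pre_tls12": sorted(n for n, p in suites if p not in ("TLSv1.2", "TLSv1.3")),
    }


def compare(default=PROPOSED_DEFAULT, strict=PROPOSED_STRICT):
    """Return the suites the strict string drops relative to the default one."""
    kept = {n for n, _ in expand(strict)}
    return sorted(n for n, _ in expand(default) if n not in kept)


if __name__ == "__main__":
    for label, s in (("default", PROPOSED_DEFAULT), ("strict", PROPOSED_STRICT)):
        report = audit(s)
        print(f"{label:8} {s!r}: {report['count']} suites")
        print(f"         flagged:   {report['flagged']}")
        print(f"         pre-TLS1.2: {report['pre_tls12']}")
    print("dropped by the strict string:", compare())
```

Run it on the host that will serve the configuration; the interesting lines are the flagged list for the default string (anything there is negotiable despite the string's intent) and the pre-TLS1.2 list for the strict string, which shows whether !SSLv3 alone delivers the "TLSv1.2 ciphers only" outcome the comment in the proposal describes on that OpenSSL build.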