On 05/06/2015 07:22 PM, William A Rowe Jr wrote:
Here is my proposed global config for httpd.conf.in for 2.4 and 2.2,
which I believe mirrors the 'MUST' of RFC 7525.
So new default configs are improved, and that's great.
Any joint interest in maintaining a "guide to implementing SSL/TLS best
practices" in the documentation for those that don't normally see our
latest/greatest default configuration and/or need some extra prose
around it?
A start would be:
* list source material for best practices
* describe how known tradeoffs (such as blocking old clients) are
  accommodated in the specific configuration recommendations
* the actual configuration related to best SSL/TLS practices from our
  current default SSL configs
* hints on how to configure these in our past releases as well as with
  distributions that have their own idea of file layout/own defaults