On Tue, May 26, 2015 at 11:45 AM, Andy Wang <aw...@ptc.com> wrote:
>
> On 05/26/2015 11:25 AM, William A Rowe Jr wrote:
>
>> On Tue, May 26, 2015 at 10:45 AM, Yann Ylavic <ylavic....@gmail.com> wrote:
>>
>>     On Tue, May 26, 2015 at 5:29 PM, Andy Wang <aw...@ptc.com> wrote:
>>     >
>>     >> # SSL Cipher Suite:
>>     >> # List the ciphers that the client is permitted to negotiate.
>>     >> # See the mod_ssl documentation for a complete list.
>>     >> SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
>>     >> SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
>>     >
>>     > !aNULL isn't needed?
>>
>>     No since !aNULL:!eNULL:!EXP is forcibly added to the configured
>>     ciphersuite.
>>
>>
>> A legitimate question, however. The example should document this IMHO.
>> Getting right on that.
>>
>
> I initially thought openssl disabled the NULL ones by default but when I
> started playing with openssl cipher strings and saw them I got confused.
> Didn't even consider that httpd did it automatically. Documenting it would
> be a nice touch. Thanks for doing that.
>
As it turns out, 0.9.2b disabled aNULL/eNULL by default. Export ciphers are
disabled by default as of 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.

Here's my proposed comment to inject in trunk/2.4/2.2 default httpd-ssl.conf -
any adjustments here?

# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
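The point Andy stumbled over in the quoted exchange above is that an OpenSSL cipher string does not say what it selects until you expand it, and that the `HIGH:MEDIUM:!MD5:!RC4` default only looks safe because mod_ssl adds `!aNULL:!eNULL:!EXP` behind your back. The script below is an added example, not code from httpd or from anyone in this thread. It uses the `ssl` module of the running Python (and therefore whatever OpenSSL that Python is linked against, so the exact suite lists will vary by build) to expand a cipher string the way `openssl ciphers -v` does, and flags any selected suite that is anonymous (`Au=None`), unencrypted (`Enc=None`) or export-grade. The function names and the `ALWAYS_DISABLED` constant are mine; the suffix is appended here for illustration, which is equivalent to prepending it, since `!` rules remove suites permanently wherever they appear in the string.

```python
"""Expand a mod_ssl-style cipher string and flag aNULL/eNULL/EXP suites.

Added example (not httpd code). Uses the local OpenSSL via Python's ssl
module, so the concrete suite lists depend on that OpenSSL build.
"""
import ssl

# What httpd 2.2.30 / 2.4.13 and later force onto every SSLCipherSuite and
# SSLProxyCipherSuite, as stated in the thread above. Appended here for
# illustration; "!" rules remove suites permanently, so position is irrelevant.
ALWAYS_DISABLED = "!aNULL:!eNULL:!EXP"


def httpd_effective_cipher_string(configured: str) -> str:
    """Return the cipher string mod_ssl actually hands to OpenSSL."""
    return f"{configured}:{ALWAYS_DISABLED}"


def select_ciphers(cipher_string: str) -> list:
    """Expand an OpenSSL cipher string into the suites it selects.

    Equivalent to `openssl ciphers -v '<string>'`: each entry is a dict with
    'name' and a 'description' line in the familiar "Kx=... Au=... Enc=..."
    form. Raises ssl.SSLError if no suite matches at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def weak_ciphers(cipher_string: str) -> list:
    """Names of selected suites that !aNULL:!eNULL:!EXP would remove.

    Matches on the description text rather than on NIDs so the check is the
    same one an admin does by eye on `openssl ciphers -v` output:
      Au=None  -> anonymous key exchange (aNULL): no server authentication
      Enc=None -> no encryption at all (eNULL)
      export   -> 40/56-bit export-grade suites (EXP), gone in modern OpenSSL
    """
    weak = []
    for suite in select_ciphers(cipher_string):
        desc = suite["description"]
        if "Au=None" in desc or "Enc=None" in desc or "export" in desc.lower():
            weak.append(suite["name"])
    return weak


if __name__ == "__main__":
    configured = "HIGH:MEDIUM:!MD5:!RC4"   # the httpd-ssl.conf default
    effective = httpd_effective_cipher_string(configured)
    print("as written :", configured)
    print("  weak     :", weak_ciphers(configured))
    print("as enforced:", effective)
    print("  weak     :", weak_ciphers(effective))
```

On an OpenSSL build that still ships the anonymous DH/ECDH and NULL suites, the "as written" line lists entries such as the ADH-/AECDH- and -NULL- suites while the "as enforced" line lists none, which is exactly the difference between what the config file says and what mod_ssl negotiates. Anyone feeding the same string to a different TLS stack, or running an httpd older than 2.2.30/2.4.13, does not get that safety net and should write the three exclusions out explicitly.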