On Wed, May 27, 2015 at 5:58 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> On Tue, May 26, 2015 at 11:45 AM, Andy Wang <aw...@ptc.com> wrote:
>>
>> I initially thought openssl disabled the NULL ones by default but when I
>> started playing with openssl cipher strings and saw them I got confused.
>> Didn't even consider that httpd did it automatically. Documenting it would
>> be a nice touch. Thanks for doing that.
>
>
> As it turns out, 0.9.2b disabled aNULL/eNULL by default.

Yes, if you don't specify any ciphersuite (i.e. no SSLCipherSuite in httpd).

> Export ciphers are
> disabled by default as of 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.

AFAICT, they are not even selectable (not in ALL and EXP is ignored)...

>
> Here's my proposed comment to inject in trunk/2.4/2.2 default httpd-ssl.conf
> - any adjustments here?
>
> # httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
> # while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.

+1
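An added example, not part of the original thread: a small filter for checking on a given build which suites a cipher string really expands to, flagging the aNULL, eNULL and EXP classes discussed above. The function names `flag_weak` and `sample_ciphers` are hypothetical, and the sample lines are constructed in the `openssl ciphers -v` column layout so the script runs without OpenSSL installed.

```shell
#!/bin/sh
# Reads `openssl ciphers -v` output on stdin and prints one line per suite
# that belongs to a class named in the thread:
#   aNULL -> "Au=None" column, eNULL -> "Enc=None" column,
#   EXP   -> trailing "export" field.
flag_weak() {
    awk '
    {
        reason = ""
        # Fields 1 and 2 are the suite name and protocol; scan the rest.
        for (i = 3; i <= NF; i++) {
            if ($i == "Au=None")  reason = reason " aNULL"
            if ($i == "Enc=None") reason = reason " eNULL"
            if ($i == "export")   reason = reason " EXP"
        }
        if (reason != "") print $1 ":" reason
    }'
}

# Constructed sample input (not captured from a real server or build).
sample_ciphers() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
EOF
}

# Demo on the constructed sample. Against a local build, pipe real output in
# instead, e.g.:  openssl ciphers -v 'ALL:eNULL' | flag_weak
sample_ciphers | flag_weak
```

An empty result for the string you pass to SSLCipherSuite means none of the three classes survived expansion on that OpenSSL build.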