Hello,

Sorry for the intrusion, since I'm no dev.

I am a bit concerned about the implications something like this may bring to you guys; let me explain. OpenSSL aliases were made for something like that (HIGH, MEDIUM, LOW). Although we all may agree aliases are not great, with a little tweaking someone can get reasonably secure and compatible cipher suite settings for the time being, like HIGH:!PSK:!aNULL:!EXP:!SRP or similar.

The difference between slightly outdated clients and very old clients can yield lots of options, as the cipher business is something very "granular" (can't explain it better), and at the end of the day it is the admin of the site who knows/should know which clients it is handling or wants to handle and the security they need. After all, Mr. and Ms. Normal are not very normal if they leave their SSL settings without review for long periods of time.

Would these changes/choices be permanent across different releases of httpd? If not, what if httpd's "choices" settings, as commented at the beginning of this thread, screw the need for a very important client with java 1.crap, which can handle DH just fine but, after accepting the cipher, will fail if the private key is bigger than XXXX? Maybe Mr. and Ms. Normal won't be able to figure it out, since they changed nothing and the thing just started failing for them.

Maybe stepping on the "site admin's" business in favour of making it easier for them with new settings can be opening a can of worms, since even if we document it quite well, we know "Mr. and Ms. Normal" may skip reading about that and forget about the implications.

Hope I didn't bring in too much noise.

Regards
--
*Daniel Ferradal*