On Tue, May 2, 2017 at 4:42 PM, Daniel <dferra...@gmail.com> wrote:
> Would these changes/choices be permanent after different releases of httpd?
> If not, what if httpd "choices" settings as commented at the beginning of
> this thread screw the need for a very important client with java 1.crap
> which can handle DH just fine but after accepting the cipher if the private
> key is bigger than XXXX it will fail, maybe the Mr. and Ms. Normal won't be
> able to figure out since they changed nothing and the thing just started
> failing for them?

They upgraded. The few broken users will have a better chance of understanding what changed from CHANGES or the manual than most users have of understanding what "HIGH:!PSK:!aNULL:!EXP:!SRP" really "means".

I think to be useful, reasonable SSL defaults have to be subject to change in maintenance (and over-rideable)

--
Eric Covener
cove...@gmail.com