2017-05-03 2:29 GMT+02:00 Graham Leggett <[email protected]>: > On 02 May 2017, at 3:19 PM, Stefan Eissing <[email protected]> > wrote: > > How can we help Mr and Ms Normal to stay up to date on these things? > > - We cannot rewrite their config unasked. We need to be backward > compatible. > - Our defaults nowadays are dangerously unsafe, so users MUST do their own > settings. > > I advocate that we need (yet another!) SSL directive where administrators > can declare their *intent*. > > A. "I want my site safe and usable with modern browsers!" > B. "I want a safe setting, but people with slightly out-dated clients > should be served as well." > C. "I sadly need compatibility to some very old clients.” > > > This makes a lot of sense, and there is a lot of precedent for this. > > AWS load balancers take an “intent” policy string based on a date, with > the option of a “default” value: > > http://docs.aws.amazon.com/elasticloadbalancing/latest/ > classic/ssl-config-update.html > > ------------------------------------------ > | DescribeLoadBalancerPolicies | > +----------------------------------------+ > | PolicyName | > +----------------------------------------+ > | ELBSecurityPolicy-2016-08 | > | ELBSecurityPolicy-2015-05 | > | ELBSecurityPolicy-2015-03 | > | ELBSecurityPolicy-2015-02 | > | ELBSecurityPolicy-2014-10 | > | ELBSecurityPolicy-2014-01 | > | ELBSecurityPolicy-2011-08 | > | ELBSample-ELBDefaultCipherPolicy | > | ELBSample-OpenSSLDefaultCipherPolicy | > +----------------------------------------+ > > Implementation wise, we could have a directive that is used to select the > default values of various parameters, for example: > > SSLSecurityLevel latest > > or > > SSLSecurityLevel 2017-05 >
Really like this idea, it seems a good compromise to me. While reading the email thread I was worried about keeping separate configuration and implementation, but this approach makes me feel better. One thing that I'd would really like to see as admin would be a quick way to dump/inspect/visualize what SSLSecurityLevel 2017-05 corresponds to (SSLDirectiveX set to foo, SSLDirectiveY set to bar, etc..). Even better would be to have also a little bit of description attached to the dump, or just a reference to the docs. Luca
