On Fri, Aug 4, 2017 at 4:26 AM, Stefan Eissing <stefan.eiss...@greenbytes.de> wrote:
> I talked about some kind of SSL Policy definition in httpd's configuration
> in the past and am now about to get serious about it. Here is what I want to
> do:
>
> Recap: the general idea is
> 2. Provide a set of already defined policies that either follow a public
> definition (like the Mozilla security classes) or express our idea of
> what configuration should look like.
I read this aspect at this as more of a weakness than a benefit. OpenSSL is more likely to be promptly updated by our users than httpd itself. Wherever httpd is overriding OpenSSL preferences, we will simply be prolonging the use of discouraged policy. If a cipher is changed upstream in OpenSSL from HIGH to MEDIUM strength (or dropped entirely), due to the discovery of a weakness in the cipher, I believe it is important for httpd to pick up on that signal without upgrade or recompilation.
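As an added illustration of the point above (not code from the thread, nor from httpd or OpenSSL): a POSIX shell check that reports which names in an explicitly pinned SSLCipherSuite string the locally installed OpenSSL no longer places in its HIGH class, since the HIGH alias is expanded by the linked library at run time while a pinned list of names is not. It assumes the `openssl` CLI is on PATH; the sample cipher string is constructed.

```shell
#!/bin/sh
# Added example: find pinned cipher names that the local OpenSSL no longer
# classifies as HIGH. Assumes the `openssl` CLI is available on PATH.

pinned_not_high() {
    pinned="$1"
    # Ask the installed OpenSSL what HIGH currently expands to, one name per line.
    high=$(openssl ciphers 'HIGH:!aNULL' | tr ':' '\n')
    for c in $(printf '%s\n' "$pinned" | tr ':' ' '); do
        # Skip modifiers (!, -, +, @) and class aliases; only bare names are checked.
        case "$c" in
            !*|-*|+*|@*|HIGH|MEDIUM|LOW|DEFAULT|ALL|COMPLEMENTOFDEFAULT) continue ;;
        esac
        if ! printf '%s\n' "$high" | grep -qx -- "$c"; then
            printf '%s\n' "$c"
        fi
    done
}

# Constructed sample: a pinned list mixing a current AEAD suite with RC4-SHA,
# which OpenSSL demoted out of HIGH long ago. Prints: RC4-SHA
pinned_not_high 'ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:!aNULL'
```

Run against a live httpd's SSLCipherSuite value after each OpenSSL update to see which pinned entries have quietly fallen below HIGH.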