If I extrapolate on the idea of what Nick is saying, it sounds like it could be a proposal to simply define these SSL policies in a macro. Personally, I prefer that approach over adding another set of directives (but it's a preference, not an opposition). The downside is that mod_macro would need to be loaded to take advantage of the macros we define. Surely some autoconf magics could be used that say 'if mod_macro and mod_ssl are compiled, render this set of macros in the ssl section.'

--
Daniel Ruggeri

-------- Original Message --------
From: Luca Toscano <toscano.l...@gmail.com>
Sent: August 4, 2017 6:38:16 AM CDT
To: Apache HTTP Server Development List <dev@httpd.apache.org>, nickgea...@gmail.com
Subject: Re: SSLPolicy

Hi Nick,

2017-08-04 13:06 GMT+02:00 Nick Gearls <nickgea...@gmail.com>:

> This can be done using mod_macro without any additional code

my 2c: Stefan's point is to simplify the management of things that have been done up to now using workarounds and elegant hacks:

> On 04-08-2017 11:26, Stefan Eissing wrote:
>>
>> The Benefits I'd like to achieve with this:
>> A. A name makes it easier to talk about used/recommended configurations. It
>>    also makes it easy for admins to apply a known set of policies. It is
>>    less error prone.
>> B. SSLPolicy definitions can be updated by us or by distributions, since the
>>    config defining the policies need not be edited by the user, e.g. can be
>>    replaced in an update. This way, a broken cipher/protocol can be updated
>>    away in policies we/distributions define. This should help increase security
>>    of https on the internet.
>>

I agree that mod_macro is flexible enough to improve the reusability of httpd's configuration, but I don't think that the goals that Stefan has in mind are satisfiable with your proposed solution.

Luca
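
For reference, the mod_macro approach discussed in this thread could look like the sketch below. It is an added example, not configuration posted by anyone on the list; the macro name `SSLPolicyModern`, the protocol and cipher choices, the host name and the file paths are illustrative assumptions.

```apache
# Added illustration. The policy name and its contents are assumptions,
# not values proposed in the thread.

# Policy definition, kept in its own file so it can be replaced on update
# without touching the admin's virtual hosts. Only rendered when both
# modules are present.
<IfModule mod_ssl.c>
<IfModule mod_macro.c>
    <Macro SSLPolicyModern>
        SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
        SSLCipherSuite      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
        SSLHonorCipherOrder on
    </Macro>
</IfModule>
</IfModule>

# Admin-owned configuration: refers to the policy by name only.
<VirtualHost *:443>
    ServerName            www.example.com
    SSLEngine             on
    SSLCertificateFile    /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem

    # Left unguarded on purpose: if mod_macro is not loaded, "Use" is an
    # unknown directive and the configuration test fails, instead of the
    # host silently starting with mod_ssl's default protocols and ciphers.
    Use SSLPolicyModern
</VirtualHost>
```

Running `apachectl configtest` after swapping the policy file confirms the macro still expands; the unguarded `Use` line is what makes the mod_macro dependency mentioned above visible at startup.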