When you use Let's Encrypt, the default is to include /etc/letsencrypt/options-ssl-apache.conf in your config. That's (presumably) updated whenever you update the certbot package. Similarly, I suppose you can just put your own SSL settings in a file that you include. I was trying some settings, so I have /etc/apache2/ssl/cipherlist-strong.conf and /etc/apache2/ssl/mozilla-modern.conf for example. But I don't think this allows for merging of policies.
On Sat, Aug 5, 2017 at 2:17 AM, Daniel Ruggeri <drugg...@primary.net> wrote:
> If I extrapolate on the idea of what Nick is saying, it sounds like it
> could be a proposal to simply define these SSL policies in a macro.
> Personally, I prefer that approach over adding another set of directives
> (but it's a preference, not an opposition). The downside is that mod_macro
> would need to be loaded to take advantage of the macros we define. Surely
> some autoconf magics could be used that say 'if mod_macro and mod_ssl are
> compiled, render this set of macros in the ssl section.'
> --
> Daniel Ruggeri
>
> ------------------------------
> *From:* Luca Toscano <toscano.l...@gmail.com>
> *Sent:* August 4, 2017 6:38:16 AM CDT
> *To:* Apache HTTP Server Development List <dev@httpd.apache.org>, nickgea...@gmail.com
> *Subject:* Re: SSLPolicy
>
> Hi Nick,
>
> 2017-08-04 13:06 GMT+02:00 Nick Gearls <nickgea...@gmail.com>:
>
>> This can be done using mod_macro without any additional code
>
> my 2c: Stefan's point is to simplify the management of things that have
> been done up to now using workarounds and elegant hacks:
>
>> On 04-08-2017 11:26, Stefan Eissing wrote:
>>>
>>> The Benefits I'd like to achieve with this:
>>> A. A name makes it easier to talk about used/recommended configurations.
>>> It also makes it easy for admins to apply a known set of policies. It is
>>> less error prone.
>>> B. SSLPolicy definitions can be updated by us or by distributions, since
>>> the config defining the policies need not be edited by the user, e.g. can
>>> be replaced in an update. This way, a broken cipher/protocol can be
>>> updated away in policies we/distributions define. This should help
>>> increase security of https on the internet.
>
> I agree that mod_macro is flexible enough to improve the reusability of
> httpd's configuration, but I don't think that the goals that Stefan has in
> mind are satisfiable with your proposed solution.
>
> Luca
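As an added illustration (not from any of the posters in this thread), here is what the mod_macro approach Nick and Daniel describe looks like next to the Include-file approach from the reply above: named policies defined once in a file that a distribution can replace, and applied per vhost with `Use`. File paths, the ServerName and the cipher strings are constructed for the example; `SSLPolicyModern` and `SSLPolicyIntermediate` are hypothetical macro names, not directives httpd ships.

```apache
# Added example, not code from the thread. Needs mod_ssl and mod_macro
# (Debian/Ubuntu: a2enmod ssl macro). Macros must be defined before
# any "Use" that expands them.
#
# --- /etc/apache2/ssl/policies.conf (constructed path) ---
# A package update can overwrite this whole file without touching any
# vhost, which is the property benefit B in Stefan's mail asks for.
<IfModule macro_module>
  # TLS 1.2+ only; cipher string is illustrative, not a recommendation.
  <Macro SSLPolicyModern>
    SSLProtocol          all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite       ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5
    SSLHonorCipherOrder  on
    SSLCompression       off
    SSLSessionTickets    off
  </Macro>

  # Broader compatibility for older clients.
  <Macro SSLPolicyIntermediate>
    SSLProtocol          all -SSLv3
    SSLCipherSuite       HIGH:!aNULL:!MD5:!3DES
    SSLHonorCipherOrder  on
    SSLCompression       off
  </Macro>
</IfModule>

# --- a virtual host (constructed) ---
<VirtualHost *:443>
  ServerName            www.example.com
  SSLEngine             on
  SSLCertificateFile    /etc/letsencrypt/live/www.example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem

  # Expands the macro's directives right here, exactly as if the
  # file were included at this point (compare certbot's
  # "Include /etc/letsencrypt/options-ssl-apache.conf").
  Use SSLPolicyModern

  # Per-directive override: for these mod_ssl directives the value set
  # later in the same context wins, so a vhost can tweak one knob
  # without editing the shared policy file.
  SSLSessionTickets on

  # This is also why policies do not "merge" as a union: a second
  # "Use SSLPolicyIntermediate" after the first would simply replace
  # SSLProtocol and SSLCipherSuite with the intermediate values.
</VirtualHost>

# After any policy file update:  apachectl configtest && apachectl graceful
```

Because `Use` is plain textual expansion, `apachectl -S` and `apachectl configtest` see the expanded directives, so a policy typo surfaces as an ordinary mod_ssl syntax error at the vhost that used it.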