> Am 05.08.2017 um 13:28 schrieb Gillis J. de Nijs <gil...@jink.net>: > > When you use Let's Encrypt, the default is to include > /etc/letsencrypt/options-ssl-apache.conf in your config. That's (presumably) > updated whenever you update the certbot package. Similarly, I suppose you > can just put your own SSL settings in a file that you include. I was trying > some settings, so I have /etc/apache2/ssl/cipherlist-strong.conf and > /etc/apache2/ssl/mozilla-modern.conf for example. But I don't think this > allows for merging of policies.
As you might know, I am working on getting Let's Encrypt certificates into Apache natively. So, I am looking for ways to provide easy SSL configurations for people that ship with Apache (the configs, not the people). Without affecting any existing configs and without taking anything away from operators, of course. -Stefan > On Sat, Aug 5, 2017 at 2:17 AM, Daniel Ruggeri <drugg...@primary.net> wrote: > If I extrapolate on the idea of what Nick is saying, it sounds like it could > be a proposal to simply define these SSL policies in a macro. Personally, I > prefer that approach over adding another set of directives (but it's a > preference, not an opposition). The downside is that mod_macro would need to > be loaded to take advantage of the macros we define. Surely some autoconf > magics could be used that say 'if mod_macro and mod_ssl are compiled, render > this set of macros in the ssl section.' > -- > Daniel Ruggeri > > From: Luca Toscano <toscano.l...@gmail.com> > Sent: August 4, 2017 6:38:16 AM CDT > To: Apache HTTP Server Development List <dev@httpd.apache.org>, > nickgea...@gmail.com > Subject: Re: SSLPolicy > > Hi Nick, > > 2017-08-04 13:06 GMT+02:00 Nick Gearls <nickgea...@gmail.com>: > This can be done using mod_macro without any additional code > > my 2c: Stefan's point is to simplify the management of things that have been > done up to now using workarounds and elegant hacks: > > On 04-08-2017 11:26, Stefan Eissing wrote: > > The Benefits I'd like to achieve with this: > A. A name makes it easier to talk about used/recommended configurations. It > also makes it easy for admins to apply a known set of policies. It is > less error prone. > B. SSLPolicy definitions can be updated by us or by distributions, since the > config defining the policies need not be edited by the user, e.g. can be > replaced in an update. This way, a broken cipher/protocol can be updated > away in policies we/distributions define. This should help increase > security > of https on the internet. > > I agree that mod_macro is flexible enough to improve the reusability of > httpd's configuration, but I don't think that the goals that Stefan has in > mind are satisfiable with your proposed solution. > > Luca >
