I like the proposal. However I see no need for the 'C' categor,
y and disagree about changing defaults during any future 2.next bump.

HonorCipherOrder, as an example, must be inverted.

Users requiring 'C' can override things to make that happen.

I see two 'quick start' one-line configs, strictly modern and cpu
intensive, or equally modern and just a bit more relaxed about cipher
strength.

Any other client is no longer interoperable with any popular site,
following final changes by issues in Dec '16.



On May 2, 2017 8:19 AM, "Stefan Eissing" <stefan.eiss...@greenbytes.de>
wrote:

> With 71 configuration directives, mod_ssl can manage probably every user's
> needs, but two: Mr and Ms Normal.
>
> Ms and Mr Normal have a basic understanding about SSL, sorry TLS, and what
> a cipher is, but HonorCipherOrder is already a bit much and on OCSP
> stapling, the mind becomes a little bit hazy. They are smart and well
> educated in their field of work, they just do have not the time to read up
> on these things.
>
> But they have heard about internet security and want people visiting their
> site to be safe (which is always relative).
>
> What they do now is take Apache, google a bit around, find something on
> stackoverflow or maybe even the Mozilla config generator (
> https://mozilla.github.io/server-side-tls/ssl-config-generator/) and copy
> and paste what they find into their config file.
>
> And then they never touch the config for the next couple of years. They
> will get updates and security fixes from the Linux distribution, but as
> long as the server runs, they will not investigate into a better SSL
> setting any more.
>
> But everyone working in internet security know that these settings are
> (and maybe forever will be) in flux. Ciphers fall out of grace, new
> protocol versions rise and features like OCSP and HSTS get invented.
>
> How can we help Mr and Ms Normal to stay up to date on these things?
>
> - We cannot rewrite their config unasked. We need to be backward
> compatible.
> - Our defaults nowadays are dangerously unsafe, so users MUST do their own
> settings.
>
> I advocate that we need (yet another!) SSL directive where administrators
> can declare their *intent*.
>
> A. "I want my site safe and usable with modern browsers!"
> B. "I want a safe setting, but people with slightly out-dated clients
> should be served as well."
> C. "I sadly need compatibility to some very old clients."
>
> and Apache would figure out what these intentions mean for protocols,
> ciphers, ordering, ocsp and other settings. We ship updates with every
> release when they make sense to us. We could even ship a CVE Fix downstream
> that removes a certain cipher and it would apply to all sites using this
> new setting.
>
> Does this make sense? I personally would use this on my sites...
>
> Cheers,
>
> Stefan
>
> PS. Yes, I would use Mozilla's modern/intermediate/old definitions, but
> that discussion would be the next step.
>
>
>
>
>

Reply via email to