On 18.11.2011 18:47, Rainer Jung wrote:
> Fine with me. Current SSLCipherSuite for 2.2 definitely needs
> improvement and latest 2.4 should be the way to go.
>
> Except: Since SSLv2 is still available for 2.2, the -SSLv2 is needed in
> the cipher list.
>
> Please feel free to go ahead and remove my proposal.

Ok, done (r1203962).

There's no need to have -SSLv2 in SSLCipherSuite, because "!MD5" will already blow away all those ciphers (SSLv2 only uses MD5).

What makes sense, OTOH, is adding "SSLProtocol all -SSLv2" to the 2.2.x config - this makes sure that SSLv2 isn't used even if an admin later changes the cipher list and "accidentally" reintroduces SSLv2 ciphers.

Kaspar
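As an added example (not part of the thread and not httpd project code), the following audit classifies a config scope by whether SSLv2 is ruled out by `SSLProtocol` itself or only indirectly by `!MD5` in the cipher list. The sample configs and cipher strings are constructed, and the `SSLProtocol` token handling and the "no directive means all" default are simplifying assumptions about 2.2.x.

```python
import shlex

# Assumption: the protocol names mod_ssl 2.2.x accepts besides "all".
CANON = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}

def enabled_protocols(args):
    """Simplified model of SSLProtocol: '+x' adds, '-x' removes, bare 'x' replaces."""
    enabled = set()
    for token in args:
        action = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        if name != "all" and name not in CANON:
            raise ValueError(f"unknown SSLProtocol token: {token!r}")
        chosen = set(CANON.values()) if name == "all" else {CANON[name]}
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen
    return enabled

def audit_sslv2(config_text):
    """Classify one config scope: 'protocol', 'cipher-list-only' or 'not-excluded'."""
    protocols = set(CANON.values())  # assumption: no SSLProtocol line means "all"
    md5_excluded = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, *args = shlex.split(line)
        if directive.lower() == "sslprotocol":
            protocols = enabled_protocols(args)
        elif directive.lower() == "sslciphersuite" and args:
            # Only ':'-separated lists are handled; the last directive wins.
            md5_excluded = "!MD5" in args[0].split(":")
    if "SSLv2" not in protocols:
        return "protocol"  # SSLv2 is off regardless of the cipher list
    return "cipher-list-only" if md5_excluded else "not-excluded"

# Constructed sample configs (cipher strings are illustrative, not the project's).
CIPHERS_ONLY = "SSLEngine on\nSSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5\n"
LATER_EDIT = "SSLEngine on\nSSLCipherSuite ALL:!aNULL\n"
WITH_PROTOCOL = "SSLEngine on\nSSLProtocol all -SSLv2\nSSLCipherSuite ALL:!aNULL\n"

if __name__ == "__main__":
    for name in ("CIPHERS_ONLY", "LATER_EDIT", "WITH_PROTOCOL"):
        print(name, "->", audit_sslv2(globals()[name]))
```

A result of `cipher-list-only` marks the fragile case from the reply: the next cipher-list edit can silently drop the only thing keeping SSLv2 out.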
