On Wed, Jun 26, 2013 at 2:35 PM, William A. Rowe Jr. <[email protected]> wrote: >> > If we have another vote supporting only the -SSLv2 / default ciphers >> > bits from rjung's proposed patch to httpd.conf.in - then I'm also >> > happy to kill SSLv2 from the default config of this final tarball. >> > I've gone ahead and created a patch of that small subset for >> > consideration in http://people.apache.org/~wrowe/2.0-ssl-noV2.patch > > I realized that the ~rjung patch was missing the indicated MSIE changes, > and the ssl how-to docs disagreed with the new config, it seems both of > those patches has slipped from his changeset. > > I've re-proposed the patch with those two additional changes, and would > appreciate a quick once-over to confirm it all looks good. The CHANGES > patch is probably more illuminating to reviewers than the STATUS entry > itself. >
I am personally just barely -0 to default conf change this late in life (half because I assume people don't pick it up, half because some people might and not be expecting such changes for the "final" maintenance release). The cipher strings make my head spin which probably adds to it.
