On Wed, Jun 26, 2013 at 7:43 PM, Eric Covener <[email protected]> wrote:
> On Wed, Jun 26, 2013 at 2:35 PM, William A. Rowe Jr.
> <[email protected]> wrote:
> >> > If we have another vote supporting only the -SSLv2 / default ciphers
> >> > bits from rjung's proposed patch to httpd.conf.in - then I'm also
> >> > happy to kill SSLv2 from the default config of this final tarball.
> >> > I've gone ahead and created a patch of that small subset for
> >> > consideration in http://people.apache.org/~wrowe/2.0-ssl-noV2.patch
> >
> > I realized that the ~rjung patch was missing the indicated MSIE changes,
> > and the ssl how-to docs disagreed with the new config, it seems both of
> > those patches have slipped from his changeset.
> >
> > I've re-proposed the patch with those two additional changes, and would
> > appreciate a quick once-over to confirm it all looks good. The CHANGES
> > patch is probably more illuminating to reviewers than the STATUS entry
> > itself.
> >
>
> I am personally just barely -0 to default conf change this late in
> life (half because I assume people don't pick it up, half because some
> people might and not be expecting such changes for the "final"
> maintenance release). The cipher strings make my head spin which
> probably adds to it.
>

I was a bit confused trying to tie some of the changes to newer branches.
Maybe the confusion is that we're ahead of 2.2.x in some respects. E.g.,
2.2.x's ssl_howto still says to use this for strong encryption:

SSLProtocol all
SSLCipherSuite HIGH:MEDIUM

--
Born in Roswell... married an alien...
http://emptyhammock.com/
