On Wed, 26 Jun 2013 19:53:21 -0400 Jeff Trawick <[email protected]> wrote:
> On Wed, Jun 26, 2013 at 7:43 PM, Eric Covener <[email protected]>
> wrote:
> >
> > On Wed, Jun 26, 2013 at 2:35 PM, William A. Rowe Jr.
> > <[email protected]> wrote:
> > >> > If we have another vote supporting only the -SSLv2 / default
> > >> > ciphers bits from rjung's proposed patch to httpd.conf.in -
> > >> > then I'm also happy to kill SSLv2 from the default config of
> > >> > this final tarball. I've gone ahead and created a patch of
> > >> > that small subset for consideration in
> > >> > http://people.apache.org/~wrowe/2.0-ssl-noV2.patch
> > >
> > > I realized that the ~rjung patch was missing the indicated MSIE
> > > changes, and the ssl how-to docs disagreed with the new config,
> > > it seems both of those patches have slipped from his changeset.
> > >
> > > I've re-proposed the patch with those two additional changes, and
> > > would appreciate a quick once-over to confirm it all looks good.
> > > The CHANGES patch is probably more illuminating to reviewers than
> > > the STATUS entry itself.
> > >
> >
> > I am personally just barely -0 to default conf change this late in
> > life (half because I assume people don't pick it up, half because
> > some people might and not be expecting such changes for the "final"
> > maintenance release). The cipher strings make my head spin which
> > probably adds to it.

We've been shipping those in 2.2 for a while, so I think you can trust
they are good defaults, including the MSIE change. I expect that;

* Most who update won't change their deployed config anyways
* Most distributors long ago changed their defaults
* The few users who watch deltas might be prompted to change their config
* There's no saving those who are installing 2.0 fresh

The docs for 2.0 are horrid anyways, and it would be good to brand each
and every doc page as "The httpd 2.0 series and this associated
documentation are no longer maintained. Refer to the documentation and
package for the current stable release."

> I was a bit confused trying to tie some of the changes to newer
> branches. Maybe the confusion is that we're ahead of 2.2.x in some
> respects. E.g., 2.2.x's ssl_howto still says to use this for strong
> encryption:
>
> SSLProtocol all
> SSLCipherSuite HIGH:MEDIUM

I think that's wrong. We can drop SSLProtocol (no lingering SSLv2
support at all IIRC), and the docs should be updated, see;
http://svn.apache.org/viewvc?view=revision&revision=1135241
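As an added example (not part of the thread and not httpd's own code), the following shell/awk check walks every SSLProtocol directive in a config file and reports the ones that still leave SSLv2 enabled, which is the difference between the quoted ssl_howto form and the -SSLv2 patch discussed above. It assumes mod_ssl's token rules as I read them for 2.0/2.2: tokens are applied left to right, a bare name replaces the whole set, "+name" adds, "-name" removes, and "all" covers SSLv2, SSLv3 and TLSv1.

```shell
#!/bin/sh
# Added example: evaluate SSLProtocol directives with the assumed mod_ssl
# token semantics (bare name replaces the set, "+" adds, "-" removes,
# "all" = SSLv2+SSLv3+TLSv1) and report directives that leave SSLv2 on.
# Exit status 0 when no directive enables SSLv2, 1 otherwise; offending
# lines are printed as "<line-number>: <directive>".
sslv2_enabled_lines() {
    sed 's/#.*//; s/[[:space:]]*$//' "$1" | awk '
        BEGIN { n = split("sslv2 sslv3 tlsv1", proto, " "); bad = 0 }
        tolower($1) == "sslprotocol" {
            for (k = 1; k <= n; k++) on[proto[k]] = 0
            for (i = 2; i <= NF; i++) {
                tok = tolower($i); act = substr(tok, 1, 1)
                if (act == "+" || act == "-") tok = substr(tok, 2); else act = "="
                # a bare token discards whatever earlier tokens selected
                if (act == "=") for (k = 1; k <= n; k++) on[proto[k]] = 0
                val = (act == "-") ? 0 : 1
                if (tok == "all") for (k = 1; k <= n; k++) on[proto[k]] = val
                else on[tok] = val
            }
            if (on["sslv2"]) { print NR ": " $0; bad = 1 }
        }
        END { exit bad }'
}

# Constructed sample config (not a real httpd.conf): the ssl_howto form,
# the patched form, an ordering that silently re-enables SSLv2, and a
# bare-token form.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# the ssl_howto form quoted in the thread: SSLv2 remains enabled
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
# the patched form: every protocol except SSLv2
SSLProtocol all -SSLv2
# same tokens, wrong order: the bare "all" replaces the set, re-enabling SSLv2
SSLProtocol -SSLv2 all
# a bare name on its own: only TLSv1
SSLProtocol TLSv1
EOF

# prints "2: SSLProtocol all" and "7: SSLProtocol -SSLv2 all", then the message
sslv2_enabled_lines "$SAMPLE" || echo "SSLv2 still enabled somewhere in $SAMPLE"
rm -f "$SAMPLE"
```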
