On Tue, May 5, 2015 at 3:19 AM, <wr...@apache.org> wrote: > Author: wrowe > Date: Tue May 5 01:19:20 2015 > New Revision: 1677721 > > URL: http://svn.apache.org/r1677721 [] > Modified: httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in > URL: > http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in?rev=1677721&r1=1677720&r2=1677721&view=diff > ============================================================================== > --- httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in (original) > +++ httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in Tue May 5 > 01:19:20 2015 > @@ -49,6 +49,24 @@ Listen @@SSLPort@@ [] > +# SSL Cipher Suite: > +# List the ciphers that the client is permitted to negotiate. > +# See the mod_ssl documentation for a complete list. > +SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 > + > +# Speed-optimized SSL Cipher configuration: > +# If speed is your main concern (on busy HTTPS servers e.g.), > +# you might want to force clients to specific, performance > +# optimized ciphers. In this case, prepend those ciphers > +# to the SSLCipherSuite list, and enable SSLHonorCipherOrder. > +# Caveat: by giving precedence to RC4-SHA and AES128-SHA > +# (as in the example below), most connections will no longer > +# have perfect forward secrecy - if the server's key is > +# compromised, captures of past or future traffic must be > +# considered compromised, too. > +#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
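Review bot: both SSLCipherSuite values in this hunk omit an explicit `!EXP`, and the commented speed-optimized example leads with `RC4-SHA`, which the comment itself concedes forfeits forward secrecy and which the reply below notes is no longer considered secure. Suggest `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!EXP` for the default line and dropping RC4 from the speed-optimized example so the shipped configuration does not document a cipher preference the caveat already argues against.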
There possibly should be ":!EXP" in both suites above. Also, I'd suggest removing RC4 from the latter suite; it is not considered secure ([1]), and maybe replacing it with "AES128-SHA256" (both secure and fast with SNI). Ideally, we probably should merge r1526168 and r1527291 from trunk.

[1] http://www.isg.rhul.ac.uk/tls/
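A small audit of what an SSLCipherSuite string actually expands to, added here as an illustration and not part of the thread or of httpd itself. It parses the `openssl ciphers -v` line format (which is also what Python's ssl module returns per cipher) and flags RC4, MD5, export and NULL suites plus static-RSA key exchange, which is the forward-secrecy loss the commit comment describes; the sample lines are constructed, and the live expansion depends on the OpenSSL linked into the local Python.

```python
import re
import ssl

# Constructed sample in "openssl ciphers -v" format (the same text that
# ssl.SSLContext.get_ciphers() returns in each entry's "description").
SAMPLE_CIPHERS_V = """\
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
"""

LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)(.*)$")


def audit_line(line):
    """Return (cipher name, list of problems) for one '-v' style line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable cipher line: %r" % line)
    name, _proto, kx, au, enc, mac, rest = m.groups()
    problems = []
    if kx.startswith("RSA"):      # static RSA key exchange: no forward secrecy
        problems.append("no-pfs")
    if enc.startswith("RC4"):
        problems.append("rc4")
    if mac == "MD5":
        problems.append("md5")
    if "export" in rest or name.startswith("EXP"):
        problems.append("export")
    if au == "None" or enc == "None":  # aNULL / eNULL suites
        problems.append("null")
    return name, problems


def audit_lines(text):
    return [audit_line(l) for l in text.splitlines() if l.strip()]


def audit_cipher_string(cipher_string):
    """Expand an SSLCipherSuite value with the local OpenSSL and audit it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are not governed by this string, so leave them out.
    return [audit_line(c["description"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def weak(results):
    """Names that are broken outright (missing PFS alone is only a caveat)."""
    return [name for name, problems in results if set(problems) - {"no-pfs"}]
```

Running `weak(audit_cipher_string("RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5"))` on a build that still ships RC4 reports `RC4-SHA`, while the first entry of the result carries `no-pfs` either way, which is the caveat the commit comment spells out.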