On 16 Oct 2015, at 12:56 PM, Stefan Eissing <[email protected]> wrote:
> I am not blacklisting ciphers for the whole server. I try to define
> the security settings required for HTTP/2 as defined in the standard -
> as a configurable directive.
>
> There is no problem with denying HTTP/2 support for an IE8.

I am wondering whether the cipher blacklist shouldn’t be a configurable list with a default set of RFC-compliant values in the default config file, perhaps with shortcuts like naming a blacklist after an RFC.

Fitting this in with the existing infrastructure, this could be as simple as extending the SSLCipherSuite directive to support this:

SSLCipherSuite -RFC7540

Maybe this is actually an openssl problem rather than an httpd problem; it could be that openssl needs to be taught how to blacklist RFC7540 as a group.

Regards,
Graham
—
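As an added example (not from this thread, httpd or OpenSSL), the check a directive like the one proposed above would have to perform: RFC 7540 Appendix A says its blacklist is exactly the set of suites that lack an ephemeral key exchange or use a NULL, stream or block (CBC) cipher, so the code applies that rule to IANA- or OpenSSL-style names instead of carrying the literal list, and it also accepts TLS 1.3 names, which go beyond the 2015 discussion. The sample cipher list is constructed for the demo.

```python
"""Classify cipher suites against RFC 7540 section 9.2.2 / Appendix A.

Rule from Appendix A: a suite is blacklisted unless it has an ephemeral
key exchange (DHE/ECDHE) AND an AEAD cipher (GCM, CCM, ChaCha20-Poly1305).
Anonymous DH (DH_anon / ADH) carries no "DHE" token and so fails too.
"""
from typing import Iterable, List, Tuple

EPHEMERAL_KX = {"DHE", "ECDHE"}            # forward-secret key exchange tokens
AEAD = {"GCM", "CCM", "CCM8", "CHACHA20"}  # AEAD bulk-cipher tokens
MANDATORY = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"  # RFC 7540 9.2.2 MUST support


def _tokens(suite: str) -> List[str]:
    """Split TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or ECDHE-RSA-AES128-GCM-SHA256
    into upper-case tokens so both naming styles can be handled alike."""
    return suite.upper().replace("-", "_").split("_")


def rfc7540_compatible(suite: str) -> bool:
    """True if the suite is NOT on the RFC 7540 Appendix A blacklist."""
    toks = _tokens(suite)
    if toks[:2] in (["TLS", "AES"], ["TLS", "CHACHA20"]):
        return True  # TLS 1.3 suite: always ephemeral, always AEAD
    if "WITH" in toks:
        kx = toks[1:toks.index("WITH")]  # IANA form: key exchange before WITH
    else:
        kx = toks  # OpenSSL form: the DHE/ECDHE token appears anywhere, if at all
    ephemeral = any(t in EPHEMERAL_KX for t in kx)
    aead = any(t in AEAD for t in toks)
    return ephemeral and aead


def partition_for_http2(suites: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (allowed, blacklisted) in input order."""
    allowed: List[str] = []
    blacklisted: List[str] = []
    for s in suites:
        (allowed if rfc7540_compatible(s) else blacklisted).append(s)
    return allowed, blacklisted


def has_mandatory_suite(suites: Iterable[str]) -> bool:
    """Check that the suite RFC 7540 requires every endpoint to support is present."""
    canon = lambda s: "".join(t for t in _tokens(s) if t not in ("TLS", "WITH"))
    return any(canon(s) == canon(MANDATORY) for s in suites)


# Constructed sample, in the order `openssl ciphers` might list them.
SAMPLE_OPENSSL_LIST = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305",
                       "AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384", "AES128-SHA"]

if __name__ == "__main__":
    ok, bad = partition_for_http2(SAMPLE_OPENSSL_LIST)
    print("allowed for HTTP/2:", ok)
    print("blacklisted by RFC 7540:", bad)
    print("mandatory suite present:", has_mandatory_suite(SAMPLE_OPENSSL_LIST))
```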
