With 71 configuration directives, mod_ssl can manage probably every user's
needs, but two: Mr and Ms Normal.
Ms and Mr Normal have a basic understanding about SSL, sorry TLS, and what a
cipher is, but HonorCipherOrder is already a bit much and on OCSP stapling, the
mind becomes a little bit hazy. They are smart and well educated in their field
of work, they just do not have the time to read up on these things.
But they have heard about internet security and want people visiting their site
to be safe (which is always relative).
What they do now is take Apache, google around a bit, find something on
stackoverflow or maybe even the Mozilla config generator
(https://mozilla.github.io/server-side-tls/ssl-config-generator/) and copy and
paste what they find into their config file.
And then they never touch the config for the next couple of years. They will
get updates and security fixes from the Linux distribution, but as long as the
server runs, they will not investigate a better SSL setting any more.
But everyone working in internet security knows that these settings are (and
maybe forever will be) in flux. Ciphers fall out of grace, new protocol
versions rise and features like OCSP and HSTS get invented.
How can we help Mr and Ms Normal to stay up to date on these things?
- We cannot rewrite their config unasked. We need to be backward compatible.
- Our defaults nowadays are dangerously unsafe, so users MUST do their own
I advocate that we need (yet another!) SSL directive where administrators can
declare their *intent*.
A. "I want my site safe and usable with modern browsers!"
B. "I want a safe setting, but people with slightly outdated clients should be
served as well."
C. "I sadly need compatibility with some very old clients."
and Apache would figure out what these intentions mean for protocols, ciphers,
ordering, OCSP and other settings. We ship updates with every release when they
make sense to us. We could even ship a CVE Fix downstream that removes a
certain cipher and it would apply to all sites using this new setting.
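To make the contrast concrete, here is an added illustration (not from the original post) of the hand-maintained block Mr and Ms Normal paste today next to what an intent declaration would replace it with. The directive name "SSLIntent" and its argument are hypothetical placeholders; the file paths and the cipher string are constructed for the example and are not a recommendation.

```apache
# Today: every value below is a snapshot of one moment's advice and has to be
# revisited by hand whenever a cipher or protocol falls out of grace.
SSLStaplingCache shmcb:/var/run/ocsp(128000)   # required once, server-wide, for stapling

<VirtualHost *:443>
    ServerName            today.example.invalid       # constructed
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/example/cert.pem   # constructed path
    SSLCertificateKeyFile /etc/ssl/example/key.pem    # constructed path
    SSLProtocol           all -SSLv3 -TLSv1 -TLSv1.1  # must be edited as versions age
    SSLCipherSuite        HIGH:!aNULL:!MD5            # illustrative only; pasted once, then forgotten
    SSLHonorCipherOrder   on
    SSLUseStapling        on
</VirtualHost>

# The proposal: the administrator states intent B once. The mapping to
# protocols, ciphers, ordering and OCSP lives in httpd and moves with each
# release, so a downstream fix that drops a cipher reaches this site unasked.
# "SSLIntent" is a hypothetical placeholder; no such directive exists in mod_ssl.
<VirtualHost *:443>
    ServerName            proposed.example.invalid    # constructed
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/example/cert.pem   # constructed path
    SSLCertificateKeyFile /etc/ssl/example/key.pem    # constructed path
    SSLIntent             intermediate                # hypothetical: "safe, slightly outdated clients served too"
</VirtualHost>
```

The two virtual hosts are alternatives shown side by side, not meant to be loaded together.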
Does this make sense? I personally would use this on my sites...
PS. Yes, I would use Mozilla's modern/intermediate/old definitions, but that
discussion would be the next step.