On 02.05.2017 at 15:19, Stefan Eissing wrote:
With 71 configuration directives, mod_ssl can manage probably every user's 
needs, but two: Mr and Ms Normal.

Ms and Mr Normal have a basic understanding about SSL, sorry TLS, and what a 
cipher is, but HonorCipherOrder is already a bit much and on OCSP stapling, the 
mind becomes a little bit hazy. They are smart and well educated in their field 
of work, they just do not have the time to read up on these things.

But they have heard about internet security and want people visiting their site 
to be safe (which is always relative).

What they do now is take Apache, google a bit around, find something on 
stackoverflow or maybe even the Mozilla config generator 
( and copy and 
paste what they find into their config file.

And then they never touch the config for the next couple of years. They will 
get updates and security fixes from the Linux distribution, but as long as the 
server runs, they will not investigate into a better SSL setting any more.

But everyone working in internet security knows that these settings are (and 
maybe forever will be) in flux. Ciphers fall out of grace, new protocol 
versions rise and features like OCSP and HSTS get invented.

How can we help Mr and Ms Normal to stay up to date on these things?

- We cannot rewrite their config unasked. We need to be backward compatible.
- Our defaults nowadays are dangerously unsafe, so users MUST do their own 

I advocate that we need (yet another!) SSL directive where administrators can 
declare their *intent*.

A. "I want my site safe and usable with modern browsers!"
B. "I want a safe setting, but people with slightly out-dated clients should be 
served as well."
C. "I sadly need compatibility to some very old clients."

and Apache would figure out what these intentions mean for protocols, ciphers, 
ordering, ocsp and other settings. We ship updates with every release when they 
make sense to us. We could even ship a CVE Fix downstream that removes a 
certain cipher and it would apply to all sites using this new setting.

Does this make sense? I personally would use this on my sites...



PS. Yes, I would use Mozilla's modern/intermediate/old definitions, but that 
discussion would be the next step.

I like the idea. It reminds me of OpenSSL security levels

although there is no 1:1 map, more a similarity of principles.

We have to see, how easy we get consensus on the "intent" names and actual settings associated to those.

Since we then have possibly conflicting config settings (your new "intent" config directive and existing detailed config directives) we need to make sure, how merging (conflict resolution) is done (even within the global server or one vhost):

a) in order of occurrence in the config files (order of reading)

b) the most secure settings win

c) first apply the "intent" directive, then merge the existing detail settings on top

I guess c) would be the most logical, but probably needs some additional feature in config parsing.
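
The difference between merge options a) and c) above, as an added example that is not part of this thread or of mod_ssl. The directive name `SSLIntent` and the preset contents are hypothetical, constructed only to show how the two strategies diverge when an older pasted `SSLProtocol` line sits next to an intent line.

```python
# Added illustration: "SSLIntent" and the preset contents are hypothetical,
# constructed for this example; they are not mod_ssl behaviour.
INTENT = "SSLIntent"
PRESETS = {
    "modern": {"SSLProtocol": "TLSv1.2", "SSLHonorCipherOrder": "on",
               "SSLUseStapling": "on"},
    "old": {"SSLProtocol": "all -SSLv3", "SSLHonorCipherOrder": "on",
            "SSLUseStapling": "off"},
}

def merge_in_order(config):
    """Option a): expand the intent where it occurs; the later line wins."""
    merged = {}
    for name, value in config:
        merged.update(PRESETS[value] if name == INTENT else {name: value})
    return merged

def merge_intent_first(config):
    """Option c): apply the intent first, then explicit directives on top."""
    merged = {}
    for name, value in config:
        if name == INTENT:
            merged.update(PRESETS[value])
    for name, value in config:
        if name != INTENT:
            merged[name] = value
    return merged

def overrides(config):
    """Explicit settings that differ from the intent under option c)."""
    baseline = merge_intent_first([d for d in config if d[0] == INTENT])
    final = merge_intent_first(config)
    return {k: (baseline[k], v) for k, v in final.items()
            if k in baseline and baseline[k] != v}

# Constructed vhost: an old copy-pasted SSLProtocol line precedes the intent.
PASTED_THEN_INTENT = [("SSLProtocol", "all -SSLv3"), (INTENT, "modern")]
INTENT_THEN_PASTED = list(reversed(PASTED_THEN_INTENT))

if __name__ == "__main__":
    for cfg in (PASTED_THEN_INTENT, INTENT_THEN_PASTED):
        print("a)", merge_in_order(cfg)["SSLProtocol"],
              "| c)", merge_intent_first(cfg)["SSLProtocol"],
              "| overridden:", overrides(cfg))
```

Under c) the result no longer depends on line order, but a stale detail directive then always wins over the intent, so a report like `overrides` is what would tell the administrator that the declared intent is not what the server actually runs.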


